Liberty Series Release Notes
CVE-2016-4972 has been addressed. In several places Murano used loaders inherited directly from yaml.Loader when parsing MuranoPL and UI files from packages. This is unsafe, because this loader is capable of creating custom Python objects from specifically constructed YAML files. With this change all YAML loading operations are done using safe loaders instead.
RequestContext now serialises its roles. This should allow Murano to work correctly (and allow rules like “role:xxx” in policy.json) when using oslo.context prior to 2.2.0 and oslo.policy
All HOT template outputs are put into a single dictionary property ‘templateOutputs’ rather than in a generated property for each output. As a result there are no more constraints on output names.
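The loader change described in the CVE-2016-4972 note above, as an added example using PyYAML (this is not Murano's code). The `!expr` tag, the `Expr` class, both loader class names and the sample documents are hypothetical and constructed for illustration. The hostile document only builds a harmless `fractions.Fraction`, which is enough to show that the document, not the application, chooses which callable is run.

```python
import yaml  # PyYAML
from yaml.constructor import ConstructorError


class Expr(str):
    """Hypothetical wrapper for an application-specific '!expr' scalar."""


def _construct_expr(loader, node):
    return Expr(loader.construct_scalar(node))


class LegacyLoader(yaml.Loader):
    """Pre-fix pattern: custom loader inheriting the full yaml.Loader."""


class HardenedLoader(yaml.SafeLoader):
    """Post-fix pattern: the same custom tag, built on SafeLoader."""


# Both loaders keep the application tag; only the base class differs.
for _cls in (LegacyLoader, HardenedLoader):
    _cls.add_constructor('!expr', _construct_expr)

# Constructed sample input: a well-formed package file ...
PACKAGE_YAML = """
Name: demo
Value: !expr "$.x + 1"
"""
# ... and one using a python/object/apply tag to pick a callable.
HOSTILE_YAML = """
Name: demo
Value: !!python/object/apply:fractions.Fraction [3, 4]
"""


def load(text, loader_cls):
    return yaml.load(text, Loader=loader_cls)


def is_rejected(text, loader_cls):
    """True if the loader refuses to construct the document."""
    try:
        load(text, loader_cls)
    except ConstructorError:
        return True
    return False
```

Custom tags registered with `add_constructor` keep working on the `SafeLoader` subclass, so moving to a safe base class does not require giving up application-specific YAML syntax.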