Liberty Series Release Notes
CVE-2016-4972 has been addressed. In several places Murano used loaders inherited directly from yaml.Loader when parsing MuranoPL and UI files from packages. This is unsafe because that loader can create custom Python objects from specially constructed YAML files. With this change, all YAML loading operations are done using safe loaders instead.
It is now possible to import packages with the ‘!yaql’ tag when Glare is used as the backend. Before this fix, importing such a package caused a parsing error.
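The two notes above fit together: a loader derived from PyYAML's `yaml.SafeLoader` can still accept a custom `!yaql` tag while refusing tags that construct Python objects. The following is an added example, not Murano's own code; `YaqlExpr`, `PackageLoader` and `load_package_yaml` are hypothetical names, and both sample documents are constructed.

```python
import yaml


class YaqlExpr(str):
    """Hypothetical marker type: a string to be treated as a YAQL expression."""


class PackageLoader(yaml.SafeLoader):
    """Safe loader: standard YAML types plus the tags registered below."""


def _construct_yaql(loader, node):
    # '!yaql' is accepted on scalars only; the value stays inert text.
    return YaqlExpr(loader.construct_scalar(node))


# Registered on the subclass only, so yaml.SafeLoader itself is unchanged.
PackageLoader.add_constructor('!yaql', _construct_yaql)

# Constructed sample: a package fragment that uses the custom tag.
BENIGN = """
Name: Example
Properties:
  greeting: !yaql "$.name + '!'"
"""

# Constructed sample: asks the parser to call a Python function (a harmless
# one here). A loader derived from yaml.Loader would perform the call.
HOSTILE = """
Name: !!python/object/apply:builtins.len [[1, 2, 3]]
"""


def load_package_yaml(text):
    """Parse package YAML; return (data, None) or (None, error message)."""
    try:
        return yaml.load(text, Loader=PackageLoader), None
    except yaml.constructor.ConstructorError as exc:
        return None, exc.problem


if __name__ == '__main__':
    print(load_package_yaml(BENIGN))
    print(load_package_yaml(HOSTILE))
```
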