Updated python-marshmallow packages fix security vulnerability
Publication date: 13 Feb 2019Modification date: 13 Feb 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-17175
Description
In the marshmallow library before 2.15.1 for Python, the schema "only" option treats an empty list as implying no "only" option, which allows a request that was intended to expose no fields to instead expose all fields (if the schema is being filtered dynamically using the "only" option, and there is a user role that produces an empty value for "only") (CVE-2018-17175).
References
SRPMS
6/core
- python-marshmallow-2.2.1-0.5.gitea1def9.mga6