Bump pyyaml from 5.3.1 to 5.4.1 (sonic-net#6511)

qiluo-msft · web-flow · commit 1c8d5ec5007c · 2021-01-28T10:46:56.000-08:00
RCE resolved in new version yaml/pyyaml#420
diff --git a/sonic-slave-buster/Dockerfile.j2 b/sonic-slave-buster/Dockerfile.j2
@@ -429,8 +429,8 @@ RUN pip3 uninstall -y enum34
 RUN pip2 install j2cli==0.3.10
 
 # For sonic-mgmt-framework
-RUN pip2 install "PyYAML==5.3.1"
-RUN pip3 install "PyYAML==5.3.1"
+RUN pip2 install "PyYAML==5.4.1"
+RUN pip3 install "PyYAML==5.4.1"
 RUN pip2 install "lxml==4.6.2"
 RUN pip3 install "lxml==4.6.2"
 
diff --git a/src/sonic-bgpcfgd/setup.py b/src/sonic-bgpcfgd/setup.py
@@ -17,7 +17,7 @@
     install_requires = [
         'jinja2>=2.10',
         'netaddr==0.8.0',
-        'pyyaml==5.3.1',
+        'pyyaml==5.4.1',
     ],
     setup_requires = [
         'pytest-runner',
diff --git a/src/sonic-config-engine/setup.py b/src/sonic-config-engine/setup.py
@@ -9,7 +9,7 @@
     'ipaddress==1.0.23',
     'lxml==4.6.2',
     'netaddr==0.8.0',
-    'pyyaml==5.3.1',
+    'pyyaml==5.4.1',
     'sonic-py-common',
 ]
 
diff --git a/src/sonic-frr-mgmt-framework/setup.py b/src/sonic-frr-mgmt-framework/setup.py
@@ -14,7 +14,7 @@
     install_requires = [
         'jinja2>=2.10',
         'netaddr==0.8.0',
-        'pyyaml==5.3.1',
+        'pyyaml==5.4.1',
         'zipp==1.2.0', # importlib-resources needs zipp and seems to have a bug where it will try to import too new of a version for Python 2
     ],
     setup_requires = [
