==== Fixed Issues ====
CVE-2017-18342
https://nvd.nist.gov/vuln/detail/CVE-2017-18342
high severity
Vulnerable versions: < 4.2b1
Patched version: 4.2b1
In PyYAML before 4.1, the yaml.load() API could execute arbitrary code.
In other words, yaml.safe_load is not used.
==== Tech Notes ====
NONE - explain new algorithms in detail, tool changes, etc.
==== Documentation Notes ====
NONE - description of a new feature or notes on behavior changes
==== Localization Notes ====
NONE - point to new strings, language specific functions, etc.
==== Environment Notes ====
NONE - new package requirements, new files being written to disk, etc.
==== Protocol Notes ====
NONE - message types added or changed, new signals, APIs, etc.
Still very much a work in progress.
For understand and testing, here is the sequence:
STEP 1: GUI announces itself
* Connect to the main Mycroft messagebus
* Send: "mycroft.gui.connected" with data { "gui_id": XXX } where XXX is a uniq ID (uuid)
STEP 2: Mycroft creates GUI socket
* Mycroft extracts the gui_id
* Mycroft prepares a socket and announces its availability on the Mycroft messagebus with:
self.bus.emit(Message("mycroft.gui.port",
{"port": self.GUIs[gui_id].port,
"gui_id": gui_id}))
STEP 3: GUI connects
In python, a very minimal test socket handler on the GUI side would look like this
from websocket import create_connection
port = 18181 (from the message above)
ws = create_connection("ws://0.0.0.0:"+port+"/gui")
ws.send("Hello, World")
print("Sent")
print("Receiving...")
result = ws.recv()
print("Received '%s'" % result)
ws.close()
Adds the mycroft.util.combo_lock ComboLock class for interprocess/Thread
lock.
Loading updated to be more reliable:
- Flush and sync file
- wait 1.2 seconds before load
Split the logic from the locking so the lock can be avoided when calling
update from save or load from get.
All credit to @adocampo who validated this fix on Arch/Manjaro.
I have built 18.8.1 on Ubuntu 18.04 LTS and it works perfectly with `pyyaml 3.13`
This fix should help those using Arch and derivatives like Manjaro.
Padatious upgrade brings in nested parentheses support and slightly optimized network inputs
Msm upgrade brings in a bugfix for git repos with private or invalid remotes
This keeps track of the skills whose dependencies have already been installed. While it won't automatically register newly installed skills, it will attempt to reinstall dependencies the next boot only one time so it shouldn't be a big issue.
Åke Forslund
Kathy Reid
Steve Penrod
Matthew D. Scholefield
Michael Nguyen