Description: "A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor." Patch: https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0
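As an added illustration of the defensive side of that description (not code from this bug or from the PyYAML project), the snippet below loads untrusted documents with `safe_load`, which refuses every tag in the `python/` namespace, and pre-scans the event stream so the offending tag can be logged without constructing any object. It assumes PyYAML is installed; the two sample documents are constructed for the example.

```python
import yaml

# Constructed sample documents (not taken from the bug report).
PLAIN_DOC = "name: pyyaml\nversion: 5.3.1\n"
# A benign stdlib class is used as the target; the point is that the
# python/object/new tag itself must never reach a full/unsafe loader.
TAGGED_DOC = "obj: !!python/object/new:collections.OrderedDict []\n"

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"


def find_python_tag(text):
    """Return the first python/* tag seen in the document, or None.

    yaml.parse() only produces parser events and never constructs
    Python objects, so it is safe to run on untrusted input and lets
    a defender log exactly which constructor was attempted.
    """
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)  # only node events carry a tag
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            return tag
    return None


def load_untrusted(text):
    """Load YAML from an untrusted source with the SafeLoader only.

    Returns (data, None) on success, or (None, reason) when the document
    uses a tag that SafeLoader has no constructor for, such as
    python/object/new. full_load / FullLoader must not be used here.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, getattr(exc, "problem", str(exc))


if __name__ == "__main__":
    for doc in (PLAIN_DOC, TAGGED_DOC):
        print("python tag:", find_python_tag(doc))
        print("safe_load:", load_untrusted(doc))
```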
@maintainer(s), please advise if 5.3.1 is ready for stabilisation, or call yourself.
It's a minor release, so I suppose we can stabilize it earlier.
(In reply to Michał Górny from comment #2)
> It's a minor release, so I suppose we can stabilize it earlier.
Thanks for the quick response.
SuperH port disbanded.
arm stable
ppc stable
ppc64 stable
s390 stable
sparc stable
x86 stable
amd64 stable
arm64 stable
commit b4d062b92cd0ac405468a7ed8d553dd206c5b4a7
Author: Rolf Eike Beer <eike@sf-mail.de>
Date: Fri Mar 27 08:38:42 2020 +0100

dev-python/pyyaml: stable 5.3.1 for hppa, bug #714182
ia64 stable
m68k dropped stable keywords
@maintainer(s), please clean up.
GLSA Vote: No. Please drop vulnerable versions.
Bug 714866 is not blocking cleanup (anymore, fixed since bug 708682). Also, this vulnerability affects pyyaml-5.1+ only. From this bug it's not required to clean up =3.13.
Cleanup done in late March:
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-python/pyyaml?id=31b2c42941656ef0adef416bc8086c45aa5472ad
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-python/pyyaml?id=1e95dea43fc4a826ccb0a20e5d4040eae46180f2
Thanks ajak. Closing.