The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement. Links: https://security.snyk.io/vuln/SNYK-PYTHON-JOBLIB-3027033 Fix: https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059 Fixed version 1.2.0 is available.
dev-python/joblib-1.3.2 is currently the only version available.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=086ee91647926ad5550f1443e004b5f5d1bda7fc commit 086ee91647926ad5550f1443e004b5f5d1bda7fc Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-02 14:38:14 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-02 14:38:51 +0000 [ GLSA 202401-01 ] Joblib: Arbitrary Code Execution Bug: https://bugs.gentoo.org/873151 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-01.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)