From ${URL}: in http://bugs.debian.org/735263, Jakub Wilk reports an insecure tempfile usage in rply. Upstream homepage: https://github.com/alex/rply. The original bug report is attached below.

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Found in version python-rply/0.7.0-1
Fixed in version python-rply/0.7.1-1

Grief, 0.7.0 was NEVER even in portage.

*rply-0.7.2 (14 Feb 2014)

  14 Feb 2014; Patrick Lauer <patrick@gentoo.org> +rply-0.7.2.ebuild:
  Bump

  28 Mar 2014; Ian Delaney <idella4@gentoo.org> -rply-0.5.1.ebuild:
  rm old rply-0.5.1 wrt sec. Bug #498538
CVE-2014-1604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1604): The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.
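Added illustration for this bug (not rply's code, and not the upstream fix commit linked below): the class of problem the CVE text describes, a parser cache written under a predictable file name in a shared, world-writable temp directory, shown next to a hardened loader/writer that keeps the cache in a verified per-user directory, opens with O_NOFOLLOW, checks the opened inode with fstat, and writes via mkstemp plus atomic rename. CACHE_ID, the function names and the fake shared directory are hypothetical; the attacker steps are constructed inline so the example runs offline. POSIX only (uses os.getuid and O_NOFOLLOW).

```python
import json
import os
import shutil
import stat
import tempfile

# Hypothetical cache identifier; rply's real cache naming is not reproduced here.
CACHE_ID = "demo-grammar"


def predictable_cache_path(shared_tmp):
    """Vulnerable pattern: fixed, guessable name in a directory every local
    user can write to (the shape of the CVE-2014-1604 issue)."""
    return os.path.join(shared_tmp, "rply-%s.json" % CACHE_ID)


def load_cache_insecure(shared_tmp):
    """Trusts whatever sits at the predictable path: a local attacker who
    pre-creates the file controls the parser tables the victim loads."""
    path = predictable_cache_path(shared_tmp)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)


def user_cache_dir(shared_tmp):
    """Per-user cache dir, created 0700 and verified before use. A planted
    directory that is not ours or is accessible to others is refused."""
    d = os.path.join(shared_tmp, "rply-%d" % os.getuid())
    try:
        os.mkdir(d, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(d)  # lstat: do not follow a planted symlink
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid()
            or st.st_mode & 0o077):
        raise PermissionError("refusing untrusted cache dir %s" % d)
    return d


def load_cache_hardened(shared_tmp):
    """Open without following symlinks, then check owner and mode of the
    *opened* file via fstat so the check and the read see the same inode."""
    path = os.path.join(user_cache_dir(shared_tmp), "%s.json" % CACHE_ID)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except FileNotFoundError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid()
                or st.st_mode & 0o022):
            return None  # not ours or writable by others: do not trust it
        return json.load(f)


def store_cache_hardened(shared_tmp, data):
    """Write to a mkstemp file (0600, unguessable name) in the private dir,
    then atomically rename it into place."""
    d = user_cache_dir(shared_tmp)
    fd, tmp_path = tempfile.mkstemp(dir=d, prefix=CACHE_ID, suffix=".tmp")
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    os.replace(tmp_path, os.path.join(d, "%s.json" % CACHE_ID))


def demo():
    """Stand-in for a sticky, world-writable /tmp: a fresh temp dir, so the
    example runs anywhere. Results are returned for inspection."""
    shared_tmp = tempfile.mkdtemp()
    results = {}
    try:
        # Attacker step (constructed): pre-create the predictable cache file.
        with open(predictable_cache_path(shared_tmp), "w") as f:
            json.dump({"lr_action": "ATTACKER-CONTROLLED"}, f)
        results["insecure_loader_sees"] = load_cache_insecure(shared_tmp)

        # Hardened loader never looks at the shared-dir file.
        results["hardened_before_store"] = load_cache_hardened(shared_tmp)
        store_cache_hardened(shared_tmp, {"lr_action": "genuine"})
        results["hardened_after_store"] = load_cache_hardened(shared_tmp)

        # Attacker step (constructed): squat the per-user dir name in a second
        # shared dir and leave it accessible to others; hardened code refuses it.
        squatted_tmp = tempfile.mkdtemp()
        try:
            planted = os.path.join(squatted_tmp, "rply-%d" % os.getuid())
            os.mkdir(planted)
            os.chmod(planted, 0o777)  # chmod is not subject to umask
            try:
                load_cache_hardened(squatted_tmp)
                results["squatted_dir_refused"] = False
            except PermissionError:
                results["squatted_dir_refused"] = True
        finally:
            shutil.rmtree(squatted_tmp)
    finally:
        shutil.rmtree(shared_tmp)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The insecure loader happily returns the attacker's data; the hardened loader returns nothing until the process itself has written a cache, and refuses outright when the per-user directory name has been squatted. In a real deployment the squatted directory would also fail the ownership check, since the attacker would own it.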
Fixed in https://github.com/alex/rply/commit/fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c and >0.7.1. No stable version available.

@security: Please resolve as fixed.
All vulnerable versions removed. Original package versions were unstable, so no GLSA required.