From ${URL}: Nikolaus Rath discovered a vulnerability in s3ql which can result in remote code execution, caused by the unsafe use of Python's pickle serialization library. The upstream commit is here: <https://bitbucket.org/nikratio/s3ql/commits/091ac263809b4e8>

(This issue was reported privately to Debian, the distros list was notified, and this is the public heads-up required by list policy.)

### From: https://bitbucket.org/nikratio/s3ql/commits/091ac263809b4e8

SECURITY UPDATE for CVE-2014-0485: Do not blindly unpickle untrusted data.

The pickle protocol allows an attacker to execute arbitrary code by providing an appropriately crafted pickle stream. To fix this vulnerability, we prohibit the Unpickler from accessing any globals. This means that only Python objects constructed from dict, list, tuple, str, unicode, int, float, complex, bool and None can be unpickled. Luckily, this is enough to reconstruct the kind of data stored by S3QL.

Note that a pickle stream is still able to trigger code execution. However, code execution is limited to calling the __call__, __new__ and __init__ methods on instances of the above types (cf. http://hg.python.org/cpython/file/3.4/Lib/pickletools.py). There is no way to access object attributes, so obtaining access to more dangerous objects along the lines of http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html is not possible.

The pickle protocol may change in the future, but Python 2.x is not going to add support for newer pickle protocols.
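The mitigation described in the commit, shown as an added Python 3 example (not the S3QL code itself, which targets Python 2): a restricted Unpickler whose find_class refuses every global, plus a static opcode scan that flags a stream as needing globals without executing it. The sample streams and the datetime.date object are constructed here for illustration.

```python
import datetime
import io
import pickle
import pickletools

# Opcodes that make the unpickler resolve a module-level name through
# find_class(); any global reachable that way is the code-execution vector.
GLOBAL_OPCODES = frozenset({"GLOBAL", "STACK_GLOBAL", "INST", "OBJ"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    With globals unreachable, a stream can only build the builtin scalar
    and container types (dict, list, tuple, str, int, float, bool, None...).
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global %s.%s is forbidden in untrusted data" % (module, name))


def safe_loads(data):
    """Unpickle `data` with globals disabled; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def contains_global(data):
    """Static check: scan the opcode stream without executing it.

    genops() never instantiates anything, so this is safe to run for
    logging or alerting on a rejected blob.
    """
    return any(op.name in GLOBAL_OPCODES
               for op, _arg, _pos in pickletools.genops(data))


def is_safe(data):
    """True if `data` loads under the restricted unpickler."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return False
    return True


def flagged_at_every_protocol(obj):
    """Both checks reject obj's pickle at every protocol Python can emit."""
    streams = [pickle.dumps(obj, protocol=p)
               for p in range(pickle.HIGHEST_PROTOCOL + 1)]
    return all(contains_global(s) and not is_safe(s) for s in streams)


# Constructed samples: plain containers (metadata-like data) and an object
# whose pickle must reference the global datetime.date to rebuild itself.
SAFE_STREAM = pickle.dumps({"inode": 42, "names": ["a", "b"], "size": (1.5, None)})
GLOBAL_OBJECT = datetime.date(2014, 8, 1)
GLOBAL_STREAM = pickle.dumps(GLOBAL_OBJECT)
```

As the commit notes, this limits rather than eliminates what a stream can do: REDUCE can still invoke constructors of the permitted builtin types, so treat the allowlist as a containment boundary and not as proof that the data is benign.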
Fixed versions are now in the tree.
Thanks for the swift response and cleanup. No stable versions, closing bug noglsa.