"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor."
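An added example, not from the bug report or the PyYAML project, showing the defensive side of the advisory above: untrusted YAML goes through `yaml.safe_load` (whose SafeLoader has no `python/*` constructors and refuses such tags) instead of `full_load`/`FullLoader`, plus a pre-scan that lists any `python/*` tags in a document without constructing anything, useful for logging rejected input. The sample document is constructed and uses a deliberately harmless class (`builtins.str`).

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample input: a document carrying a python/object/new tag.
# The class named here is harmless; the point is that the tag asks the
# loader to instantiate an arbitrary Python object chosen by the author
# of the YAML, which is what the advisory warns about for FullLoader.
TAGGED_DOC = "value: !!python/object/new:builtins.str ['hello']\n"
CLEAN_DOC = "value: hello\n"


def load_untrusted(text: str):
    """Parse YAML from an untrusted source with the safe loader only.

    SafeLoader registers no python/* constructors, so any python/object/new
    (or similar) tag raises ConstructorError instead of creating an object.
    """
    return yaml.safe_load(text)


def safe_load_rejects(text: str) -> bool:
    """True if the safe loader refuses the document."""
    try:
        load_untrusted(text)
    except ConstructorError:
        return True
    return False


def python_tags_in(text: str) -> list:
    """List python/* tags present in a document without constructing it.

    yaml.compose builds only the node graph (tags stay strings), so this can
    be run on untrusted input to record what was attempted before rejecting it.
    """
    found = []

    def walk(node):
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)
        elif isinstance(node, yaml.SequenceNode):
            for item in node.value:
                walk(item)
        if node.tag.startswith("tag:yaml.org,2002:python/"):
            found.append(node.tag)

    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is not None:
        walk(root)
    return found
```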
@maintainer(s), please advise if 5.3.1 is ready for stabilisation, or call yourself.
It's a minor release, so I suppose we can stabilize it earlier.
(In reply to Michał Górny from comment #2)
> It's a minor release, so I suppose we can stabilize it earlier.
Thanks for the quick response.
SuperH port disbanded.
Author: Rolf Eike Beer <email@example.com>
Date: Fri Mar 27 08:38:42 2020 +0100
dev-python/pyyaml: stable 5.3.1 for hppa, bug #714182
m68k dropped stable keywords
@maintainer(s), please clean up
GLSA Vote: No
Please drop vulnerable versions
Bug 714866 is not blocking cleanup (anymore, fixed since bug 708682). Also, this vulnerability affects pyyaml-5.1+ only. From this bug it's not required to clean up =3.13.
Cleanup done in late March:
Thanks ajak. Closing.