Source: pyyaml
Version: 3.12-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/pull/74
Hi,

The following vulnerability was published for pyyaml. Please see the notes in the security tracker to see why this got a CVE assigned now. The bug is filed to track the "fixed version" rebased to 4.1 once it gets uploaded to Debian. There is no action to be taken for older releases.

CVE-2017-18342[0]:
| In PyYAML before 4.1, the yaml.load() API could execute arbitrary code.
| In other words, yaml.safe_load is not used.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18342
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342

Regards,
Salvatore
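An added example, not part of the bug report or of PyYAML itself, showing the mitigation the CVE text points at: untrusted documents go through yaml.safe_load (equivalent to yaml.load with Loader=yaml.SafeLoader), and a document carrying a !!python/ tag, which the unsafe loader would resolve into Python object construction, is refused. The function names find_python_tags, load_untrusted_checked and safe_loader_rejects, and the two sample documents, are constructed here for illustration.

```python
"""Safe handling of untrusted YAML with PyYAML (added example)."""
import re

try:
    import yaml  # PyYAML; kept optional so the tag scan runs without it
    HAVE_YAML = True
except ImportError:
    HAVE_YAML = False

# Tags in the !!python/ namespace are only understood by the full (unsafe)
# loader. SafeLoader has no constructor for them and raises ConstructorError.
_PYTHON_TAG = re.compile(r"!!python/[\w/.:-]+")


def find_python_tags(text: str) -> list:
    """Return the !!python/ tags present in a YAML document, without parsing it."""
    return _PYTHON_TAG.findall(text)


def load_untrusted(text: str):
    """Parse YAML from an untrusted source.

    yaml.safe_load only builds plain types (dict, list, str, int, float,
    bool, None, dates); it never constructs arbitrary Python objects.
    """
    return yaml.safe_load(text)


def load_untrusted_checked(text: str):
    """Return (ok, value_or_reason).

    Documents with !!python/ tags are refused before the parser runs, which
    also gives a clean signal to log; any parser error maps to a refusal.
    """
    tags = find_python_tags(text)
    if tags:
        return False, "refused: python-specific tags %r" % (tags,)
    try:
        return True, load_untrusted(text)
    except yaml.YAMLError as exc:
        return False, "refused: " + exc.__class__.__name__


def safe_loader_rejects(text: str) -> bool:
    """True when SafeLoader refuses the document instead of constructing objects."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


# Constructed sample inputs (not from the report).
BENIGN = "service: web\nreplicas: 3\nports: [80, 443]\n"
# A harmless Python-specific tag: the unsafe loader would resolve it to the
# builtin function len; SafeLoader has no constructor for !!python/name.
TAGGED = "handler: !!python/name:builtins.len\n"
```

Logging the refusal reason from load_untrusted_checked gives a detection hook for documents that attempt object construction.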