Hi,

On Sat, Jul 25, 2020 at 09:32:25AM +0200, Salvatore Bonaccorso wrote:
> Source: pyyaml
> Version: 5.3.1-2
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/yaml/pyyaml/issues/420
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for pyyaml.
>
> CVE-2020-14343[0]:
> | .load() and FullLoader still vulnerable to fairly trivial RCE
>
> The CVE is for an incomplete fix of CVE-2020-1747, see [1].
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-14343
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
> [1] https://github.com/yaml/pyyaml/issues/420
If I understand the situation correctly, then this has been fixed via
https://github.com/yaml/pyyaml/pull/472/commits/7adc0db3f613a82669f2b168edd98379b83adb3c .
As such can you check and make it enter bullseye?

Regards,
Salvatore
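The report above names the default .load() path and FullLoader as the affected loaders. As an added example (not code from the pyyaml project or from this bug thread), the following shows the two checks a maintainer reviewing dependent packages would want: parse untrusted YAML through SafeLoader only, which refuses any tag it has no constructor for, and scan source text for yaml.load / full_load calls that do not pin SafeLoader. The sample YAML documents and the sample source snippet are constructed for this example; find_risky_yaml_calls and load_untrusted are helpers written here, not pyyaml APIs.

```python
"""Added example: safe loading of untrusted YAML with PyYAML, plus a simple
source audit for loader calls that still rely on the default or FullLoader.
Sample inputs below are constructed; they are not from the bug report."""
import re
import yaml


def load_untrusted(text: str):
    """Parse YAML from an untrusted source with SafeLoader only.
    yaml.safe_load uses the SafeConstructor, which knows the core YAML
    types (mappings, sequences, scalars) and nothing else."""
    return yaml.safe_load(text)


def is_rejected(text: str) -> bool:
    """True if SafeLoader refuses the document because it carries a tag
    that has no safe constructor (yaml.constructor.ConstructorError)."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


# Constructed sample: an ordinary configuration document, loads fine.
BENIGN_DOC = """
service:
  name: example
  port: 8080
  tls: true
"""

# Constructed sample: a document with an application-specific tag. SafeLoader
# has no constructor for it and raises instead of building an object.
TAGGED_DOC = "value: !app/custom-object {arg: 1}\n"

# Matches yaml.load, yaml.load_all, yaml.full_load, yaml.full_load_all calls.
# full_load is the FullLoader shortcut, so it is treated the same as an
# explicit Loader=yaml.FullLoader argument.
RISKY_CALL = re.compile(r"\byaml\.(load|load_all|full_load|full_load_all)\s*\(")


def find_risky_yaml_calls(source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for loader calls in Python source
    text that do not pass SafeLoader/CSafeLoader. This is a line-based
    heuristic for triage, not a parser; multi-line calls need a manual look."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not RISKY_CALL.search(line):
            continue
        if "SafeLoader" in line:  # covers yaml.SafeLoader and yaml.CSafeLoader
            continue
        hits.append((lineno, line.strip()))
    return hits


# Constructed sample source: lines 3 and 5 are the ones a reviewer should flag.
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.safe_load(open("config.yml"))
data = yaml.load(blob, Loader=yaml.FullLoader)
other = yaml.load(blob, Loader=yaml.SafeLoader)
more = yaml.full_load(blob)
"""


if __name__ == "__main__":
    print("benign document:", load_untrusted(BENIGN_DOC))
    print("tagged document rejected by SafeLoader:", is_rejected(TAGGED_DOC))
    for lineno, line in find_risky_yaml_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {line}")
```

The audit helper deliberately flags any yaml.load call that does not name SafeLoader, including Loader=yaml.Loader and calls with no Loader argument, since those are exactly the paths the report describes as affected; yaml.safe_load is left alone because it cannot construct arbitrary Python objects.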