Source: python-tablib Version: 0.9.11-2 Severity: grave Tags: upstream patch security Justification: user security hole
Hi, the following vulnerability was published for python-tablib. CVE-2017-2810[0]: | An exploitable vulnerability exists in the Databook loading | functionality of Tablib 0.11.4. A yaml loaded Databook can execute | arbitrary python commands resulting in command execution. An attacker | can insert python into loaded yaml to trigger this vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-2810 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2810 [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307 [2] https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e For stretch and jessie, we quickly discussed that on IRC, and given there are not reverse dependencies and low popcon/usage, we suggest to have the fix going via a future point release, can you contact the release team for that? Regards, Salvatore
