Ben/sysadmins,
git-kpull failed for me on Gentoo, due to an apparently long-open CVE
for pyyaml. See https://bugs.gentoo.org/659348 for more information.
The suggested fix (in comment 14 of that bug) is "you'll need to patch
out those unsafe calls. Look for calls to "yaml.load()" and replace
them with calls to "yaml.full_load()" (or "yaml.safe_load()" if you
know what you're doing). See upstream issue #265
[https://github.com/yaml/pyyaml/issues/265] for details."
In my case, the single change on line 36 of git-kpull:
- metadata = yaml.load( metadataFile )
+ metadata = yaml.full_load( metadataFile )
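Review bot: on the added line, yaml.full_load() is broader than a metadata file is likely to need, since it still constructs some Python-specific types (such as !!python/tuple) that yaml.safe_load() refuses. If metadataFile holds only plain mappings, lists and scalars, use metadata = yaml.safe_load( metadataFile ) here and keep full_load only if safe_load rejects a real metadata file.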
I don't know enough Python to know whether yaml.safe_load() would work
or not and whether it would be any better or not.
Jack
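
Added example, not part of the original message and not git-kpull's code: a small check of how yaml.safe_load() and yaml.full_load() treat the same input, assuming PyYAML 5.1 or later. The function names and the sample metadata are hypothetical and constructed for illustration.

```python
import yaml  # assumes PyYAML >= 5.1, where full_load() exists

# Constructed sample inputs; not taken from any real git-kpull metadata file.
PLAIN_METADATA = """\
name: example-repo
branches: [master, stable]
depth: 1
"""
TAGGED_METADATA = """\
name: example-repo
branches: !!python/tuple [master, stable]
"""


def load_metadata(text):
    """Hypothetical loader: parse with safe_load and require a mapping."""
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        # safe_load refuses any tag outside the standard YAML set.
        raise ValueError(f"metadata rejected: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("metadata must be a YAML mapping")
    return data


def compare_loaders(text):
    """Return (safe_load accepted, full_load accepted) for the same text."""
    results = []
    for loader in (yaml.safe_load, yaml.full_load):
        try:
            loader(text)
            results.append(True)
        except yaml.YAMLError:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    print(load_metadata(PLAIN_METADATA))
    print("plain  (safe, full):", compare_loaders(PLAIN_METADATA))
    print("tagged (safe, full):", compare_loaders(TAGGED_METADATA))
```

If the plain case is all a metadata file ever contains, safe_load() parses it to the same result as full_load() and additionally fails closed on Python-specific tags.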