Hi Scott!

On Mon, Aug 05, 2019 at 01:32:46AM -0400, Scott Kitterman wrote:
> Package: src:python-markdown
> Version: 3.0.1-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> The new version of pyyaml no longer allows use of yaml.load() without a
> loader being specified. This raises a deprecation warning which has
> caused an autopkgtest failure on this package. These are generally
> trivial to fix, see the upstream guidance [1].
I will now fix the use of yaml.load() for compatibility with pyyaml 5.1 (by
uploading the new upstream release to unstable), but the new version will
still use unsafe_load(). Please see this upstream change:

https://github.com/Python-Markdown/markdown/pull/806

As the upstream comment explains, “We use unsafe_load because users may need
to pass in actual Python objects. As this is only available from the CLI, the
user has much worse problems if an attacker can use this as an attack vector”.

--
Dmitry Shachnev
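The loader choice the thread turns on, as an added example (this is not code from the bug report, from python-markdown or from PyYAML; the sample documents and the two helper functions are constructed for illustration): a `yaml.load(text)` call with no Loader is what PyYAML 5.1 started warning about, and the two drop-in replacements differ sharply in what they will build. `safe_load()` constructs only core YAML types and rejects Python-specific tags, so it is the right migration for any input that is not fully trusted; `unsafe_load()`, which the upstream CLI kept, will construct Python objects from tags and is only acceptable where the YAML author is already trusted as much as the person running the command.

```python
"""Added example (not part of the thread): migrating yaml.load() for PyYAML >= 5.1.

Shows the security difference between the two replacements for a bare
yaml.load(text): safe_load() refuses Python-specific tags, unsafe_load()
constructs them. Sample documents below are constructed for this example.
"""
import yaml

# Constructed sample: an ordinary configuration using only core YAML types.
PLAIN_CONFIG = """
extensions:
  - toc
  - tables
output_format: html5
"""

# Constructed sample: the same data, but the sequence carries a harmless
# Python-specific tag. Enough to show that the SafeLoader rejects anything
# outside core YAML while the unsafe loader happily builds it.
TAGGED_CONFIG = """
extensions: !!python/tuple [toc, tables]
"""


def load_config_safely(text):
    """Migration for untrusted input: yaml.load(text) -> yaml.safe_load(text).

    Only plain YAML types (mappings, sequences, scalars) are constructed.
    Returns the parsed document, or None when the document uses a tag the
    SafeLoader does not know, such as !!python/..., which is exactly the
    behaviour wanted for input that may come from an attacker.
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        # ConstructorError (a YAMLError subclass) is raised for unknown tags.
        return None


def load_config_trusted(text):
    """Migration for fully trusted input: the loader the upstream CLI chose.

    yaml.unsafe_load() builds arbitrary Python objects from tags, so it must
    only ever see YAML written by someone who could already run code as the
    current user anyway (the upstream argument for the CLI-only config file).
    """
    return yaml.unsafe_load(text)


if __name__ == "__main__":
    print(load_config_safely(PLAIN_CONFIG))
    print(load_config_safely(TAGGED_CONFIG))   # None: tag rejected
    print(load_config_trusted(TAGGED_CONFIG))  # tuple constructed
```

The practical rule this encodes: default to `safe_load()`, and reach for `unsafe_load()` (or an explicit `Loader=`) only at the specific call site where the YAML source is known to be trusted, as the upstream change did for its CLI path.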
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team
