Package: gita
Severity: important
X-Debbugs-Cc: and...@lists.savchenko.net

Dear Maintainer,

The currently packaged version of `gita` uses the unsafe `yaml.FullLoader`. This is fixed upstream:

https://github.com/nosarthur/gita/compare/v0.12.9...v0.13.6#diff-b1d7ea073af79fb37be4b16f769ba60acb68546d0661f89c1d13b1975b5ba3aeL60-R61

Please consider either upgrading to any version >= v0.13.XX or patching the code in Debian with `Loader=yaml.SafeLoader` / `yaml.safe_load()`.

--
With regards,
A

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gita depends on:
ii  git           1:2.30.2-1
ii  python3       3.9.2-3
ii  python3-yaml  5.3.1-5

gita recommends no packages.

gita suggests no packages.
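
A packager checking whether a source tree still needs the patch requested above can scan it for `yaml.load` calls that are not pinned to a safe loader. This is an added example, not part of the original report or of gita's code; the function name `find_unsafe_yaml_loads`, the constructed sample source, and the assumption that PyYAML is imported under the name `yaml` are illustrative.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# The report treats FullLoader as unsafe, so the full_load* shortcuts are flagged too.
FLAGGED_FUNCS = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}

# Constructed sample source (not gita's code): two unsafe calls, two safe ones.
SAMPLE = '''\
import yaml
def a(fh):
    return yaml.load(fh, Loader=yaml.FullLoader)
def b(fh):
    return yaml.load(fh, Loader=yaml.SafeLoader)
def c(fh):
    return yaml.safe_load(fh)
def d(fh):
    return yaml.load(fh)
'''

def find_unsafe_yaml_loads(source):
    """Return sorted (line, reason) pairs for yaml load calls lacking a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        base = node.func.value
        if not (isinstance(base, ast.Name) and base.id == "yaml"):  # assumes `import yaml`
            continue
        func = node.func.attr
        if func in FLAGGED_FUNCS:
            findings.append((node.lineno, f"yaml.{func}"))
        elif func in ("load", "load_all"):
            # Loader may be passed by keyword or as the second positional argument.
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]
            name = getattr(loader, "attr", getattr(loader, "id", None))
            if name not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func} with Loader={name or 'unspecified'}"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {line}: {reason}")
```

The scan is syntactic: aliased imports such as `import yaml as y` or `from yaml import load` are not followed and would need separate handling.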