[Python-modules-commits] r19135 - in packages/python-django-piston/trunk/debian (3 files)

svedrin-guest at users.alioth.debian.org
Tue Nov 1 18:28:02 UTC 2011


    Date: Tuesday, November 1, 2011 @ 18:28:01
  Author: svedrin-guest
Revision: 19135

Fix a security issue in the YAML emitter.

Added:
  packages/python-django-piston/trunk/debian/patches/02-fix-yaml-load.diff
Modified:
  packages/python-django-piston/trunk/debian/changelog
  packages/python-django-piston/trunk/debian/patches/series

Modified: packages/python-django-piston/trunk/debian/changelog
===================================================================
--- packages/python-django-piston/trunk/debian/changelog	2011-11-01 10:35:34 UTC (rev 19134)
+++ packages/python-django-piston/trunk/debian/changelog	2011-11-01 18:28:01 UTC (rev 19135)
@@ -4,8 +4,9 @@
   * Remove reference to /usr/share/common-licenses/BSD and strip trailing
     whitespace in copyright.
   * Fix a copy-paste error in copyright.
+  * Fix a security issue in the YAML emitter.
 
- -- Michael Ziegler <diese-addy at funzt-halt.net>  Sun, 20 Feb 2011 15:56:24 +0100
+ -- Michael Ziegler <diese-addy at funzt-halt.net>  Tue, 01 Nov 2011 19:21:20 +0100
 
 python-django-piston (0.2.2-1) unstable; urgency=low
 
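Review bot: The added entry `* Fix a security issue in the YAML emitter.` does not say what was changed or which patch carries the fix. Suggest naming both, for example `* Add 02-fix-yaml-load.diff: register yaml.safe_load instead of yaml.load for application/x-yaml.` The line changed in that patch is the `Mimer.register` call, not the `Emitter.register` call above it, so "emitter" points readers at the wrong code path. The stanza header is outside this hunk; since the entry is a security fix, check that its urgency has not been left at the `low` used for 0.2.2-1.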

Added: packages/python-django-piston/trunk/debian/patches/02-fix-yaml-load.diff
===================================================================
--- packages/python-django-piston/trunk/debian/patches/02-fix-yaml-load.diff	                        (rev 0)
+++ packages/python-django-piston/trunk/debian/patches/02-fix-yaml-load.diff	2011-11-01 18:28:01 UTC (rev 19135)
@@ -0,0 +1,18 @@
+Description: Fix a security bug in the YAML emitter.
+ See https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
+Forwarded: not-needed
+Author: Michael Ziegler <diese-addy at funzt-halt.net>
+
+Index: python-django-piston-0.2.2/piston/emitters.py
+===================================================================
+--- python-django-piston-0.2.2.orig/piston/emitters.py	2009-06-14 12:04:30.000000000 +0200
++++ python-django-piston-0.2.2/piston/emitters.py	2011-11-01 19:19:34.526595345 +0100
+@@ -385,7 +385,7 @@
+ 
+ if yaml:  # Only register yaml if it was import successfully.
+     Emitter.register('yaml', YAMLEmitter, 'application/x-yaml; charset=utf-8')
+-    Mimer.register(yaml.load, ('application/x-yaml',))
++    Mimer.register(yaml.safe_load, ('application/x-yaml',))
+ 
+ class PickleEmitter(Emitter):
+     """
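Review bot: The patch header keeps the upstream reference only as a "See ..." line inside the Description, next to `Forwarded: not-needed`, so tooling that reads DEP-3 fields cannot tell where the fix came from. If the change is taken from that changeset, record it as `Origin: upstream, https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543`. The Description should also state why the one-line change matters: `yaml.load` with its default loader can construct arbitrary Python objects from tags in the document, `yaml.safe_load` restricts parsing to plain YAML types, and the call being changed is the loader registered for the `application/x-yaml` content type. Documents that relied on Python-specific tags will be rejected after this change, which is worth a sentence in the header as well.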

Modified: packages/python-django-piston/trunk/debian/patches/series
===================================================================
--- packages/python-django-piston/trunk/debian/patches/series	2011-11-01 10:35:34 UTC (rev 19134)
+++ packages/python-django-piston/trunk/debian/patches/series	2011-11-01 18:28:01 UTC (rev 19135)
@@ -1 +1,2 @@
 01-fix-oauth-import.diff
+02-fix-yaml-load.diff



