[Python-modules-team] Bug#918890: pyyaml: New upstream release 4.1 (with incompatible load(), dump() behaviour)

Simon McVittie smcv at debian.org
Thu Jan 10 11:19:01 GMT 2019

Source: pyyaml
Severity: wishlist

pyyaml 4.1 is available.

This version addresses CVE-2017-18342 (#902878) by renaming the
current load() to danger_load(), making load() do the same thing as
the current safe_load(), and making corresponding changes to dump(),
Loader, Dumper etc. This is good for other packages' security (it makes
the most obvious interfaces safe for use with untrusted data), but is an
incompatible change that will break anything that relies on the ability
to serialize and deserialize arbitrary Python objects.

As a result, I think this should be handled as a transition, which is
why I'm opening this bug as a reminder, but not updating to that version
now - at this point it should probably wait for bullseye.


More information about the Python-modules-team mailing list