Diffstat (limited to 'announcement.msg')
| -rw-r--r-- | announcement.msg | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/announcement.msg b/announcement.msg index 1e32b3c..118d5e3 100644 --- a/announcement.msg +++ b/announcement.msg 
@@ -1,25 +1,34 @@ -From: Tina Müller <post@tinita.de> +From: Ingy döt Net <ingy@ingy.net> To: python-list@python.org, python-announce@python.org, yaml-core@lists.sourceforge.net -Subject: [ANN] PyYAML-5.3.1: YAML parser and emitter for Python +Subject: [ANN] PyYAML-5.4 Released -======================= -Announcing PyYAML-5.3.1 -======================= +===================== +Announcing PyYAML-5.4 +===================== A new release of PyYAML is now available: -https://pypi.org/project/PyYAML/ +https://github.com/yaml/pyyaml/releases/tag/5.4 -This release contains a security fix for CVE-2020-1747. FullLoader was still -exploitable for arbitrary command execution. -https://bugzilla.redhat.com/show_bug.cgi?id=1807367 +This release contains a security fix for CVE-2020-14343. It removes the +python/module, python/object, and python/object/new tags from the FullLoader. +YAML that uses these tags must be loaded by UnsafeLoader, or a custom loader +that has explicitly enabled them. + +This release also adds Python wheels for manylinux1 (x86_64) and MacOS (x86_64) +with the libyaml extension included (built on libyaml 0.2.5). + +PyYAML 5.4 will be the last release to support Python 2.7 (except for possible +critical bug fix releases). -Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting -this and providing the fixes to resolve it. 
Changes ======= -* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor +* https://github.com/yaml/pyyaml/pull/407 -- build modernization, remove distutils, fix metadata, build wheels, CI to GHA +* https://github.com/yaml/pyyaml/pull/472 -- fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader +* https://github.com/yaml/pyyaml/pull/441 -- fix memory leak in implicit resolver setup +* https://github.com/yaml/pyyaml/pull/392 -- fix py2 copy support for timezone objects +* https://github.com/yaml/pyyaml/pull/378 -- fix compatibility with Jython Resources @@ -55,6 +64,7 @@ files to object serialization and persistence. Example ======= +``` >>> import yaml >>> yaml.full_load(""" @@ -72,7 +82,7 @@ name: PyYAML homepage: https://github.com/yaml/pyyaml description: YAML parser and emitter for Python keywords: [YAML, serialization, configuration, persistence, pickle] - +``` Maintainers =========== @@ -89,7 +99,7 @@ See: https://github.com/yaml/pyyaml/pulls Copyright ========= -Copyright (c) 2017-2020 Ingy döt Net <ingy@ingy.net> +Copyright (c) 2017-2021 Ingy döt Net <ingy@ingy.net> Copyright (c) 2006-2016 Kirill Simonov <xi@resolvent.net> The PyYAML module was written by Kirill Simonov <xi@resolvent.net>. |
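Review bot: In the @@ -1,25 +1,34 @@ hunk, the new CVE-2020-14343 paragraph carries no reference link and no reporter credit, while the 5.3.1 text it replaces linked https://bugzilla.redhat.com/show_bug.cgi?id=1807367 and thanked the reporter. Suggest adding an advisory or tracker link next to the CVE id, since the Changes list only points at pull/472. The same paragraph offers UnsafeLoader as the way to keep loading the python/module, python/object and python/object/new tags; a clause saying that UnsafeLoader is for trusted input only would keep readers from switching loaders just to restore the old behaviour.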
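Review bot: In the @@ -55,6 +64,7 @@ hunk, the opening triple-backtick fence added under the "Example" heading is Markdown, but this file is a plain-text mail to python-list and python-announce, and its headings use ======= underlines. Recipients will see the literal backticks. Suggest indenting the ">>>" session as a literal block instead, or dropping the fence, unless the file is now also rendered as Markdown somewhere, in which case the headings should be converted as well.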
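Review bot: In the @@ -72,7 +82,7 @@ hunk, the closing fence replaces the blank line after the "keywords:" line rather than being added before it, so the "Maintainers" heading now follows the fence with no separating blank line. Suggest keeping the empty line and adding the fence above it, so the heading and its =========== underline stay visually separate from the example.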
