It was found that python-tqdm executes the 'git log -n 1 --oneline' command when imported. A crafted Git repository configured to execute a particular script on a 'git log' could execute arbitrary code with the privileges of the user running an application that imports the tqdm module. Additional information and CVE assignment: http://seclists.org/oss-sec/2016/q4/748
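As an added illustration of the pattern described above (example code, not tqdm's own or Red Hat's): a static review check that flags subprocess calls to git executed at module import time, beside a version lookup that reads build-time package metadata instead of spawning git from whatever directory the importing process is in. The sample module source is constructed for the example, and the distribution name passed to the lookup is an assumption.

```python
"""Import-time git execution versus a cwd-independent version lookup.

Added example, not tqdm's code. A module that shells out to git at import
lets the git configuration of the current working directory decide what
runs; reading package metadata avoids that dependency entirely.
"""
import ast
from importlib import metadata

# Constructed sample: the shape of the vulnerable pattern (git run on import)
# next to a call that only happens when a function is invoked later.
CONSTRUCTED_MODULE = '''import subprocess
try:
    __version__ = subprocess.check_output(["git", "log", "-n", "1", "--oneline"]).decode()
except Exception:
    __version__ = "unknown"

def later():
    subprocess.check_output(["git", "status"])
'''


def import_time_git_calls(source):
    """Return line numbers of subprocess.* calls that run git on import.

    Only module-level statements are inspected (def/class bodies run when
    called, not when imported); try/except and assignments at top level
    still execute on import and are walked.
    """
    hits = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            func = node.func
            is_subprocess = (isinstance(func, ast.Attribute)
                             and isinstance(func.value, ast.Name)
                             and func.value.id == "subprocess")
            if is_subprocess and node.args and "git" in ast.dump(node.args[0]):
                hits.append(node.lineno)
    return hits


def version_safe(dist_name="tqdm", fallback="0.0.0"):
    """Hardened lookup: metadata written at build time, no subprocess, no cwd."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return fallback  # assumed static fallback set at release time


if __name__ == "__main__":
    print("import-time git calls at lines:", import_time_git_calls(CONSTRUCTED_MODULE))
    print("version:", version_safe())
```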
Created python-tqdm tracking bugs for this issue: Affects: fedora-all [bug 1409609]
Martin, please file a bug for EPEL7 as well. It also contains this security issue. I don't maintain the EPEL version, so I'm not going to fix it.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.