A flaw was found in osbs-client. yaml.load() is used on untrusted user input instead of yaml.safe_load(). As a result, osbs-client can be made to construct arbitrary Python objects specified in user-supplied YAML.
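The pattern described above, as an added Python illustration that is not code from osbs-client or from the upstream fix: the unsafe yaml.load() call beside the yaml.safe_load() replacement, exercised on a constructed configuration document and on the same document carrying a Python-object tag that the safe loader refuses. The function names, the document shape and the PyYAML dependency are assumptions.

```python
import yaml

# Constructed sample: an ordinary configuration document
# (assumption; not osbs-client's real configuration format).
PLAIN_DOC = """
registry: registry.example.com
retries: 3
"""

# Constructed sample: the same document plus a YAML tag that asks the
# loader to instantiate a Python object. An unsafe loader would honour
# the tag; here it only names a harmless builtin.
TAGGED_DOC = """
registry: registry.example.com
retries: !!python/object/apply:builtins.range [3]
"""


def load_config_insecure(text):
    """Vulnerable pattern: yaml.Loader constructs whatever Python object a
    tag names; this is what the old yaml.load(text) default did."""
    return yaml.load(text, Loader=yaml.Loader)


def load_config(text):
    """Hardened pattern: safe_load only builds plain YAML types (mappings,
    sequences, scalars) and raises on Python-specific tags."""
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError("refusing untrusted YAML: %s" % exc) from exc


def rejects_python_tags(text):
    """True when the safe loader refuses the document, which is the
    expected outcome for anything carrying !!python/* tags."""
    try:
        load_config(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(load_config(PLAIN_DOC))
    print("tagged document rejected:", rejects_python_tags(TAGGED_DOC))
```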
Acknowledgments: Name: Martin Bašti (Red Hat)
Upstream is: https://github.com/projectatomic/osbs-client
epel-6 (osbs-client-0.24-1.el6.src.rpm) and epel-7 (osbs-client-0.32-1.el7.src.rpm) both predate the problematic code, which was introduced in Jan 2018 with "import yaml".
yaml.load() was first introduced in version 0.46: https://github.com/projectatomic/osbs-client/commit/2fb16f95208ba02670fd389644b2f94963b18970
Upstream Fix: https://github.com/containerbuildsystem/osbs-client/pull/865
Created osbs-client tracking bugs for this issue: Affects: fedora-all [bug 1722329]
This was patched in https://src.fedoraproject.org/rpms/osbs-client/c/d9795c0c8ea320096aa9a0ac410dc0d165103b0a?branch=f30