A flaw was found in osbs-client. yaml.load() is used on untrusted user input instead of yaml.safe_load(). Thus osbs-client allows arbitrary objects supplied by the user to be loaded.
Name: Martin Bašti (Red Hat)
Upstream is: https://github.com/projectatomic/osbs-client
epel-6 (osbs-client-0.24-1.el6.src.rpm) and epel-7 (osbs-client-0.32-1.el7.src.rpm) both predate the problematic code, which was introduced in Jan 2018 with "import yaml".
yaml.load() was first introduced in version 0.46.
Created osbs-client tracking bugs for this issue:
Affects: fedora-all [bug 1722329]
This was patched in https://src.fedoraproject.org/rpms/osbs-client/c/d9795c0c8ea320096aa9a0ac410dc0d165103b0a?branch=f30
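The unsafe pattern behind this bug (yaml.load() without SafeLoader) is easy to catch with a static check. As an added example, not code from osbs-client or from the patch above, this stdlib-only Python helper walks a module's AST and flags PyYAML calls that are not pinned to SafeLoader; the source it scans (SAMPLE) is constructed here.

```python
"""Audit helper: flag PyYAML deserialization calls that use the full Python
constructor, the osbs-client mistake of yaml.load() instead of yaml.safe_load()."""
import ast

# Only safe_load / SafeLoader refuse every python/* tag; the rest construct objects.
LOAD_FUNCS = {"load", "load_all"}
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _loader_name(call):
    """Return the identifier passed as Loader=, or None if the kwarg is absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            if isinstance(kw.value, ast.Attribute):
                return kw.value.attr          # yaml.SafeLoader -> "SafeLoader"
            if isinstance(kw.value, ast.Name):
                return kw.value.id            # SafeLoader -> "SafeLoader"
            return "<expression>"
    return None


def find_unsafe_yaml_loads(source):
    """Return [(lineno, function, reason)] for each risky yaml.<func>(...) call.
    Limited to attribute calls on a name `yaml`; bare `load()` from
    `from yaml import load` is not handled by this small checker."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if not (isinstance(node.func.value, ast.Name) and node.func.value.id == "yaml"):
            continue
        name = node.func.attr
        if name in ALWAYS_UNSAFE:
            findings.append((node.lineno, name, "constructs arbitrary Python objects"))
        elif name in LOAD_FUNCS:
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno, name, "no Loader= given; PyYAML < 5.1 defaults to the full constructor"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, name, f"Loader={loader} is not SafeLoader"))
    return sorted(findings)


# Constructed sample module: two unsafe call sites (lines 5 and 8) and two safe ones.
SAMPLE = '''
import yaml

def read_config(text):
    return yaml.load(text)

def read_config_loader(text):
    return yaml.load(text, Loader=yaml.Loader)

def read_config_safe(text):
    return yaml.safe_load(text)

def read_docs(text):
    return yaml.load_all(text, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for lineno, func, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: yaml.{func}(): {reason}")
```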