From 58d0cb7ee09954c67fabfbd714c5673b03e7a9e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ingy=20d=C3=B6t=20Net?=
Date: Tue, 19 Jan 2021 14:07:59 -0500
Subject: [PATCH] 5.4 release
---
 CHANGES | 14 +++++++++++---
 LICENSE | 2 +-
 announcement.msg | 38 ++++++++++++++++++++++++--------------
 lib/yaml/__init__.py | 2 +-
 lib3/yaml/__init__.py | 2 +-
 setup.py | 2 +-
 6 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/CHANGES b/CHANGES
index f3facb1..876bd33 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,14 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/commits/
 * https://bitbucket.org/xi/pyyaml/commits/
+5.4 (2021-01-19)
+
+* https://github.com/yaml/pyyaml/pull/407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
+* https://github.com/yaml/pyyaml/pull/472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
+* https://github.com/yaml/pyyaml/pull/441 -- Fix memory leak in implicit resolver setup
+* https://github.com/yaml/pyyaml/pull/392 -- Fix py2 copy support for timezone objects
+* https://github.com/yaml/pyyaml/pull/378 -- Fix compatibility with Jython
+
 5.3.1 (2020-03-18)
 * https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
@@ -11,7 +19,7 @@ For a complete changelog, see:
 5.3 (2020-01-06)
 * https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None`
-* https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
+* https://github.com/yaml/pyyaml/pull/270 -- Fix typos and stylistic nit
 * https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
 * https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
 * https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None
@@ -21,8 +29,8 @@ For a complete changelog, see:
 * https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example
 * https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython
 * https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
-* https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields
-* https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
+* https://github.com/yaml/pyyaml/pull/310 -- Increase size of index, line, and column fields
+* https://github.com/yaml/pyyaml/pull/260 -- Remove some unused imports
 * https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such
 * https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone
diff --git a/LICENSE b/LICENSE
index 3d82c28..2f1b8e1 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 Ingy döt Net
+Copyright (c) 2017-2021 Ingy döt Net
 Copyright (c) 2006-2016 Kirill Simonov
 Permission is hereby granted, free of charge, to any person obtaining a copy of
diff --git a/announcement.msg b/announcement.msg
index 1e32b3c..118d5e3 100644
--- a/announcement.msg
+++ b/announcement.msg
@@ -1,25 +1,34 @@
-From: Tina Müller
+From: Ingy döt Net
 To: python-list@python.org, python-announce@python.org, yaml-core@lists.sourceforge.net
-Subject: [ANN] PyYAML-5.3.1: YAML parser and emitter for Python
+Subject: [ANN] PyYAML-5.4 Released
-=======================
-Announcing PyYAML-5.3.1
-=======================
+=====================
+Announcing PyYAML-5.4
+=====================
 A new release of PyYAML is now available:
-https://pypi.org/project/PyYAML/
+https://github.com/yaml/pyyaml/releases/tag/5.4
-This release contains a security fix for CVE-2020-1747. FullLoader was still
-exploitable for arbitrary command execution.
-https://bugzilla.redhat.com/show_bug.cgi?id=1807367
+This release contains a security fix for CVE-2020-14343. It removes the
+python/module, python/object, and python/object/new tags from the FullLoader.
+YAML that uses these tags must be loaded by UnsafeLoader, or a custom loader
+that has explicitly enabled them.
+
+This release also adds Python wheels for manylinux1 (x86_64) and MacOS (x86_64)
+with the libyaml extension included (built on libyaml 0.2.5).
+
+PyYAML 5.4 will be the last release to support Python 2.7 (except for possible
+critical bug fix releases).
-Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
-this and providing the fixes to resolve it.
 Changes
 =======
-* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
+* https://github.com/yaml/pyyaml/pull/407 -- build modernization, remove distutils, fix metadata, build wheels, CI to GHA
+* https://github.com/yaml/pyyaml/pull/472 -- fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
+* https://github.com/yaml/pyyaml/pull/441 -- fix memory leak in implicit resolver setup
+* https://github.com/yaml/pyyaml/pull/392 -- fix py2 copy support for timezone objects
+* https://github.com/yaml/pyyaml/pull/378 -- fix compatibility with Jython
 Resources
@@ -55,6 +64,7 @@ files to object serialization and persistence.
 Example
 =======
+```
 >>> import yaml
 >>> yaml.full_load("""
@@ -72,7 +82,7 @@ name: PyYAML
 homepage: https://github.com/yaml/pyyaml
 description: YAML parser and emitter for Python
 keywords: [YAML, serialization, configuration, persistence, pickle]
-
+```
 Maintainers
 ===========
@@ -89,7 +99,7 @@ See: https://github.com/yaml/pyyaml/pulls
 Copyright
 =========
-Copyright (c) 2017-2020 Ingy döt Net
+Copyright (c) 2017-2021 Ingy döt Net
 Copyright (c) 2006-2016 Kirill Simonov
 The PyYAML module was written by Kirill Simonov .
diff --git a/lib/yaml/__init__.py b/lib/yaml/__init__.py
index 6da15d8..1263d96 100644
--- a/lib/yaml/__init__.py
+++ b/lib/yaml/__init__.py
@@ -8,7 +8,7 @@ from nodes import *
 from loader import *
 from dumper import *
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 try:
 from cyaml import *
diff --git a/lib3/yaml/__init__.py b/lib3/yaml/__init__.py
index 98b662c..ee3d4b3 100644
--- a/lib3/yaml/__init__.py
+++ b/lib3/yaml/__init__.py
@@ -8,7 +8,7 @@ from .nodes import *
 from .loader import *
 from .dumper import *
-__version__ = '5.4.0a0'
+__version__ = '5.4'
 try:
 from .cyaml import *
 __with_libyaml__ = True
diff --git a/setup.py b/setup.py
index 296b599..ed2487d 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 NAME = 'PyYAML'
-VERSION = '5.4.0a0'
+VERSION = '5.4'
 DESCRIPTION = "YAML parser and emitter for Python"
 LONG_DESCRIPTION = """\
 YAML is a data serialization format designed for human readability