5.4 release
ingydotnet committed Jan 19, 2021
1 parent a60f7a1 commit 58d0cb7
Showing 6 changed files with 39 additions and 21 deletions.
14 changes: 11 additions & 3 deletions CHANGES
Expand Up @@ -4,14 +4,22 @@ For a complete changelog, see:
* https://github.com/yaml/pyyaml/commits/
* https://bitbucket.org/xi/pyyaml/commits/

5.4 (2021-01-19)

* https://github.com/yaml/pyyaml/pull/407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
* https://github.com/yaml/pyyaml/pull/472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
* https://github.com/yaml/pyyaml/pull/441 -- Fix memory leak in implicit resolver setup
* https://github.com/yaml/pyyaml/pull/392 -- Fix py2 copy support for timezone objects
* https://github.com/yaml/pyyaml/pull/378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

* https://github.com/yaml/pyyaml/pull/290 -- Use `is` instead of equality for comparing with `None`
* https://github.com/yaml/pyyaml/pull/270 -- fix typos and stylistic nit
* https://github.com/yaml/pyyaml/pull/270 -- Fix typos and stylistic nit
* https://github.com/yaml/pyyaml/pull/309 -- Fix up small typo
* https://github.com/yaml/pyyaml/pull/161 -- Fix handling of __slots__
* https://github.com/yaml/pyyaml/pull/358 -- Allow calling add_multi_constructor with None
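Review bot: The 5.4 entry for pull/472 near the top of this hunk reads "moves arbitrary python tags to UnsafeLoader" without saying which tags, although it is the one entry here that changes what FullLoader will accept. Consider naming them as announcement.msg in this same commit does (python/module, python/object, python/object/new), so that someone reading CHANGES alone can tell which documents now need UnsafeLoader or a custom loader.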
Expand All @@ -21,8 +29,8 @@ For a complete changelog, see:
* https://github.com/yaml/pyyaml/pull/359 -- Use full_load in yaml-highlight example
* https://github.com/yaml/pyyaml/pull/244 -- Document that PyYAML is implemented with Cython
* https://github.com/yaml/pyyaml/pull/329 -- Fix for Python 3.10
* https://github.com/yaml/pyyaml/pull/310 -- increase size of index, line, and column fields
* https://github.com/yaml/pyyaml/pull/260 -- remove some unused imports
* https://github.com/yaml/pyyaml/pull/310 -- Increase size of index, line, and column fields
* https://github.com/yaml/pyyaml/pull/260 -- Remove some unused imports
* https://github.com/yaml/pyyaml/pull/163 -- Create timezone-aware datetimes when parsed as such
* https://github.com/yaml/pyyaml/pull/363 -- Add tests for timezone

2 changes: 1 addition & 1 deletion LICENSE
@@ -1,4 +1,4 @@
Copyright (c) 2017-2020 Ingy döt Net
Copyright (c) 2017-2021 Ingy döt Net
Copyright (c) 2006-2016 Kirill Simonov

Permission is hereby granted, free of charge, to any person obtaining a copy of
38 changes: 24 additions & 14 deletions announcement.msg
@@ -1,25 +1,34 @@
From: Tina Müller <post@tinita.de>
From: Ingy döt Net <ingy@ingy.net>
To: python-list@python.org, python-announce@python.org, yaml-core@lists.sourceforge.net
Subject: [ANN] PyYAML-5.3.1: YAML parser and emitter for Python
Subject: [ANN] PyYAML-5.4 Released

=======================
Announcing PyYAML-5.3.1
=======================
=====================
Announcing PyYAML-5.4
=====================

A new release of PyYAML is now available:
https://pypi.org/project/PyYAML/
https://github.com/yaml/pyyaml/releases/tag/5.4

This release contains a security fix for CVE-2020-1747. FullLoader was still
exploitable for arbitrary command execution.
https://bugzilla.redhat.com/show_bug.cgi?id=1807367
This release contains a security fix for CVE-2020-14343. It removes the
python/module, python/object, and python/object/new tags from the FullLoader.
YAML that uses these tags must be loaded by UnsafeLoader, or a custom loader
that has explicitly enabled them.

This release also adds Python wheels for manylinux1 (x86_64) and MacOS (x86_64)
with the libyaml extension included (built on libyaml 0.2.5).

PyYAML 5.4 will be the last release to support Python 2.7 (except for possible
critical bug fix releases).

Thanks to Riccardo Schirone (https://github.com/ret2libc) for both reporting
this and providing the fixes to resolve it.

Changes
=======

* https://github.com/yaml/pyyaml/pull/386 -- Prevents arbitrary code execution during python/object/new constructor
* https://github.com/yaml/pyyaml/pull/407 -- build modernization, remove distutils, fix metadata, build wheels, CI to GHA
* https://github.com/yaml/pyyaml/pull/472 -- fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
* https://github.com/yaml/pyyaml/pull/441 -- fix memory leak in implicit resolver setup
* https://github.com/yaml/pyyaml/pull/392 -- fix py2 copy support for timezone objects
* https://github.com/yaml/pyyaml/pull/378 -- fix compatibility with Jython


Resources
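Review bot: In the thanks paragraph, "for both reporting this and providing the fixes" sits after the wheels and Python 2.7 paragraphs, so "this" has no clear antecedent. Move that paragraph directly under the CVE-2020-14343 paragraph, or name the issue in it. Separately, the entries under Changes are lowercase ("fix for CVE-2020-14343, ...") while the same entries in CHANGES are capitalized; pick one form for both files.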
Expand Down Expand Up @@ -55,6 +64,7 @@ files to object serialization and persistence.
Example
=======

```
>>> import yaml

>>> yaml.full_load("""
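Review bot: The three-backtick line added above ">>> import yaml" is Markdown fencing, but this file is a plain-text message addressed to python-list and python-announce that marks its headings with ===== rules, so the backticks will appear literally in the posted mail. Consider indenting the example instead, or confirm that the file is also rendered as Markdown somewhere.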
Expand All @@ -72,7 +82,7 @@ name: PyYAML
homepage: https://github.com/yaml/pyyaml
description: YAML parser and emitter for Python
keywords: [YAML, serialization, configuration, persistence, pickle]

```

Maintainers
===========
Expand All @@ -89,7 +99,7 @@ See: https://github.com/yaml/pyyaml/pulls
Copyright
=========

Copyright (c) 2017-2020 Ingy döt Net <ingy@ingy.net>
Copyright (c) 2017-2021 Ingy döt Net <ingy@ingy.net>
Copyright (c) 2006-2016 Kirill Simonov <xi@resolvent.net>

The PyYAML module was written by Kirill Simonov <xi@resolvent.net>.
2 changes: 1 addition & 1 deletion lib/yaml/__init__.py
Expand Up @@ -8,7 +8,7 @@
from loader import *
from dumper import *

__version__ = '5.4.0a0'
__version__ = '5.4'

try:
from cyaml import *
2 changes: 1 addition & 1 deletion lib3/yaml/__init__.py
Expand Up @@ -8,7 +8,7 @@
from .loader import *
from .dumper import *

__version__ = '5.4.0a0'
__version__ = '5.4'
try:
from .cyaml import *
__with_libyaml__ = True
2 changes: 1 addition & 1 deletion setup.py
@@ -1,6 +1,6 @@

NAME = 'PyYAML'
VERSION = '5.4.0a0'
VERSION = '5.4'
DESCRIPTION = "YAML parser and emitter for Python"
LONG_DESCRIPTION = """\
YAML is a data serialization format designed for human readability
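Review bot: VERSION = '5.4' here is the third hand-edited copy of the release number in this commit, alongside __version__ in lib/yaml/__init__.py and lib3/yaml/__init__.py. A release that updates only some of them would ship a package whose metadata disagrees with yaml.__version__; consider having setup.py derive VERSION from a single place, or add a check that the three values match.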