Package: python3-numexpr
Version: 2.8.6-2
Severity: serious
Justification: block testing migration of a known security hole
Tags: patch
numexpr 2.8.5 introduced a security check, which was initially buggy enough to break pyfai and pandas (#1049326). Fixes for this were sent upstream, but only some of them made it into numexpr 2.8.6.
Hence, Debian 2.8.6-2 disabled this security check. However, this is not actually necessary to fix these bugs, and reopens a code execution security hole if numexpr is used to parse untrusted input.
This is fixed by the fix1049326v2 branch in Salsa. This fix has also been sent upstream as https://github.com/pydata/numexpr/pull/452.
(Sorry that this didn't get to you earlier - I tried to post to #1049326, and didn't notice the error message that posting to archived bugs is not allowed.)
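The report above concerns a check that validates expression strings before numexpr evaluates them, so that untrusted input cannot become code execution, and the competing risk that an over-strict check rejects expressions legitimate callers (pandas, pyfai) rely on. The following is an added illustration of that kind of check, written for this page; it is not code from the report, from numexpr, or from the Debian or upstream patches. It walks the Python AST of an expression and accepts only an explicit allow-list of node types and function names; `ALLOWED_FUNCTIONS` and the `UnsafeExpression` exception are assumptions of the example, not names from numexpr.

```python
import ast

# Assumed allow-list of callable names for this example (not numexpr's list).
ALLOWED_FUNCTIONS = frozenset(
    {"sin", "cos", "tan", "exp", "log", "sqrt", "abs", "where"}
)

# Node types an arithmetic/boolean expression may contain. Anything else
# (Attribute, Subscript, Lambda, IfExp, comprehensions, ...) is rejected,
# which is what closes off tricks such as a.__class__ or __import__(...).
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Name, ast.Constant, ast.Call, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow, ast.Mod, ast.FloorDiv,
    ast.USub, ast.UAdd, ast.Invert, ast.Not, ast.And, ast.Or,
    ast.BitAnd, ast.BitOr, ast.BitXor, ast.LShift, ast.RShift,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)


class UnsafeExpression(ValueError):
    """Raised when an expression string fails the allow-list check."""


def validate_expression(expr: str) -> ast.Expression:
    """Parse expr and verify it only uses allow-listed syntax and names.

    Returns the parsed tree on success; raises UnsafeExpression otherwise.
    The caller would hand the *string* on to the real evaluator only after
    this returns, never before.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None

    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            # Dunder names reach interpreter internals; never a valid variable.
            raise UnsafeExpression(f"disallowed name: {node.id}")
        if isinstance(node, ast.Constant) and not isinstance(
            node.value, (bool, int, float, complex)
        ):
            # Strings/bytes/None have no place in a numeric expression.
            raise UnsafeExpression(f"disallowed constant: {node.value!r}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name):
                raise UnsafeExpression("only plain function names may be called")
            if node.func.id not in ALLOWED_FUNCTIONS:
                raise UnsafeExpression(f"function not allowed: {node.func.id}")
            if node.keywords:
                raise UnsafeExpression("keyword arguments are not allowed")
    return tree


def is_safe_expression(expr: str) -> bool:
    """Boolean convenience wrapper around validate_expression."""
    try:
        validate_expression(expr)
    except UnsafeExpression:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate expressions, three hostile ones.
    for sample in (
        "2*a + sqrt(b)",
        "where(a > 0, a, 0)",
        "__import__('os').system('id')",
        "a.__class__",
        "(lambda: 1)()",
    ):
        print(f"{sample!r:40} -> {'ok' if is_safe_expression(sample) else 'REJECTED'}")
```

An allow-list like this makes the accepted language explicit, so when a real caller turns out to need more (the situation the report describes with pandas and pyfai) the fix is to widen the list deliberately rather than to switch the check off and reopen the code execution hole.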