https://resources.whitesourcesoftware.com/blog-whitesource/top-5-new-open-source-security-vulnerabilities-in-march-2019?utm_source=twitter&utm_medium=channel&utm_term=blog-whitesource/top-5-new-open-source-security-vulnerabilities-in-march-2019&utm_content=top5-vulnerabilities-marchpat-li
libssh2, JS-YAML, and the Linux kernel, among others.
The js-yaml version in the AUR is vulnerable:
$ yay -Ss js-yaml
aur/nodejs-js-yaml 3.10.0-1 (+1 0.00%)
YAML 1.2 parser and writer
https://aur.archlinux.org/packages/nodejs-js-yaml
First Submitted: 2017-09-16 10:20
Last Updated: 2017-09-16 10:21
#3 JS-YAML
Affected versions: All versions prior to 3.13.0
safer-eval is not a package, unless it's there under a different name, and the others are OK at their current versions.
What is YAML?
gnu-yaml
GNU NOT UNIX
YAML AIN'T MARKUP LANGUAGE
UNIX NOT IBM X-operating-system
It's been updated to a secure version:
Package Details: nodejs-js-yaml 3.13.1-1
If you git clone the Artix PKGBUILDs, there are YAML files in a hidden directory:
openrc/.artixlinux/agent.yaml
Contents of this file:
%YAML 1.2
---
label: master
Mysterious secret YAML agents? What do they do?