Your message dated Sun, 08 Dec 2024 17:06:32 +0000
with message-id <e1tkkjo-00epa8...@fasolo.debian.org>
and subject line Bug#1050740: fixed in python-pyramid 2.0.2+dfsg-1
has caused the Debian Bug report #1050740,
regarding python-pyramid: CVE-2023-40587
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1050740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pyramid
Version: 2.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-pyramid.
CVE-2023-40587[0]:
| Pyramid is an open source Python web framework. A path traversal
| vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of
| Python 3.11 that are using a Pyramid static view with a full
| filesystem path and have a `index.html` file that is located exactly
| one directory above the location of the static view's file system
| path. No further path traversal exists, and the only file that could
| be disclosed accidentally is `index.html`. Pyramid version 2.0.2
| rejects any path that contains a null-byte out of caution. While
| valid in directory/file names, we would strongly consider it a
| mistake to use null-bytes in naming files/directories. Secondly,
| Python 3.11 and 3.12 have fixed the underlying issue in
| `os.path.normpath` to no longer truncate on the first `0x00` found,
| returning the behavior to pre-3.11 Python, in an as of yet
| unreleased version. Fixes will be available in: Python 3.12.0rc2 and
| 3.11.5. Some workarounds are available. Use a version of Python 3
| that is not affected, downgrade to Python 3.10 series temporarily,
| or wait until Python 3.11.5 is released and upgrade to the latest
| version of Python 3.11 series.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-40587
https://www.cve.org/CVERecord?id=CVE-2023-40587
[1] https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
[2]
https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85
Regards,
Salvatore
--- End Message ---
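The advisory above describes two layers: the Pyramid 2.0.2 fix (reject any static path containing a null byte) and the interpreter fix (os.path.normpath no longer truncating at the first NUL). The following is an added example, not Pyramid's static_view code nor anything from the Debian package: a hypothetical resolver that applies the null-byte rejection from the advisory and then, as defence in depth, checks that the normalised result is still contained under the static root, so that the outcome never hinges on how the running interpreter's normpath treats a NUL. It uses posixpath with a constructed root so the results are the same on any platform; on a current Python the truncation bug is already gone, so the example demonstrates the mitigation, not the 3.11.0 to 3.11.4 behaviour.

```python
"""Hardened static-path resolution: NUL-byte rejection plus containment check."""
import posixpath

# Constructed example root; any absolute directory would do.
STATIC_ROOT = "/srv/app/static"


class PathRejected(ValueError):
    """The requested sub-path must not be served."""


def resolve_static_path(root: str, request_path: str) -> str:
    """Map an already percent-decoded URL sub-path onto a file under ``root``.

    Hypothetical helper written for this example (not Pyramid's static_view).
    It layers three independent checks so the result does not depend on how
    os.path.normpath happens to treat a NUL byte on the running interpreter:

    1. Reject NUL bytes before any path function sees the string (the check
       Pyramid 2.0.2 added according to the advisory).
    2. Reject '..' segments outright.
    3. After normalisation, verify the candidate still lies under ``root``.
    """
    if "\x00" in request_path:
        raise PathRejected("null byte in requested path")

    # Drop empty and '.' segments produced by '//' or './' in the URL.
    segments = [seg for seg in request_path.split("/") if seg not in ("", ".")]
    if any(seg == ".." for seg in segments):
        raise PathRejected("parent-directory segment in requested path")

    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))

    # Containment: the common prefix of root and candidate must be root itself.
    if posixpath.commonpath([root, candidate]) != root:
        raise PathRejected("resolved path escapes the static root")
    return candidate


def classify(root: str, request_path: str) -> str:
    """Return 'served:<path>' or 'rejected:<reason>' for one request."""
    try:
        return "served:" + resolve_static_path(root, request_path)
    except PathRejected as exc:
        return "rejected:" + str(exc)


# Constructed sample requests, including the shape the advisory is about:
# a NUL byte followed by '..' aimed at an index.html one level above root.
SAMPLE_REQUESTS = [
    "css/site.css",
    "./img//logo.png",
    "../index.html",
    "x\x00/../index.html",
    "\x00",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:28} -> {classify(STATIC_ROOT, req)}")
```

The order of the checks matters: the NUL test runs on the raw string before splitting or normalising, which is exactly the point of the upstream fix, and the containment check at the end catches anything a future normalisation quirk might let through.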
--- Begin Message ---
Source: python-pyramid
Source-Version: 2.0.2+dfsg-1
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-pyramid, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1050...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-pyramid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 08 Dec 2024 16:53:27 +0000
Source: python-pyramid
Architecture: source
Version: 2.0.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1050740 1082259
Changes:
python-pyramid (2.0.2+dfsg-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2023-40587: Removed support for null-bytes in the path when making
a request for a file against a static_view (closes: #1050740).
* Allow InstancePropertyHelper to accept properties with names on Python
3.13+ (closes: #1082259).
Checksums-Sha1:
5c932607fb842454babce17d2cf6486454742650 2554 python-pyramid_2.0.2+dfsg-1.dsc
5e92bb37bbb8988f4eaf6c339d8300b6b2a265be 406520 python-pyramid_2.0.2+dfsg.orig.tar.xz
30be416a87d81009d0b3f1092db18c8f6fd53697 7584 python-pyramid_2.0.2+dfsg-1.debian.tar.xz
Checksums-Sha256:
bb2bfc763377e31967c9ee0d93b7c8e8363d9a91b259bb02631d16553ff077da 2554 python-pyramid_2.0.2+dfsg-1.dsc
a831232818ff5ca2cd288572c585fea406340ef2c2e44d97f8f069b81bff81fa 406520 python-pyramid_2.0.2+dfsg.orig.tar.xz
ef30a1fcc889efc25e42012159a3d74c73e41a71906bb51bbab40463a90dce6f 7584 python-pyramid_2.0.2+dfsg-1.debian.tar.xz
Files:
6c8024b1abf20dd19328d8dd27da33b4 2554 python optional python-pyramid_2.0.2+dfsg-1.dsc
f1a255c52826284d5cc7d4f2d4edc67e 406520 python optional python-pyramid_2.0.2+dfsg.orig.tar.xz
7f5ccd58fcdc9aa4f1dd329983fb6bb0 7584 python optional python-pyramid_2.0.2+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---