Package: sentry-python
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for sentry-python.

CVE-2024-40647[0]:
| sentry-sdk is the official Python SDK for Sentry.io. A bug in
| Sentry's Python SDK < 2.8.0 allows the environment variables to be
| passed to subprocesses despite the `env={}` setting. In Python's
| `subprocess` calls, all environment variables are passed to
| subprocesses by default. However, if you specifically do not want
| them to be passed to subprocesses, you may use the `env` argument in
| `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib
| integration enabled (which is enabled by default), this expectation
| is not fulfilled, and all environment variables are being passed to
| subprocesses instead. The issue has been patched in pull request
| #3251 and is included in sentry-sdk==2.8.0. We strongly recommend
| upgrading to the latest SDK version. However, if it's not possible,
| and if passing environment variables to child processes poses a
| security risk for you, you can disable all default integrations.

https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
https://github.com/getsentry/sentry-python/pull/3251
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff (2.8.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-40647
    https://www.cve.org/CVERecord?id=CVE-2024-40647

Please adjust the affected versions in the BTS as needed.
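A runnable check for the behaviour the advisory describes, added here as an example and not part of the bug report or the sentry-python project: it sets a marker variable in the parent, spawns a child with `env={}`, and reports whether the marker leaked, then applies the `default_integrations=False` workaround the advisory names so the check can be repeated after Sentry is initialised (the marker name and the empty DSN are constructed for the example).

```python
import os
import subprocess
import sys

# Constructed marker name for this check; any variable not otherwise set works.
MARKER = "SENTRY_ENV_LEAK_CANARY"


def child_sees_marker(env):
    """Set MARKER in this process, spawn a child with the given `env`, and
    return True if the child could read MARKER (i.e. the parent's environment
    leaked through).  env={} should give False; env=None (inherit) gives True."""
    os.environ[MARKER] = "present"
    try:
        proc = subprocess.run(
            [sys.executable, "-c",
             "import os, sys; sys.stdout.write(os.environ.get(%r, ''))" % MARKER],
            env=env, capture_output=True, text=True, check=True,
        )
    finally:
        os.environ.pop(MARKER, None)
    return proc.stdout == "present"


def env_isolation_ok():
    """True when env={} really yields an empty child environment, which is
    what the advisory says is broken with sentry-sdk < 2.8.0 and the Stdlib
    integration active."""
    return not child_sees_marker({})


def init_sentry_without_default_integrations(dsn=""):
    """Apply the workaround the advisory names for SDKs that cannot be upgraded:
    initialise Sentry with default_integrations=False so the Stdlib integration
    (which wraps subprocess) is never installed.  Returns False if sentry_sdk
    is not importable, so the example still runs without it.  The empty DSN
    is an assumption for the example; it disables event sending."""
    try:
        import sentry_sdk
    except ImportError:
        return False
    sentry_sdk.init(dsn=dsn, default_integrations=False)
    return True


if __name__ == "__main__":
    print("inherit (env=None) leaks marker:", child_sees_marker(None))
    print("env={} honoured before Sentry init:", env_isolation_ok())
    if init_sentry_without_default_integrations():
        print("env={} honoured after hardened Sentry init:", env_isolation_ok())
    else:
        print("sentry_sdk not installed; skipping post-init check")
```

Run it inside the service's own virtualenv before and after upgrading: a False from `env_isolation_ok()` after `sentry_sdk.init()` with default integrations means the affected SDK is still in use.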