Your message dated Tue, 24 Oct 2017 19:19:20 +0000
with message-id <e1e74jq-000j9t...@fasolo.debian.org>
and subject line Bug#864818: fixed in python-tablib 0.9.11-3
has caused the Debian Bug report #864818,
regarding python-tablib: CVE-2017-2810
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-tablib
Version: 0.9.11-2
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi,

the following vulnerability was published for python-tablib.

CVE-2017-2810[0]:
| An exploitable vulnerability exists in the Databook loading
| functionality of Tablib 0.11.4. A yaml loaded Databook can execute
| arbitrary python commands resulting in command execution. An attacker
| can insert python into loaded yaml to trigger this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2810
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2810
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307
[2] https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e

For stretch and jessie, we quickly discussed that on IRC, and given
there are no reverse dependencies and low popcon/usage, we suggest
having the fix go in via a future point release; can you contact the
release team for that?

Regards,
Salvatore

--- End Message ---
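The mechanism named in the CVE text above (a Databook loaded from YAML with PyYAML's full loader resolves Python-specific tags) and the fix recorded in the Debian changelog later in this thread ("use safe load") are shown side by side below. This is an added example, not tablib's own code or the upstream patch. It assumes PyYAML is installed and that a serialized Databook is a YAML list of sheets, each a mapping with `title` and `data` keys (both sample documents are constructed here). The tagged document names only the harmless builtin `len`, which is enough to show that the full loader hands back live Python objects while `safe_load` refuses the tag outright.

```python
import yaml  # PyYAML; assumed to be installed for this example

# Constructed sample: a benign Databook-shaped document (list of sheets).
SAFE_DATABOOK = """
- title: Sheet A
  data:
  - {name: alice, score: 3}
  - {name: bob, score: 5}
"""

# Constructed sample: the same shape, but one value carries a PyYAML
# python-specific tag. The tag here only names the builtin `len`; the
# point is that the full loader resolves such tags to Python objects at all.
TAGGED_DATABOOK = """
- title: Sheet B
  data: !!python/name:builtins.len
"""


def load_databook_unsafe(text):
    """Pre-fix behaviour: yaml.Loader honours python/* tags in untrusted input."""
    return yaml.load(text, Loader=yaml.Loader)


def load_databook_safe(text):
    """Post-fix behaviour: safe_load only builds plain YAML types
    (mappings, sequences, scalars) and raises on unknown or python/* tags."""
    return yaml.safe_load(text)


def rejects_python_tags(text):
    """Return True when the safe loader refuses the document, False when it
    loads cleanly. yaml.YAMLError is the base of ConstructorError, which
    safe_load raises for a tag it has no constructor for."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print(load_databook_safe(SAFE_DATABOOK)[0]["title"])      # Sheet A
    print(load_databook_unsafe(TAGGED_DATABOOK)[0]["data"])   # <built-in function len>
    print(rejects_python_tags(TAGGED_DATABOOK))               # True
    print(rejects_python_tags(SAFE_DATABOOK))                 # False
```

`safe_load` rejects the tagged document with a `ConstructorError` rather than constructing anything, so the only change a caller sees on well-formed data is none at all; the same benign Databook loads identically under both functions, which is why the fix was safe to apply as a drop-in replacement.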
--- Begin Message ---
Source: python-tablib
Source-Version: 0.9.11-3

We believe that the bug you reported is fixed in the latest version of
python-tablib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-tablib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 May 2013 15:45:33 +0800
Source: python-tablib
Binary: python-tablib
Architecture: source all
Version: 0.9.11-3
Distribution: unstable
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 python-tablib - format agnostic tabular dataset library
Closes: 864818
Changes:
 python-tablib (0.9.11-3) unstable; urgency=low
 .
   * Ran wrap-and-sort -bast.
   * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
Checksums-Sha1:
 820e6303568eab101060a02e3cc220a13e8b0e54 2195 python-tablib_0.9.11-3.dsc
 3e8530e7d1f6782ebc3043070444ce41069747b3 3240 python-tablib_0.9.11-3.debian.tar.xz
 ada3c53df5bfd4513fe66474ef494d5b1dc87c7a 253632 python-tablib_0.9.11-3_all.deb
 c748388ce64d4968bb26606b32a2e45aa68097dd 7834 python-tablib_0.9.11-3_amd64.buildinfo
Checksums-Sha256:
 751eb1f09b5f3758d1d8f91e55d6d8a1f876b44112cce57622e128d6205d6f6d 2195 python-tablib_0.9.11-3.dsc
 3a38ab917cabf10c585dc8d11f9c7326e2bb4e484acd67115dfb0226ab251f35 3240 python-tablib_0.9.11-3.debian.tar.xz
 98c11b67a22cd4ce1c0af70219e9b0ff52e1046987ca098c0c17f4d0c09856cb 253632 python-tablib_0.9.11-3_all.deb
 a6677324e73edc556ccb4f1f5c70606dfa7a40931581e4accdd66f446d741a21 7834 python-tablib_0.9.11-3_amd64.buildinfo
Files:
 22656c2ad7a29d34fa1f5bb6dfccce26 2195 python optional python-tablib_0.9.11-3.dsc
 05ed41f9346fe694ffbb8bcb014cb580 3240 python optional python-tablib_0.9.11-3.debian.tar.xz
 f6c6681f1bdc11f0052a560f774ceb1c 253632 python optional python-tablib_0.9.11-3_all.deb
 20d0805d06768763d8da04c148147616 7834 python optional python-tablib_0.9.11-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---