Your message dated Sat, 18 Nov 2017 21:32:11 +0000
with message-id <e1egaih-000hm1...@fasolo.debian.org>
and subject line Bug#864818: fixed in python-tablib 0.9.11-2+deb9u1
has caused the Debian Bug report #864818,
regarding python-tablib: CVE-2017-2810
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
864818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-tablib
Version: 0.9.11-2
Severity: grave
Tags: upstream patch security
Justification: user security hole
Hi,
the following vulnerability was published for python-tablib.
CVE-2017-2810[0]:
| An exploitable vulnerability exists in the Databook loading
| functionality of Tablib 0.11.4. A yaml loaded Databook can execute
| arbitrary python commands resulting in command execution. An attacker
| can insert python into loaded yaml to trigger this vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2810
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307
[2] https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e
For stretch and jessie, we quickly discussed that on IRC, and given
there are no reverse dependencies and low popcon/usage, we suggest
having the fix go via a future point release; can you contact the
release team for that?
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-tablib
Source-Version: 0.9.11-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
python-tablib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-tablib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Oct 2017 21:15:19 +0200
Source: python-tablib
Binary: python-tablib
Architecture: source all
Version: 0.9.11-2+deb9u1
Distribution: stretch
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
python-tablib - format agnostic tabular dataset library
Closes: 864818
Changes:
python-tablib (0.9.11-2+deb9u1) stretch; urgency=low
.
* CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
Checksums-Sha1:
7c6f83acf14cd7f6057ed39ca3c7c05bfce51a10 2221 python-tablib_0.9.11-2+deb9u1.dsc
8042ccfb88e6e58aaaf848966355b5bb58e02b65 3236 python-tablib_0.9.11-2+deb9u1.debian.tar.xz
1f706f3f67a41d3a5aa6e996eda7bebd6ea661b5 253880 python-tablib_0.9.11-2+deb9u1_all.deb
bf361bc093643d58b943a36f2a5d78c1c0527156 7741 python-tablib_0.9.11-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
285ff404e3e7b511dae53951c12e1ae75b85e561fcecd9dd97c47ebdf19dce8f 2221 python-tablib_0.9.11-2+deb9u1.dsc
6fbf0e161d33e3b8483ff07c9650ae41d2fcc966bed495536b31c051198e57cd 3236 python-tablib_0.9.11-2+deb9u1.debian.tar.xz
f0f72c9ca79b2fec3266ab3faddac328aebe711685f50cf5c687528d963d1391 253880 python-tablib_0.9.11-2+deb9u1_all.deb
a349d56683aa1e19ab7857662583eb070d9784fe03d983c46f93b78413c655fa 7741 python-tablib_0.9.11-2+deb9u1_amd64.buildinfo
Files:
99b5d445d2b1cdf72e36227b287aa37c 2221 python optional python-tablib_0.9.11-2+deb9u1.dsc
0199b637493f39f12a64aa70d50683a6 3236 python optional python-tablib_0.9.11-2+deb9u1.debian.tar.xz
745e306a9aab701d65dcc78f746a2625 253880 python optional python-tablib_0.9.11-2+deb9u1_all.deb
fb051ccf0e30868f82bdb8d80375e483 7741 python optional python-tablib_0.9.11-2+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
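The CVE text in the bug report ("a yaml loaded Databook can execute arbitrary python commands") and the one-line changelog fix ("use safe load") both come down to the same PyYAML detail: the full `yaml.Loader` honours `!!python/object/apply` and will import and call any Python callable named in the document, while `yaml.safe_load` only builds plain scalars, lists and mappings and refuses unknown tags. The following is an added illustration written for this page, not code from tablib or from the Debian package; it assumes PyYAML is installed, the two YAML documents are constructed here (the "databook" layout is only loosely modelled on tablib's), and `os.getpid` stands in for `os.system` or `subprocess.*` so the demonstration has no side effects.

```python
"""Added example for CVE-2017-2810: yaml.load() vs yaml.safe_load() on untrusted input.

Not tablib's code. PyYAML's full Loader resolves !!python/object/apply by importing
the named module and calling the attribute with the supplied arguments, so any
document an attacker controls becomes arbitrary Python execution. safe_load knows
no python/* tags and raises ConstructorError instead.
"""
import os

import yaml  # PyYAML; assumed to be installed

# Constructed, well-formed "databook"-style document (layout only loosely tablib-like).
BENIGN_YAML = """
- title: quarterly
  headers: [region, revenue]
  data:
    - [north, 10]
    - [south, 12]
"""

# Same document with one attacker-controlled entry appended. os.getpid is a
# harmless stand-in: swap in os.system / subprocess.check_output and the
# unsafe loader would run a shell command the same way.
MALICIOUS_YAML = BENIGN_YAML + "- !!python/object/apply:os.getpid []\n"


def load_databook_unsafe(text: str):
    """Pre-fix pattern: the full (unsafe) Loader, explicitly selected so the
    behaviour is the same on every PyYAML release (old yaml.load() defaulted to it)."""
    return yaml.load(text, Loader=yaml.Loader)


def load_databook_safe(text: str):
    """Post-fix pattern: safe_load constructs only standard YAML types."""
    return yaml.safe_load(text)


def safe_load_rejects(text: str) -> bool:
    """True if safe_load refuses the document because of an unknown/unsafe tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def demonstrate() -> dict:
    """Run both loaders over the constructed inputs and report what happened."""
    unsafe_result = load_databook_unsafe(MALICIOUS_YAML)
    expected_benign = [
        {"title": "quarterly", "headers": ["region", "revenue"],
         "data": [["north", 10], ["south", 12]]}
    ]
    return {
        # the last list element is whatever os.getpid() returned: the callable ran
        "unsafe_loader_ran_os_getpid": unsafe_result[-1] == os.getpid(),
        # safe_load refuses the tagged node rather than executing anything
        "safe_load_rejected_payload": safe_load_rejects(MALICIOUS_YAML),
        # and still parses ordinary tabular data exactly as before
        "safe_load_parsed_benign": load_databook_safe(BENIGN_YAML) == expected_benign,
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check}: {ok}")
```

When auditing a codebase for the same bug, the thing to look for is any `yaml.load(` call on data that can come from outside the process without `Loader=yaml.SafeLoader` (or `yaml.safe_load`); newer PyYAML warns on a bare `yaml.load()`, but the stretch-era releases did not, which is why a library like tablib could ship the unsafe form silently.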