Your message dated Sun, 19 Nov 2017 22:47:49 +0000
with message-id <e1egynr-000es1...@fasolo.debian.org>
and subject line Bug#864818: fixed in python-tablib 0.9.11-2+deb8u1
has caused the Debian Bug report #864818,
regarding python-tablib: CVE-2017-2810
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864818
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-tablib
Version: 0.9.11-2
Severity: grave
Tags: upstream patch security
Justification: user security hole

Hi,

the following vulnerability was published for python-tablib.

CVE-2017-2810[0]:
| An exploitable vulnerability exists in the Databook loading
| functionality of Tablib 0.11.4. A yaml loaded Databook can execute
| arbitrary python commands resulting in command execution. An attacker
| can insert python into loaded yaml to trigger this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2810
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2810
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307
[2] https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e

For stretch and jessie, we quickly discussed that on IRC, and given
there are no reverse dependencies and low popcon/usage, we suggest
having the fix go in via a future point release; can you contact the
release team for that?

Regards,
Salvatore

--- End Message ---
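The root cause behind CVE-2017-2810, as an added illustration that is not tablib's own code and not part of either message above: feeding untrusted YAML to PyYAML's full `yaml.Loader` lets a `!!python/object/apply` tag call any importable function during parsing, whereas `yaml.safe_load` (the "use safe load" fix in the changelog) only knows the core YAML types and refuses such tags. The databook document below is constructed for this example; it mirrors the list-of-sheets layout tablib uses for a Databook, and the payload calls `os.getcwd` rather than a shell command so that running it has no side effect. Requires the `yaml` (PyYAML) package.

```python
import os
import yaml

# Constructed sample (not from the bug report): a Databook-shaped YAML document,
# a list of sheets, each with a title and rows of data. One cell carries a
# PyYAML Python-object tag, which is the vector CVE-2017-2810 describes. It
# calls os.getcwd so the demo is side-effect free; any importable callable,
# e.g. os.system, is reachable the same way.
MALICIOUS_DATABOOK_YAML = """\
- title: Sheet1
  data:
    - name: alice
      note: !!python/object/apply:os.getcwd []
"""

# Constructed benign databook, to show the safe loader still parses normal data.
CLEAN_DATABOOK_YAML = """\
- title: Sheet1
  data:
    - name: alice
      note: hello
- title: Sheet2
  data:
    - name: bob
      note: 42
"""


def load_databook_unsafe(text):
    """Pre-fix behaviour: yaml.Loader honours python/* tags and executes them."""
    return yaml.load(text, Loader=yaml.Loader)


def load_databook_safe(text):
    """Post-fix behaviour: SafeLoader raises ConstructorError on Python tags
    instead of constructing (and therefore calling) anything."""
    return yaml.safe_load(text)


def unsafe_loader_executes_code():
    """True if os.getcwd() was invoked while parsing the malicious document."""
    book = load_databook_unsafe(MALICIOUS_DATABOOK_YAML)
    # The function's return value is what ends up in the cell, proving the call ran.
    return book[0]["data"][0]["note"] == os.getcwd()


def safe_loader_rejects_payload():
    """True if safe_load refuses the document rather than executing the tag."""
    try:
        load_databook_safe(MALICIOUS_DATABOOK_YAML)
    except yaml.constructor.ConstructorError:
        return True
    return False


def safe_loader_matches_unsafe_on_clean_data():
    """The fix is a drop-in for legitimate databooks: both loaders agree."""
    return load_databook_safe(CLEAN_DATABOOK_YAML) == load_databook_unsafe(CLEAN_DATABOOK_YAML)


if __name__ == "__main__":
    print("unsafe loader ran os.getcwd during parse:", unsafe_loader_executes_code())
    print("safe loader rejected the payload:", safe_loader_rejects_payload())
    print("loaders agree on clean data:", safe_loader_matches_unsafe_on_clean_data())
```

When auditing a codebase for the same bug class, grep for `yaml.load(` without `Loader=yaml.SafeLoader` (or without a `safe_load` call); on PyYAML 5.1 and later a bare `yaml.load(text)` emits a warning, but on the versions shipped with jessie and stretch it silently uses the full loader.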
--- Begin Message ---
Source: python-tablib
Source-Version: 0.9.11-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-tablib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-tablib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 24 Oct 2017 21:15:19 +0200
Source: python-tablib
Binary: python-tablib
Architecture: source all
Version: 0.9.11-2+deb8u1
Distribution: jessie
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 python-tablib - format agnostic tabular dataset library
Closes: 864818
Changes:
 python-tablib (0.9.11-2+deb8u1) jessie; urgency=low
 .
   * CVE-2017-2810: apply upstream patch: use safe load (Closes: #864818).
Checksums-Sha1:
 59574b9841b67d8946436b546dc3ed31da785f0f 2221 python-tablib_0.9.11-2+deb8u1.dsc
 c89f3b98e5c10b61ec554553196f88bcd3c146f4 3260 python-tablib_0.9.11-2+deb8u1.debian.tar.xz
 557d00d3de5c065482b86351c7dc3c2757fbc761 254674 python-tablib_0.9.11-2+deb8u1_all.deb
Checksums-Sha256:
 ac63029f3dff990b1f26121531f1f9428cd3a6e0f8ab32f07b12ac80aec2e961 2221 python-tablib_0.9.11-2+deb8u1.dsc
 ce1e62644bee08d8aa5e0cb19dbe3787f2826466661ef6e6a83ab97709515271 3260 python-tablib_0.9.11-2+deb8u1.debian.tar.xz
 9f317fd10cba675b999082f3aba1250f66da8a5b57d50ae3404408b1fa26a80b 254674 python-tablib_0.9.11-2+deb8u1_all.deb
Files:
 765a659d8189bcae415fe1806a55489b 2221 python optional python-tablib_0.9.11-2+deb8u1.dsc
 5c812800c4fc5b71ce4174348dcc2cbd 3260 python optional python-tablib_0.9.11-2+deb8u1.debian.tar.xz
 796876bb5d0c0f16e7b22a12413d3cf8 254674 python optional python-tablib_0.9.11-2+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
