Your message dated Tue, 09 Apr 2019 20:39:05 +0000
with message-id <e1hdxwl-0004kt...@fasolo.debian.org>
and subject line Bug#926602: fixed in jinja2 2.10-2
has caused the Debian Bug report #926602,
regarding jinja2: CVE-2019-10906
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
926602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926602
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jinja2
Version: 2.10-1
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerability was published for jinja2.

CVE-2019-10906[0]:
| In Pallets Jinja before 2.10.1, str.format_map allows a sandbox
| escape.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906
[1] https://palletsprojects.com/blog/jinja-2-10-1-released/
[2] https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jinja2
Source-Version: 2.10-2

We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <pi...@debian.org> (supplier of updated jinja2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Apr 2019 21:58:20 +0200
Source: jinja2
Binary: python-jinja2 python-jinja2-doc python3-jinja2
Architecture: source all
Version: 2.10-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Piotr Ożarowski <pi...@debian.org>
Description:
 python-jinja2 - small but fast and easy to use stand-alone template engine
 python-jinja2-doc - documentation for the Jinja2 Python library
 python3-jinja2 - small but fast and easy to use stand-alone template engine
Closes: 926602
Changes:
 jinja2 (2.10-2) unstable; urgency=high
 .
   [ Thomas Goirand ]
   * CVE-2019-10906: In Pallets Jinja before 2.10.1, str.format_map allows a
     sandbox escape. Applied upstream patch: sandbox_str.format_map.patch
     (Closes: #926602).


--- End Message ---
