Your message dated Fri, 21 May 2021 15:43:47 +0000
with message-id <e1lk7jt-0006kg...@fasolo.debian.org>
and subject line Bug#966233: fixed in pyyaml 5.3.1-4
has caused the Debian Bug report #966233,
regarding pyyaml: CVE-2020-14343
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
966233: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966233
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pyyaml
Version: 5.3.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yaml/pyyaml/issues/420
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for pyyaml.
CVE-2020-14343[0]:
| .load() and FullLoader still vulnerable to fairly trivial RCE
The CVE is for an incomplete fix of CVE-2020-1747, see [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-14343
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14343
[1] https://github.com/yaml/pyyaml/issues/420
Regards,
Salvatore
--- End Message ---
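The report above boils down to an API-usage question for anyone shipping Python on the affected pyyaml versions: every `yaml.load()` call that relies on the default loader, names `FullLoader` explicitly, or goes through the `full_load()` shortcut is in scope for CVE-2020-14343, while `safe_load()` / `Loader=SafeLoader` is not. The following audit script, added here as an example and not code from the Debian bug or from PyYAML itself, walks a Python source tree's AST and classifies each PyYAML loading call by the loader it ends up using. It uses only the standard library, so it runs without PyYAML installed and never executes the code it scans. The `SAMPLE` input and the variable names in it (`text`, `loader_cls`) are constructed for the demonstration.

```python
"""Find PyYAML calls affected by CVE-2020-14343 (and the earlier,
incompletely fixed CVE-2020-1747): yaml.load()/load_all() with no Loader
or with FullLoader/UnsafeLoader/the legacy Loader, plus the full_load()
and unsafe_load() shortcuts. These honour !!python/... tags; the fix on
the caller side is safe_load() or load(..., Loader=SafeLoader).

Added example, not code from the Debian bug report or from PyYAML.
Standard library only (ast); the scanned source is parsed, never run.
"""
import ast
from dataclasses import dataclass

# Loaders whose constructor resolves !!python/... tags. FullLoader was the
# 5.1-5.3.1 default, which CVE-2020-14343 shows is still exploitable.
UNSAFE_LOADERS = {"Loader", "CLoader", "FullLoader", "CFullLoader",
                  "UnsafeLoader", "CUnsafeLoader"}
# Loaders that only build plain scalars, lists and dicts.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

# Loading functions and the loader each one implies (None: read from the call).
IMPLIED_LOADER = {
    "load": None, "load_all": None,
    "full_load": "FullLoader", "full_load_all": "FullLoader",
    "unsafe_load": "UnsafeLoader", "unsafe_load_all": "UnsafeLoader",
    "safe_load": "SafeLoader", "safe_load_all": "SafeLoader",
}


@dataclass
class Finding:
    line: int
    call: str      # the call as written, e.g. "yaml.load"
    loader: str    # loader the call ends up using, or "<default>" / "<expr>"
    risk: str      # "unsafe", "safe" or "review" (loader not a plain name)


def _yaml_bindings(tree):
    """Names bound to the yaml module, and names imported from it."""
    modules, names = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                names[alias.asname or alias.name] = alias.name
    return modules, names


def _resolve(node, modules, names):
    """Map `yaml.X` / imported `X` to the yaml-level name X, else None."""
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id in modules):
        return node.attr
    if isinstance(node, ast.Name) and node.id in names:
        return names[node.id]
    return None


def _loader_of(call, modules, names):
    """Loader passed to load()/load_all(), by keyword or second positional."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _resolve(kw.value, modules, names) or "<expr>"
    if len(call.args) >= 2:
        return _resolve(call.args[1], modules, names) or "<expr>"
    return "<default>"   # FullLoader on 5.1-5.3.1, the unsafe Loader before 5.1


def _written(func):
    if isinstance(func, ast.Attribute):
        return f"{func.value.id}.{func.attr}"
    return func.id


def audit_source(src):
    """Return Findings for every PyYAML loading call in `src`, by line."""
    tree = ast.parse(src)
    modules, names = _yaml_bindings(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = _resolve(node.func, modules, names)
        if func not in IMPLIED_LOADER:
            continue
        loader = IMPLIED_LOADER[func] or _loader_of(node, modules, names)
        if loader in SAFE_LOADERS:
            risk = "safe"
        elif loader in UNSAFE_LOADERS or loader == "<default>":
            risk = "unsafe"
        else:
            risk = "review"
        findings.append(Finding(node.lineno, _written(node.func), loader, risk))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input for the demonstration (not real project code).
SAMPLE = """\
import yaml
from yaml import load, FullLoader, SafeLoader

cfg1 = yaml.load(open("app.yml"))                # no Loader: FullLoader default
cfg2 = yaml.load(text, Loader=yaml.FullLoader)   # explicit FullLoader
cfg3 = yaml.full_load(text)                      # shortcut for FullLoader
ok1 = yaml.safe_load(text)
ok2 = load(text, Loader=SafeLoader)
ok3 = yaml.load(text, yaml.SafeLoader)           # positional Loader
bad = load(text, FullLoader)
odd = yaml.load(text, Loader=loader_cls)         # not decidable statically
"""

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"line {f.line:>3}  {f.risk:<6}  {f.call}(..., Loader={f.loader})")
```

Run it over a real tree with `audit_source(open(path).read())` per file; anything reported as `unsafe` should be changed to `safe_load()` (or `load(..., Loader=SafeLoader)`), and `review` entries need a human to trace where the loader object comes from. Note that the scan only follows direct imports of `yaml`; code that reaches PyYAML through a wrapper or re-export is not seen.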
--- Begin Message ---
Source: pyyaml
Source-Version: 5.3.1-4
Done: Stefano Rivera <stefa...@debian.org>
We believe that the bug you reported is fixed in the latest version of
pyyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 966...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <stefa...@debian.org> (supplier of updated pyyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 May 2021 11:11:00 -0400
Source: pyyaml
Architecture: source
Version: 5.3.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Stefano Rivera <stefa...@debian.org>
Closes: 966233
Changes:
pyyaml (5.3.1-4) unstable; urgency=medium
.
* Team upload.
.
[ Debian Janitor ]
* Apply multi-arch hints.
+ python3-yaml-dbg: Add Multi-Arch: same.
.
[ Stefano Rivera ]
* Resolve CVE-2020-14343, more trivial RCEs in .load() and FullLoader.
(Closes: #966233)
Checksums-Sha1:
9b26e6ea9936451b66d5f4fba470abbeed750289 1542 pyyaml_5.3.1-4.dsc
083aa565edcc70218feb83f38aaa87b2bc965ac2 7756 pyyaml_5.3.1-4.debian.tar.xz
70d0a89ce8da83bfeff5ff905e284384969e103e 5791 pyyaml_5.3.1-4_source.buildinfo
Checksums-Sha256:
ef2a56e41400e8133cdc90d3bf789bdbc1efa14794976fa687966ea8f92ffe7a 1542 pyyaml_5.3.1-4.dsc
2f51f2d3fed9b778fc889047aa4cd380f0421b3ab97f4ae0d140e39d78d50733 7756 pyyaml_5.3.1-4.debian.tar.xz
408b1cbbe78d0b9997146567ac9f403dd27657d7a695ef5b4b3db106983931df 5791 pyyaml_5.3.1-4_source.buildinfo
Files:
9ff35540640392d5bf5d4d7f0b1ab9aa 1542 python optional pyyaml_5.3.1-4.dsc
ccc3f6bbfcc0edf326d599a526aef656 7756 python optional pyyaml_5.3.1-4.debian.tar.xz
790a3132aa82402f0396638d1211e8af 5791 python optional pyyaml_5.3.1-4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYKfOQQAKCRBHew2wJjpU
2MxRAQDueAYajK4HYdGxWJ7ALSSNecl1Bas6ohw3MNQa+xEzVwD9Get6dy5el/J/
Y3jiXUgrJKmXnvuzqelV5XvE7JSvqAc=
=GNEv
-----END PGP SIGNATURE-----
--- End Message ---