Your message dated Fri, 24 Mar 2023 20:49:16 +0000
with message-id <e1pfolc-00fq3v...@fasolo.debian.org>
and subject line Bug#1033295: fixed in cairosvg 2.5.2-1.1
has caused the Debian Bug report #1033295,
regarding cairosvg: CVE-2023-27586: SSRF & DOS vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033295
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cairosvg
Version: 2.5.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for cairosvg.
CVE-2023-27586[0]:
| CairoSVG is an SVG converter based on Cairo, a 2D graphics library.
| Prior to version 2.7.0, Cairo can send requests to external hosts when
| processing SVG files. A malicious actor could send a specially crafted
| SVG file that allows them to perform a server-side request forgery or
| denial of service. Version 2.7.0 disables CairoSVG's ability to access
| other files online by default.
I am planning to look in the current bullseye version for a security
upload, and can have a look as well for doing a NMU reaching bookworm.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-27586
https://www.cve.org/CVERecord?id=CVE-2023-27586
[1] https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
[2] https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
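The advisory quoted above describes the mechanism behind CVE-2023-27586: CairoSVG followed external references (href/xlink:href attributes, CSS url() values) while rendering, so an attacker-supplied SVG could make the converting host issue requests. The following is an added example written for this page, not code from the CairoSVG project or from the bug report. It shows two defensive layers a service that renders user-supplied SVGs would want: a pre-render scan that reports every non-inline reference, and a replacement URL fetcher that only decodes data: URLs and refuses everything else. The fetcher's (url, resource_type) signature mirrors CairoSVG's default fetcher, and the `url_fetcher` keyword used in `render_safely` is assumed to be forwarded to `cairosvg.parser.Tree`; the sample SVG and its hostnames are constructed for the example.

```python
"""Defensive handling of SVGs whose references leave the document.

Added example for CVE-2023-27586 (not CairoSVG project code):
  * find_external_references(): scan an SVG for href/xlink:href and
    CSS url() values that are neither fragments (#id) nor data: URLs.
  * safe_url_fetcher(): a fetcher that resolves only data: URLs, for
    versions of CairoSVG that cannot yet be run with external fetching
    disabled by default.
"""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# Captures the argument of a CSS url(...) up to a quote, ')' or whitespace.
URL_FUNC_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


class ExternalResourceBlocked(Exception):
    """Raised when an SVG would need a resource outside the document."""


def _is_external(ref: str) -> bool:
    """Anything that is not an in-document fragment or an inline data: URL
    would trigger a file or network fetch, so treat it as external."""
    ref = ref.strip()
    if ref == "" or ref.startswith("#"):
        return False
    return urllib.parse.urlsplit(ref).scheme.lower() != "data"


def find_external_references(svg_bytes: bytes) -> list:
    """Return (element tag, reference) pairs for every external reference."""
    root = ET.fromstring(svg_bytes)
    found = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the namespace from the tag
        for attr in HREF_ATTRS:
            ref = elem.get(attr)
            if ref is not None and _is_external(ref):
                found.append((tag, ref.strip()))
        # CSS can also pull resources: style="fill:url(...)" and <style> text.
        texts = [elem.get("style", "")]
        if tag == "style" and elem.text:
            texts.append(elem.text)
        for text in texts:
            for match in URL_FUNC_RE.finditer(text):
                if _is_external(match.group(1)):
                    found.append((tag, match.group(1)))
    return found


def safe_url_fetcher(url: str, resource_type: str) -> bytes:
    """Drop-in fetcher: decode data: URLs, refuse every other scheme."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme.lower() != "data":
        raise ExternalResourceBlocked(
            "refusing %s fetch of %r" % (resource_type, url))
    header, _, payload = parsed.path.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return urllib.parse.unquote_to_bytes(payload)


def fetch_is_blocked(url: str) -> bool:
    """True when safe_url_fetcher refuses the URL (used by the tests)."""
    try:
        safe_url_fetcher(url, "image")
    except ExternalResourceBlocked:
        return True
    return False


def render_safely(svg_bytes: bytes) -> bytes:
    """Reject SVGs with external references, then render with the
    restrictive fetcher. cairosvg is imported lazily so the scanning
    helpers above work without it installed."""
    refs = find_external_references(svg_bytes)
    if refs:
        raise ExternalResourceBlocked("external references: %r" % refs)
    import cairosvg  # assumption: url_fetcher is forwarded to cairosvg.parser.Tree
    return cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=safe_url_fetcher)


# Constructed sample: two network references, one file reference,
# one in-document fragment and one inline data: image.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><style>.a { fill: url(http://internal.example/pattern.svg#p); }</style></defs>
  <image xlink:href="http://internal.example/logo.png" width="10" height="10"/>
  <use href="#local"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
  <rect style="fill:url(file:///tmp/fill.svg)" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for tag, ref in find_external_references(SAMPLE_SVG):
        print("external reference in <%s>: %s" % (tag, ref))
```

Run the scan at upload time and log what it finds; the fetcher is the second line of defence for the render step itself, so a reference the scanner misses (for example one introduced through a construct the regex does not cover) still cannot leave the host. On CairoSVG 2.7.0 or later the same effect is available by leaving the `unsafe` option at its default of False.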
--- Begin Message ---
Source: cairosvg
Source-Version: 2.5.2-1.1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cairosvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated cairosvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 Mar 2023 22:21:22 +0100
Source: cairosvg
Architecture: source
Version: 2.5.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1033295
Changes:
cairosvg (2.5.2-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Don't allow fetching external files unless explicitly asked for
(CVE-2023-27586) (Closes: #1033295)
Checksums-Sha1:
9eee07166b362867758176bcfaccff3aabc5d932 2386 cairosvg_2.5.2-1.1.dsc
d658cf2fb7e4568d12395f398287118662acd507 7476 cairosvg_2.5.2-1.1.debian.tar.xz
8c26072b312ab916d94c379f77daf648e8ffb4f4 7660 cairosvg_2.5.2-1.1_source.buildinfo
Checksums-Sha256:
6a03414f49ef1c5759f3684b714d1a4e1e48f0beda615c1c917cc4d96163ab06 2386 cairosvg_2.5.2-1.1.dsc
e0350298a5192caab517cc163b1cff49ca943ffe2586eea117147df92d79a066 7476 cairosvg_2.5.2-1.1.debian.tar.xz
1615f488b79aa3b5f7173b22a99eb275c41f054476dc63ffb151e518564dee5c 7660 cairosvg_2.5.2-1.1_source.buildinfo
Files:
2b7b138b383ef8792650335a948fdf55 2386 python optional cairosvg_2.5.2-1.1.dsc
34313bc23b7da763c59aec36a342d3e0 7476 python optional cairosvg_2.5.2-1.1.debian.tar.xz
c631befbf5f527cd4ed628446b065544 7660 python optional cairosvg_2.5.2-1.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---