Your message dated Tue, 18 Apr 2023 05:34:15 +0000
with message-id <e1podyp-00b3rl...@fasolo.debian.org>
and subject line Bug#1034182: fixed in owslib 0.27.2-3
has caused the Debian Bug report #1034182,
regarding owslib: CVE-2023-27476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: owslib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
    https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.

--- End Message ---
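The report above describes the XXE class (entity resolution left enabled on XML that an attacker controls). The usual defence on the consuming side has two layers: refuse DTD constructs before parsing at all, and configure the parser so it cannot resolve entities or fetch DTDs. The following is an added example, not OWSLib's code or the upstream patch; the sample documents are constructed, the helper names are my own, and the lxml settings shown are lxml's standard hardening options rather than a claim about what the referenced commit changed.

```python
"""Defensive XML intake for untrusted OGC service responses (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: a benign WFS-style response and one carrying a DTD.
BENIGN_DOC = (
    b'<?xml version="1.0"?>'
    b'<wfs:FeatureCollection xmlns:wfs="http://www.opengis.net/wfs">'
    b'<wfs:member>1</wfs:member></wfs:FeatureCollection>'
)
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY e "expanded">]>'
    b'<r>&e;</r>'
)

_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _text_for_scan(data: bytes) -> str:
    """Normalise raw bytes to str so the scan cannot be dodged by a UTF-16
    encoded document, where a byte search for b"<!DOCTYPE" finds nothing."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def find_dtd_markers(data: bytes) -> list:
    """Return the DTD constructs ("DOCTYPE", "ENTITY") present, in order of
    first appearance and without duplicates. Empty list: no DTD declared."""
    found = []
    for name in _DTD_RE.findall(_text_for_scan(data)):
        name = name.upper()
        if name not in found:
            found.append(name)
    return found


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted service, refusing any document that
    declares a DTD. Service responses such as capabilities documents do not
    need one, so rejecting them has no functional cost for a client."""
    markers = find_dtd_markers(data)
    if markers:
        raise ValueError("rejected XML with DTD constructs: " + ", ".join(markers))
    return ET.fromstring(data)


def hardened_lxml_parser():
    """Return an lxml parser with entity resolution and DTD loading off.
    These are lxml's documented hardening options (assumed good practice,
    not a reproduction of the upstream patch). lxml is imported lazily so
    the stdlib path above runs without it installed."""
    from lxml import etree
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           no_network=True, huge_tree=False)


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_DOC).tag)
    try:
        parse_untrusted(DTD_DOC)
    except ValueError as exc:
        print("rejected:", exc)
```

The pre-parse check is backend-independent, which matters for a library that supports both `lxml` and `xml.etree`: it closes the hole even on a code path that forgot to use the hardened parser, and it treats a DOCTYPE hidden inside a comment as a rejection too, which is the safe direction to fail.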
--- Begin Message ---
Source: owslib
Source-Version: 0.27.2-3
Done: Bas Couwenberg <sebas...@debian.org>

We believe that the bug you reported is fixed in the latest version of
owslib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebas...@debian.org> (supplier of updated owslib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Apr 2023 06:30:11 +0200
Source: owslib
Architecture: source
Version: 0.27.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GIS Project <pkg-grass-de...@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebas...@debian.org>
Closes: 1034182
Changes:
 owslib (0.27.2-3) unstable; urgency=medium
 .
   * Team upload.
   * Add Rules-Requires-Root to control file.
   * Add py3dist overrides for dataclasses.
   * Fix 'Recommends' typo.
   * Bump Standards-Version to 4.6.2, no changes.
   * Add upstream patch to fix CVE-2023-27476.
     (closes: #1034182)
   * Add python3-lxml to build dependencies.
Checksums-Sha1:
 a492ce8bb49c1024589db7f22ab6d24002768b26 2094 owslib_0.27.2-3.dsc
 4868a1e870a2372a81c8f04e15c3b576b0f141a9 7656 owslib_0.27.2-3.debian.tar.xz
 afc10485c10a963fa33dd8ca38e0adb177e7aa5c 8340 owslib_0.27.2-3_amd64.buildinfo
Checksums-Sha256:
 5184d8976bf9cc66c8c5759f416466f4f06b6935c1470a415461f75fc89fdc86 2094 owslib_0.27.2-3.dsc
 cba4162fdb1c50019a46bc30d9f9d3250e6fe7789b17d2fe191a1eb4b30fccd5 7656 owslib_0.27.2-3.debian.tar.xz
 fd69c0eb64b21d036dd86b5f4125fa1848a006c322244e9d026870c9085a8ec8 8340 owslib_0.27.2-3_amd64.buildinfo
Files:
 1a438b2865934510ea1d8ea2f74cf0a3 2094 python optional owslib_0.27.2-3.dsc
 1f0907cd5a81797e182e25a27120e4ab 7656 python optional owslib_0.27.2-3.debian.tar.xz
 a6ce2412c1d8ee9eb837e3ef20e634c8 8340 python optional owslib_0.27.2-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
