Your message dated Tue, 28 May 2024 06:49:24 +0000
with message-id <e1sbqec-009zxa...@fasolo.debian.org>
and subject line Bug#1071628: fixed in python-pymysql 1.1.1-1
has caused the Debian Bug report #1071628,
regarding python-pymysql: CVE-2024-36039
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1071628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071628
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pymysql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-pymysql.

We should also fix this in a DSA; could you prepare debdiffs for
bookworm-security and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
    https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.

--- End Message ---
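The defect class named in the report above, as an added example that is not code from this bug report, from PyMySQL, or from Debian: a toy dict-escaping helper that escapes values but copies keys through untouched, rendered into an INSERT, beside a hardened renderer that treats keys as identifiers and allowlists them against the schema. Every name here (`escape_value`, `escape_dict_unchecked`, `render_insert_unchecked`, `render_insert_hardened`, `validate_keys`, `check_untrusted_json`), the identifier regex and the sample JSON are assumptions constructed for this example; the library's real `escape_dict` and its fix are in the commit linked above and are not reproduced here.

```python
import json
import re
from typing import Any, Dict, FrozenSet, Optional, Tuple

# Hypothetical value escaper: quotes strings and escapes backslash and
# single quote. A simplified stand-in, not PyMySQL's converters.
def escape_value(val: Any) -> str:
    if isinstance(val, bool):
        return "1" if val else "0"
    if isinstance(val, (int, float)):
        return str(val)
    text = str(val).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{text}'"

# Model of the defect: values are escaped, keys are copied through as-is.
def escape_dict_unchecked(params: Dict[str, Any]) -> Dict[str, str]:
    return {key: escape_value(val) for key, val in params.items()}

# Vulnerable shape: column names are taken straight from the dict keys,
# so untrusted JSON keys land in the statement verbatim.
def render_insert_unchecked(table: str, params: Dict[str, Any]) -> str:
    escaped = escape_dict_unchecked(params)
    columns = ", ".join(escaped.keys())
    values = ", ".join(escaped.values())
    return f"INSERT INTO {table} ({columns}) VALUES ({values})"

# Hardened shape: a key must be a plain identifier AND appear in an
# allowlist derived from the schema; accepted keys are backtick-quoted.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def validate_keys(params: Dict[str, Any], allowed: FrozenSet[str]) -> None:
    for key in params:
        if not isinstance(key, str) or not IDENTIFIER_RE.fullmatch(key):
            raise ValueError(f"rejected column name: {key!r}")
        if key not in allowed:
            raise ValueError(f"unknown column: {key!r}")

def render_insert_hardened(table: str, params: Dict[str, Any],
                           allowed: FrozenSet[str]) -> str:
    validate_keys(params, allowed)
    escaped = escape_dict_unchecked(params)
    columns = ", ".join(f"`{key}`" for key in escaped)
    values = ", ".join(escaped.values())
    return f"INSERT INTO `{table}` ({columns}) VALUES ({values})"

def check_untrusted_json(raw: str,
                         allowed: FrozenSet[str]) -> Tuple[str, Optional[str]]:
    """Parse JSON and render it through both paths. The hardened result is
    None when validate_keys refused one of the keys."""
    params = json.loads(raw)
    unchecked = render_insert_unchecked("users", params)
    try:
        hardened: Optional[str] = render_insert_hardened("users", params, allowed)
    except ValueError:
        hardened = None
    return unchecked, hardened

if __name__ == "__main__":
    allowed = frozenset({"name", "age"})
    # Constructed sample input: the quote inside the value gets escaped,
    # the characters inside the key do not.
    untrusted = '{"name": "o\'brien", "age) -- ": 1}'
    unchecked, hardened = check_untrusted_json(untrusted, allowed)
    print(unchecked)  # key text appears verbatim in the statement
    print(hardened)   # None: the hardened path rejected the key
    print(check_untrusted_json('{"name": "o\'brien", "age": 42}', allowed)[1])
```

The point the example makes is that value escaping is the wrong tool for keys: keys become identifiers in the statement, and no amount of string escaping makes an arbitrary identifier safe. Either never build column lists from untrusted input, or validate each key against the schema before it reaches the query text, as `validate_keys` does.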
--- Begin Message ---
Source: python-pymysql
Source-Version: 1.1.1-1
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-pymysql, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-pymysql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 May 2024 08:18:40 +0200
Source: python-pymysql
Architecture: source
Version: 1.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1071628
Changes:
 python-pymysql (1.1.1-1) unstable; urgency=high
 .
   * New upstream release:
     - Fixes CVE-2024-36039 (SQL injection if used with untrusted JSON input
       because keys are not escaped by escape_dict) (Closes: #1071628).
   * Removed 0002-remove_intersphinx.patch now useless.
   * Rebased removed-broken-tests.patch.
   * Added python3-sphinx-rtd-theme as build-depends.
Checksums-Sha1:
 e945f5a1f0aca5019b8b7ba41f1b1c79c1558668 2297 python-pymysql_1.1.1-1.dsc
 c167cad6b02f21f4d190e2c04ccbe46b801915e7 72860 python-pymysql_1.1.1.orig.tar.xz
 eb4dca136137d46eeccf388f58f9d53d96b6b9f2 7196 python-pymysql_1.1.1-1.debian.tar.xz
 f7a289b61f5af0beb7782d915ec4bd639276638a 10027 python-pymysql_1.1.1-1_amd64.buildinfo
Checksums-Sha256:
 2d9e1425f1c8ed88191c192a2737cdb0882ac2ccdfcd3ed4e0f9734d327860df 2297 python-pymysql_1.1.1-1.dsc
 a501d7580f3db3738272838d01d31701c14cd3f3db804f798f6f3324ef83821e 72860 python-pymysql_1.1.1.orig.tar.xz
 1cc4d16568f9c47ccb85d563b2ad5ebaeb3db4b2dbdf55f498d693b606f77bd2 7196 python-pymysql_1.1.1-1.debian.tar.xz
 6b6a09e27a18a03f5268e8c6576459b811e0e0841fc0c96dcc16d97ee9450c58 10027 python-pymysql_1.1.1-1_amd64.buildinfo
Files:
 dbac315e27d90a91a69a6254b71772cf 2297 python optional python-pymysql_1.1.1-1.dsc
 e773e6901526639301750e75cfc8ca62 72860 python optional python-pymysql_1.1.1.orig.tar.xz
 1997e1c4d130e83fbefd6acf58d3564f 7196 python optional python-pymysql_1.1.1-1.debian.tar.xz
 aa127257f7e1dc733ff17f5598f47732 10027 python optional python-pymysql_1.1.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmZVesgACgkQ1BatFaxr
Q/72nA//dDp6HtHNxlwb22zVkUFUAdSGjLFhupcZ3Tgqbw53rTZW45YLAo/g5PaI
9eqgxGud1t5bYBxrfWnW9AMzaDQe6UW4XT5FfuBri0lBcPCnZWykFv1KgL/aT1HY
Rk2NqdSfH8eMm4BVVEfR8yfbKFaRGM1GVOwpuM68XyeQ+kUa+vCVR8IQt3+UAwYC
gjuZkeijFNgMgHhCgRonb0/0QsKqwLUiB32lV8RXmBK77o2wcCs07gZSdGL9bnFJ
XFC9ol0RcMSZIZpj8ypt9YeOLVMYqZm4JVqSoxK44kSKNLvDMVOeecttCA/fN6M2
+hM/ufj10hN1u1xOdpRWF4QrwivbQzIStw0yXVXnDVNz7unFR/3bedf9ilbc2PoL
lI+BnywzVPZMfb6GN4QFqRACXrQXKG2wJZQbX450LNoM8ax0beRDD4Vq9KWOE3aN
7IewAgNy2VxDyEuiSfeHpjn7YLsd14+YlI2MPM+hewGg17FgVizYoAZtiEmCMDvl
dw8qYXVGNvDjm75AAGLomo1toLDVfS8cvMCXEXZEyE7jOMeVNp5DvFwjmP1jqoYP
KBuu57072M62cEPP/VehSUqmcAugvm2bl/fUvJPP+aqUkT18aZwXowPbYIktAlD3
EtFuc8eyjasJVAV5RFwXcfv3ntt5aTnYNjgNdowH6TPLGAnNcc0=
=Z3jx
-----END PGP SIGNATURE-----



--- End Message ---
