Your message dated Mon, 27 Jan 2025 21:09:04 +0000
with message-id <e1tcwlw-00gq4u...@fasolo.debian.org>
and subject line Bug#1094026: fixed in restrictedpython 8.0-1
has caused the Debian Bug report #1094026,
regarding restrictedpython: CVE-2025-22153
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1094026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: restrictedpython
Version: 6.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for restrictedpython.
CVE-2025-22153[0]:
| RestrictedPython is a tool that helps to define a subset of the
| Python language which allows to provide a program input into a
| trusted environment. Via a type confusion bug in versions of the
| CPython interpreter starting in 3.11 and prior to 3.13.2 when using
| `try/except*`, RestrictedPython starting in version 6.0 and prior to
| version 8.0 could be bypassed. The issue is patched in version 8.0
| of RestrictedPython by removing support for `try/except*` clauses.
| No known workarounds are available.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-22153
    https://www.cve.org/CVERecord?id=CVE-2025-22153
[1] https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-gmj9-h825-chq2
[2] https://github.com/zopefoundation/RestrictedPython/commit/48a92c5bb617a647cffd0dadd4d5cfe626bcdb2f
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: restrictedpython
Source-Version: 8.0-1
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
restrictedpython, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1094...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated restrictedpython
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 27 Jan 2025 20:35:21 +0000
Source: restrictedpython
Architecture: source
Version: 8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1084057 1094026
Changes:
restrictedpython (8.0-1) unstable; urgency=medium
.
* Team upload.
* debian/watch: Accept lower-case restrictedpython-*.
* New upstream release:
  - CVE-2024-47532: Prevent information leakage via `AttributeError.obj` and the `string` module (closes: #1084057).
  - CVE-2025-22153: Disallow `try/except*` clauses due to a possible sandbox escape and probable uselessness of this feature in the context of `RestrictedPython`. In addition, remove `ExceptionGroup` from `safe_builtins` (as useful only with `try/except*`) (closes: #1094026).
* Use dh-sequence-python3.
* Use pybuild-plugin-pyproject.
* Switch to autopkgtest-pkg-pybuild.
--- End Message ---
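The hardening described in both messages (the CVE text in the first, the changelog entry in the second: reject `try/except*` and drop `ExceptionGroup`) can be verified as a pre-flight policy check on untrusted source before it reaches any sandbox, which is useful while a fixed package is still rolling out. This is an added example, not RestrictedPython's own code; it uses only the standard library and constructed sample snippets.

```python
"""Pre-flight policy check mirroring the RestrictedPython 8.0 hardening:
reject ``try/except*`` and any reference to ``ExceptionGroup`` in untrusted
source. Added example, not RestrictedPython code."""
from __future__ import annotations

import ast

# ast.TryStar only exists on CPython >= 3.11. On older interpreters the
# ``except*`` syntax is a SyntaxError at parse time, which is also rejected.
_TRY_STAR = getattr(ast, "TryStar", None)
_BANNED_NAMES = frozenset({"ExceptionGroup"})


def find_violations(source: str) -> list[str]:
    """Return human-readable findings; an empty list means the source passed."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [f"line {exc.lineno}: not parseable: {exc.msg}"]
    findings: list[str] = []
    for node in ast.walk(tree):
        if _TRY_STAR is not None and isinstance(node, _TRY_STAR):
            findings.append(f"line {node.lineno}: try/except* is not allowed")
        elif isinstance(node, ast.Name) and node.id in _BANNED_NAMES:
            findings.append(f"line {node.lineno}: {node.id} is not allowed")
        elif isinstance(node, ast.Attribute) and node.attr in _BANNED_NAMES:
            findings.append(f"line {node.lineno}: attribute {node.attr} is not allowed")
    return findings


def is_allowed(source: str) -> bool:
    """True only when no policy finding was produced."""
    return not find_violations(source)


# Constructed sample inputs (not from the advisory).
SAFE_SNIPPET = "try:\n    x = 1 / 0\nexcept ZeroDivisionError:\n    x = 0\n"
STAR_SNIPPET = "try:\n    pass\nexcept* ValueError as eg:\n    pass\n"
GROUP_SNIPPET = "raise ExceptionGroup('eg', [ValueError()])\n"

if __name__ == "__main__":
    for label, src in (("safe", SAFE_SNIPPET), ("try/except*", STAR_SNIPPET),
                       ("ExceptionGroup", GROUP_SNIPPET)):
        print(f"{label}: {'allowed' if is_allowed(src) else find_violations(src)}")
```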