Your message dated Sat, 25 Apr 2020 15:02:15 +0000
with message-id <[email protected]>
and subject line Bug#942763: fixed in python-reportlab 3.5.13-1+deb10u1
has caused the Debian Bug report #942763,
regarding python-reportlab: CVE-2019-17626: remote code execution in colors.py
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
942763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942763
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-reportlab
Version: 3.5.28-1
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code
Hi,
python-reportlab is affected by the following vulnerability:
CVE-2019-17626[0]: "ReportLab through 3.5.26 allows remote code execution
because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted
XML document with '<span color="' followed by arbitrary Python code."
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-17626
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
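The CVE text quoted in the report names the root cause: an attribute value from the document is handed to eval() before toColor() sees it. As an added example (not ReportLab's code and not the Debian patch), here is one way a defender can accept a colour attribute against a fixed grammar instead of evaluating it; NAMED_COLORS is a constructed stand-in for the library's colour-name table.

```python
import re

# Constructed stand-in for the library's full colour-name table (assumption).
NAMED_COLORS = {
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}

_HEX6 = re.compile(r"^(?:#|0x)([0-9a-fA-F]{6})$")
_HEX3 = re.compile(r"^#([0-9a-fA-F]{3})$")
_NUM = r"\s*(\d+(?:\.\d+)?)\s*"
_RGB = re.compile(r"^rgb\(" + _NUM + "," + _NUM + "," + _NUM + r"\)$")
_TUPLE = re.compile(r"^\(" + _NUM + "," + _NUM + "," + _NUM + r"\)$")


def safe_to_color(value):
    """Parse an untrusted colour attribute against a fixed grammar, no eval().

    Accepted: a known colour name, #rgb / #rrggbb / 0xrrggbb, rgb(r, g, b)
    with 0-255 components, or (r, g, b) with 0.0-1.0 floats. Returns an
    (r, g, b) float tuple; anything else raises ValueError, so an attribute
    value carrying Python source is rejected rather than executed.
    """
    if not isinstance(value, str) or len(value) > 64:
        raise ValueError("colour attribute must be a short string")
    s = value.strip()
    if s.lower() in NAMED_COLORS:
        return NAMED_COLORS[s.lower()]
    m = _HEX3.match(s)
    if m:  # expand each nibble, e.g. "#fa0" -> "ffaa00"
        return tuple(int(c * 2, 16) / 255.0 for c in m.group(1))
    m = _HEX6.match(s)
    if m:
        h = m.group(1)
        return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    m = _RGB.match(s)
    if m:
        parts = tuple(float(p) for p in m.groups())
        if max(parts) > 255:
            raise ValueError("rgb() components must be within 0-255")
        return tuple(p / 255.0 for p in parts)
    m = _TUPLE.match(s)
    if m:
        parts = tuple(float(p) for p in m.groups())
        if max(parts) > 1.0:
            raise ValueError("tuple components must be within 0.0-1.0")
        return parts
    raise ValueError("unrecognised colour syntax: %r" % (value,))
```

The point of the whitelist is that the accepted forms are a closed set: a value such as "Color(1,0,0)", which an eval()-based path would happily execute, is simply a parse failure here.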
--- Begin Message ---
Source: python-reportlab
Source-Version: 3.5.13-1+deb10u1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-reportlab, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated python-reportlab
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 24 Apr 2020 22:29:45 +0200
Source: python-reportlab
Architecture: source
Version: 3.5.13-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Matthias Klose <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 942763
Changes:
python-reportlab (3.5.13-1+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Address remote code execution in colors.py (CVE-2019-17626)
(Closes: #942763)
--- End Message ---