Your message dated Sat, 03 Jun 2023 20:48:55 +0000
with message-id <[email protected]>
and subject line Bug#1034152: fixed in configobj 5.0.8-2
has caused the Debian Bug report #1034152,
regarding configobj: CVE-2023-26112
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1034152: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034152
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: configobj
Version: 5.0.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/DiffSK/configobj/issues/232
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for configobj.
CVE-2023-26112[0]:
| All versions of the package configobj are vulnerable to Regular
| Expression Denial of Service (ReDoS) via the validate function, using
| (.+?)\((.*)\). **Note:** This is only exploitable in the case of a
| developer, putting the offending value in a server side configuration
| file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-26112
https://www.cve.org/CVERecord?id=CVE-2023-26112
[1] https://github.com/DiffSK/configobj/issues/232
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: configobj
Source-Version: 5.0.8-2
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
configobj, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated configobj package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 03 Jun 2023 16:23:41 -0400
Source: configobj
Architecture: source
Version: 5.0.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1034152
Changes:
configobj (5.0.8-2) unstable; urgency=medium
.
* Patch: Resolve CVE-2023-26112, a Regular Expression Denial of Service
attack. (Closes: #1034152)
* Clean correctly.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---