Your message dated Mon, 26 Feb 2024 01:49:41 +0000
with message-id <e1req7h-00ajgo...@fasolo.debian.org>
and subject line Bug#1064514: fixed in pymatgen 2024.1.27+dfsg1-6
has caused the Debian Bug report #1064514,
regarding pymatgen: CVE-2024-23346
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1064514: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pymatgen
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pymatgen.

CVE-2024-23346[0]:
| Pymatgen (Python Materials Genomics) is an open-source Python
| library for materials analysis. A critical security vulnerability
| exists in the
| `JonesFaithfulTransformation.from_transformation_str()` method
| within the `pymatgen` library prior to version 2024.2.20. This
| method insecurely utilizes `eval()` for processing input, enabling
| execution of arbitrary code when parsing untrusted input. Version
| 2024.2.20 fixes this issue.

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23346
    https://www.cve.org/CVERecord?id=CVE-2024-23346

Please adjust the affected versions in the BTS as needed.
--- End Message ---
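The advisory above describes the vulnerability class (a string parser built on `eval()`) but not what a safe replacement looks like. The following is an added example written for this page, not pymatgen's own code and not the upstream fix (the Debian changelog indicates upstream moved to sympy): it parses a transformation string of the assumed layout `x,y,z;t1,t2,t3` (three linear expressions in `a`, `b`, `c`, then three rational translation components) by walking a Python `ast` and accepting only a whitelist of node types, so no input text is ever executed. Names, the exact string layout and the row-wise matrix representation are assumptions for illustration.

```python
"""Whitelist-based parsing of transformation strings without eval().

Added example, not pymatgen's implementation. The assumed string layout is
'x,y,z;t1,t2,t3' where x, y, z are linear expressions in a, b, c with
rational coefficients and t1..t3 are plain rationals.
"""
import ast
from fractions import Fraction
from typing import List, Tuple

AXES = ("a", "b", "c")  # assumed coordinate symbols

# A linear form: coefficients of a, b, c and a constant term, all exact.
Linear = Tuple[Fraction, Fraction, Fraction, Fraction]


def _lin(a=0, b=0, c=0, k=0) -> Linear:
    return (Fraction(a), Fraction(b), Fraction(c), Fraction(k))


def _add(x: Linear, y: Linear) -> Linear:
    return tuple(p + q for p, q in zip(x, y))  # type: ignore[return-value]


def _scale(x: Linear, s: Fraction) -> Linear:
    return tuple(p * s for p in x)  # type: ignore[return-value]


def _is_const(x: Linear) -> bool:
    return x[0] == x[1] == x[2] == 0


def _walk(node: ast.AST) -> Linear:
    """Reduce a whitelisted AST node to a linear form; anything else raises."""
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return _lin(k=Fraction(node.value).limit_denominator(10**6))
    if isinstance(node, ast.Name):
        if node.id not in AXES:
            raise ValueError(f"unknown symbol {node.id!r}")
        return _lin(**{node.id: 1})
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        v = _walk(node.operand)
        return v if isinstance(node.op, ast.UAdd) else _scale(v, Fraction(-1))
    if isinstance(node, ast.BinOp):
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Add):
            return _add(left, right)
        if isinstance(node.op, ast.Sub):
            return _add(left, _scale(right, Fraction(-1)))
        if isinstance(node.op, ast.Mult):
            # Keep the result linear: at least one factor must be a pure number.
            if _is_const(left):
                return _scale(right, left[3])
            if _is_const(right):
                return _scale(left, right[3])
            raise ValueError("product of two coordinates is not linear")
        if isinstance(node.op, ast.Div):
            if not _is_const(right) or right[3] == 0:
                raise ValueError("division must be by a non-zero number")
            return _scale(left, 1 / right[3])
    # Calls, attributes, subscripts, comparisons, lambdas, ... all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def parse_linear(expr: str) -> Linear:
    """Parse one component such as '-a+b+1/2'. ast.parse only builds a tree;
    nothing in the input is executed."""
    tree = ast.parse(expr.strip(), mode="eval")
    return _walk(tree.body)


def parse_transformation(s: str) -> Tuple[List[List[Fraction]], List[Fraction]]:
    """Parse 'x,y,z;t1,t2,t3' into a 3x3 matrix P (one row per component)
    and a translation vector p. Rejects anything outside the grammar."""
    rot_part, sep, trans_part = s.partition(";")
    if sep != ";":
        raise ValueError("expected 'rotation;translation'")
    rows = [parse_linear(x) for x in rot_part.split(",")]
    trans = [parse_linear(x) for x in trans_part.split(",")]
    if len(rows) != 3 or len(trans) != 3:
        raise ValueError("need exactly three components on each side")
    if any(r[3] != 0 for r in rows) or any(not _is_const(t) for t in trans):
        raise ValueError("rotation must be homogeneous, translation purely numeric")
    return [list(r[:3]) for r in rows], [t[3] for t in trans]


def is_safe(s: str) -> bool:
    """True if the string is accepted by the whitelist grammar."""
    try:
        parse_transformation(s)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    print(parse_transformation("a-b,a+b,c;0,0,1/2"))
    print(is_safe("abs(a),b,c;0,0,0"))  # function calls are rejected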
--- Begin Message ---
Source: pymatgen
Source-Version: 2024.1.27+dfsg1-6
Done: Drew Parsons <dpars...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pymatgen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Drew Parsons <dpars...@debian.org> (supplier of updated pymatgen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 26 Feb 2024 00:56:58 +0100
Source: pymatgen
Architecture: source
Version: 2024.1.27+dfsg1-6
Distribution: unstable
Urgency: medium
Maintainer: Debichem Team <debichem-de...@lists.alioth.debian.org>
Changed-By: Drew Parsons <dpars...@debian.org>
Closes: 1064514
Changes:
 pymatgen (2024.1.27+dfsg1-6) unstable; urgency=medium
 .
   * debian/tests test-pymatgen Depends: packmol for io/test_packmol.py.
     Also Build-Depends.
   * debian patch for CVE-2024-23346
     CVE-2024-23346_JonesFaithfulTransformation_sympy-c231cbd.patch
     applies upstream commit c231cbd to fix security vulnerability
     in JonesFaithfulTransformation. Closes: #1064514.
Checksums-Sha1:
 20c1bb46f631694cdceb1fa4853889d7b2e48c25 3148 pymatgen_2024.1.27+dfsg1-6.dsc
 769d9934975c8bb9ebc47d808ab0e3d487d9ad93 15184 pymatgen_2024.1.27+dfsg1-6.debian.tar.xz
Checksums-Sha256:
 ec6ca3d267889b246fcce48dcff92c660fd423fa7d243a6af72673f297da09ca 3148 pymatgen_2024.1.27+dfsg1-6.dsc
 4b33521c0873f0e416606692fe330df99cb7f58fbc3376918128b872ab3dda5d 15184 pymatgen_2024.1.27+dfsg1-6.debian.tar.xz
Files:
 4d9240fa6334e2438da97841c9023d2e 3148 python optional pymatgen_2024.1.27+dfsg1-6.dsc
 6e6acf5f6db33bcfc8a3c84098fc8fd6 15184 python optional pymatgen_2024.1.27+dfsg1-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEI8mpPlhYGekSbQo2Vz7x5L1aAfoFAmXb6UwACgkQVz7x5L1a
AfrcRw//YN/1cobJNSZvb7PEtgiJ2J+9OpGY9E29KqBCrC69RTz9DFlzV4QqA2pu
ewmNycI4gabAWOKuPQJ1o2CHbgwhCvc40QUicQXFRS7Y2EYRD5b8eslbcOWWVyNh
Vs2WHPIanKIlhcUZW2pAvynj04e7yCqJBBDCfpFpo7YkfKP/aSmoeHQnLbZkF0oa
AdpPAS9G5sIBxWjSe6n2js3zAoSQYdiO7whoJ1ofoalo1biBCUK736JnezMTyPAY
gCNBsEeLZIhzz0/OsI01/IhTkmVH/3SU/fmUBMbL2K8WR25oFRWhZ2BlmKdq1YrN
wDthsR2V2nONoOP+tKZj6uLEaD/gE2TAbeJisuo9wLU51sUiFNHeP1G5POgv6qMM
+zqFAZ8m5bChN7YrImExhzxhs7aY4SgNw3Huhmud8I/JCcHto84tbwujndWMAxLO
KJA4izGlbdsSU1jjKwS/4QMKHXC32dRilVCp5mlUu7KesclboKZCcPqgArzpmK+l
XnUUFA+cALWhEDCKDUTVJ6xCj48L/SZJIDl7P22DLAT2ATan/l3532PecVcKCUKK
sqtn9oyWtdemW8cvX7ybKzdv+rv+9Ok0sWPPjkmMWDzmA2/ProlGf1xoGSXkwtPJ
pO2cJhP7E9ZWkRcgPMaa5cartooEBwyOx4IvWYHS/sklXOdEoHU=
=2Dbj
-----END PGP SIGNATURE-----
--- End Message ---