Your message dated Tue, 05 Mar 2024 08:49:43 +0000
with message-id <[email protected]>
and subject line Bug#1060748: fixed in jinja2 3.1.3-1
has caused the Debian Bug report #1060748,
regarding jinja2: CVE-2024-22195: HTML attribute injection when passing user
input as keys to xmlattr filter
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060748
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jinja2
Version: 3.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for jinja2.
CVE-2024-22195[0]:
| Jinja is an extensible templating engine. Special placeholders in
| the template allow writing code similar to Python syntax. It is
| possible to inject arbitrary HTML attributes into the rendered HTML
| template, potentially leading to Cross-Site Scripting (XSS). The
| Jinja `xmlattr` filter can be abused to inject arbitrary HTML
| attribute keys and values, bypassing the auto escaping mechanism and
| potentially leading to XSS. It may also be possible to bypass
| attribute validation checks if they are blacklist-based.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-22195
https://www.cve.org/CVERecord?id=CVE-2024-22195
[1] https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
[2] https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
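As an added illustration of the bug class the report describes (this is constructed example code, not Jinja's own source): a stand-in for the affected filter that HTML-escapes keys and values but lets spaces and `=` through, so a user-controlled key can smuggle a second attribute, beside a hardened variant that allowlists attribute names before rendering. The allowlist pattern and the sample input are my assumptions.

```python
import html
import re
from typing import Any, Mapping

# Plain attribute names only. Spaces, '=', '/', '>' and quotes can end the
# current attribute or tag and start another, which is the injection the
# advisory describes. The pattern is an assumption for this example.
_ATTR_NAME_RE = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*", re.ASCII)


def xmlattr_unchecked(attrs: Mapping[str, Any]) -> str:
    """Stand-in for the affected behaviour: keys and values are HTML-escaped,
    but escaping does not touch spaces or '=', so keys are not validated."""
    return "".join(
        f' {html.escape(str(key))}="{html.escape(str(value))}"'
        for key, value in attrs.items()
        if value is not None
    )


def validate_attr_keys(attrs: Mapping[str, Any]) -> Mapping[str, Any]:
    """Reject any key that is not a plain attribute name (raise ValueError)."""
    for key in attrs:
        if not _ATTR_NAME_RE.fullmatch(str(key)):
            raise ValueError(f"invalid character in attribute name: {key!r}")
    return attrs


def xmlattr_checked(attrs: Mapping[str, Any]) -> str:
    """Hardened variant: validate keys first, then render as before."""
    return xmlattr_unchecked(validate_attr_keys(attrs))


def demo() -> tuple[str, bool]:
    # Constructed input: the key uses unquoted attribute syntax so that
    # quote-escaping alone does not stop a second attribute from appearing.
    user_attrs = {"data-id=1 hidden": "x", "title": 'a "quoted" title'}
    leaked = xmlattr_unchecked(user_attrs)   # emits an extra 'hidden' attribute
    try:
        xmlattr_checked(user_attrs)
        rejected = False
    except ValueError:
        rejected = True                       # hardened variant refuses the key
    return leaked, rejected
```

Treat the `ValueError` as a signal to log and reject the request; it means caller-supplied data reached an attribute name, which should never happen in a safe template.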
--- Begin Message ---
Source: jinja2
Source-Version: 3.1.3-1
Done: Hans-Christoph Steiner <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hans-Christoph Steiner <[email protected]> (supplier of updated jinja2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 05 Mar 2024 09:32:06 +0100
Source: jinja2
Architecture: source
Version: 3.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Hans-Christoph Steiner <[email protected]>
Closes: 1060748
Changes:
jinja2 (3.1.3-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 3.1.3 (Closes: #1060748)
* CVE-2024-22195: HTML attribute injection when passing user input as
keys to xmlattr filter
--- End Message ---