Your message dated Wed, 22 Jan 2025 13:05:34 +0000
with message-id <[email protected]>
and subject line Bug#1091329: fixed in jinja2 3.1.5-1
has caused the Debian Bug report #1091329,
regarding jinja2: CVE-2024-56201
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1091329: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091329
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jinja2
Version: 3.1.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pallets/jinja/issues/1792
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.1.3-1.1
Hi,
The following vulnerability was published for jinja2.
CVE-2024-56201[0]:
| Jinja is an extensible templating engine. Prior to 3.1.5, a bug in
| the Jinja compiler allows an attacker that controls both the content
| and filename of a template to execute arbitrary Python code,
| regardless of whether Jinja's sandbox is used. To exploit the
| vulnerability, an attacker needs to control both the filename and
| the contents of a template. Whether that is the case depends on the
| type of application using Jinja. This vulnerability impacts users of
| applications which execute untrusted templates where the template
| author can also choose the template filename. This vulnerability is
| fixed in 3.1.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-56201
https://www.cve.org/CVERecord?id=CVE-2024-56201
[1] https://github.com/pallets/jinja/issues/1792
[2] https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
[3] https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: jinja2
Source-Version: 3.1.5-1
Done: Sean Whitton <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jinja2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sean Whitton <[email protected]> (supplier of updated jinja2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 22 Jan 2025 12:55:28 +0000
Source: jinja2
Architecture: source
Version: 3.1.5-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Sean Whitton <[email protected]>
Closes: 1091329 1091331
Changes:
jinja2 (3.1.5-1) unstable; urgency=high
.
* Team upload.
* New upstream release
- CVE-2024-56201: Compiler sandbox escape (Closes: #1091329)
- CVE-2024-56326: Compiler sandbox escape (Closes: #1091331).
* Update path to examples, examples/* -> docs/examples/*.
* Stop trying to install CHANGES.rst, which has gone.
* Add build-deps on flit, pybuild-plugin-pyproject.
* Add autopkgtest dep on python3-all given use of 'py3versions -s'.
* Drop backported upstream commits included in this release.
* Refresh remaining patches.
--- End Message ---