Your message dated Sun, 09 Mar 2025 17:22:07 +0000
with message-id <[email protected]>
and subject line Bug#1099084: fixed in spotipy 2.25.1-1
has caused the Debian Bug report #1099084,
regarding spotipy: CVE-2025-27154
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1099084: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099084
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: spotipy
Version: 2.25.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for spotipy.

CVE-2025-27154[0]:
| Spotipy is a lightweight Python library for the Spotify Web API. The
| `CacheHandler` class creates a cache file to store the auth token.
| Prior to version 2.25.1, the file created has `rw-r--r--` (644)
| permissions by default, when it could be locked down to `rw-------`
| (600) permissions. This leads to overly broad exposure of the
| spotify auth token. If this token can be read by an attacker
| (another user on the machine, or a process running as another user),
| it can be used to perform administrative actions on the Spotify
| account, depending on the scope granted to the token. Version 2.25.1
| tightens the cache file permissions.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27154
    https://www.cve.org/CVERecord?id=CVE-2025-27154
[1] https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599
[2] https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2

Regards,
Salvatore

--- End Message ---
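The advisory above contrasts a cache file created with the umask-dependent default (rw-r--r--) against one locked down to rw-------. The following is an added illustration, not spotipy's own code: the pre-fix pattern of a plain open() beside a hardened write that passes an explicit 0600 mode to os.open() and also tightens an existing cache file, since the create mode does not apply to a file that is already there. Function names, the token value and the temporary ".cache" path are constructed for the example.

```python
import json
import os
import stat
import tempfile

# Added example, not spotipy's code: the pre-2.25.1 pattern (plain open(),
# whose mode is 0o666 masked by the umask, i.e. 0644 under the usual 022)
# beside a hardened write that creates the cache with an explicit 0600 and
# also tightens an existing, already-exposed cache file.

def write_cache_open(path, token_info):
    """Pre-fix pattern: the file mode is left to the umask, usually 0644."""
    with open(path, "w") as fh:
        json.dump(token_info, fh)

def write_cache_private(path, token_info):
    """Hardened pattern: create 0600 regardless of umask.

    os.open()'s mode only applies when the file is created, so an existing
    cache that was left group/world-readable is fchmod'ed down as well.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)
        json.dump(token_info, fh)

def cache_is_exposed(path):
    """True if any group or other permission bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demonstrate(umask=0o022):
    """Return (mode, exposed?) after the plain open, then after the hardened write."""
    token_info = {"access_token": "constructed-not-a-real-token"}  # constructed
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".cache")
            write_cache_open(path, token_info)
            before = (stat.filemode(os.stat(path).st_mode), cache_is_exposed(path))
            write_cache_private(path, token_info)  # existing file: fchmod path
            after = (stat.filemode(os.stat(path).st_mode), cache_is_exposed(path))
            return before + after
    finally:
        os.umask(old)
```

cache_is_exposed() is also usable on its own to audit an existing cache file; under a 022 umask demonstrate() returns ("-rw-r--r--", True, "-rw-------", False).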
--- Begin Message ---
Source: spotipy
Source-Version: 2.25.1-1
Done: Edward Betts <[email protected]>

We believe that the bug you reported is fixed in the latest version of
spotipy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edward Betts <[email protected]> (supplier of updated spotipy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Mar 2025 16:31:55 +0000
Source: spotipy
Architecture: source
Version: 2.25.1-1
Distribution: unstable
Urgency: medium
Maintainer: Home Assistant Team <[email protected]>
Changed-By: Edward Betts <[email protected]>
Closes: 1099084
Changes:
 spotipy (2.25.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2025-27154 (Closes: #1099084)
   * Update Standards-Version.




--- End Message ---