Your message dated Fri, 30 Oct 2020 17:18:56 +0000
with message-id <e1kyy3e-000fm9...@fasolo.debian.org>
and subject line Bug#972988: fixed in lookatme 2.3.0-1
has caused the Debian Bug report #972988,
regarding lookatme: CVE-2020-15271
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
972988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972988
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lookatme
Version: 1.2.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for lookatme.

CVE-2020-15271[0]:
| In lookatme (python/pypi package) versions prior to 2.3.0, the package
| automatically loaded the built-in "terminal" and "file_loader"
| extensions. Users that use lookatme to render untrusted markdown may
| have malicious shell commands automatically run on their system. This
| is fixed in version 2.3.0. As a workaround, the
| `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py`
| files may be manually deleted. Additionally, it is always recommended
| to be aware of what is being rendered with lookatme.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15271
[1] https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
[2] https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84
[3] https://github.com/d0c-s4vage/lookatme/pull/110

Regards,
Salvatore

--- End Message ---
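The advisory quoted in the report above gives two facts a defender can act on: versions before 2.3.0 auto-load the "terminal" and "file_loader" extensions, and the interim workaround is to delete `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py`. The following is an added example, not code from the bug report, from Debian, or from the lookatme project: a small Python check that decides whether an installed lookatme falls in the affected range and whether the workaround files are gone. The package directory it inspects and the demonstration directory it builds are constructed for the example; the version boundary and file names come from the advisory text.

```python
"""Added example (not part of the bug report or of lookatme): assess whether an
installed lookatme is affected by CVE-2020-15271 and whether the advisory's
workaround (removing two contrib files) has been applied."""
import importlib.metadata
import os
import re
import tempfile
from typing import Optional, Tuple

# Boundary stated in the advisory: versions prior to 2.3.0 are affected.
FIXED_VERSION = "2.3.0"
# Files the advisory names as the manual workaround, relative to the package dir.
WORKAROUND_FILES = ("contrib/terminal.py", "contrib/file_loader.py")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.0' or a Debian-style '1.2.0-1' into a comparable int tuple.

    Only the leading dotted numeric part is compared; a Debian revision suffix
    such as '-1' does not change the upstream version, so it is ignored.
    Shorter strings are padded so that '2.3' compares equal to '2.3.0'.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if this lookatme version auto-loads the terminal/file_loader extensions."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version() -> Optional[str]:
    """Version of the lookatme distribution in this interpreter, or None if absent."""
    try:
        return importlib.metadata.version("lookatme")
    except importlib.metadata.PackageNotFoundError:
        return None


def workaround_applied(package_dir: str) -> bool:
    """True only if neither extension file named by the advisory exists under package_dir."""
    return not any(os.path.exists(os.path.join(package_dir, f)) for f in WORKAROUND_FILES)


def assess(version: Optional[str], package_dir: Optional[str] = None) -> str:
    """Human-readable verdict combining the version check and the workaround check."""
    if version is None:
        return "lookatme is not installed"
    if not is_affected(version):
        return f"lookatme {version}: fixed (>= {FIXED_VERSION})"
    if package_dir is not None and workaround_applied(package_dir):
        return f"lookatme {version}: affected version, but workaround files are removed"
    return f"lookatme {version}: AFFECTED, upgrade to {FIXED_VERSION} or remove the contrib files"


def demo_workaround_check() -> Tuple[bool, bool]:
    """Constructed demonstration: a throwaway package dir with both extension
    files present, then with them deleted. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "contrib"))
        for f in WORKAROUND_FILES:
            open(os.path.join(d, f), "w").close()
        before = workaround_applied(d)
        for f in WORKAROUND_FILES:
            os.remove(os.path.join(d, f))
        after = workaround_applied(d)
    return before, after


if __name__ == "__main__":
    # Against the real interpreter: report what is installed, if anything.
    print(assess(installed_version()))
    # Against the constructed directory: shows the workaround check flipping.
    print(demo_workaround_check())
```

The version parser deliberately accepts the Debian package versions that appear in this report (1.2.0-1, 2.3.0-1) as well as bare upstream versions, so the same check works whether the package came from pip or from the archive.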
--- Begin Message ---
Source: lookatme
Source-Version: 2.3.0-1
Done: Reiner Herrmann <rei...@reiner-h.de>

We believe that the bug you reported is fixed in the latest version of
lookatme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <rei...@reiner-h.de> (supplier of updated lookatme package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 23 Oct 2020 17:25:58 +0200
Source: lookatme
Architecture: source
Version: 2.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Reiner Herrmann <rei...@reiner-h.de>
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Closes: 972988
Changes:
 lookatme (2.3.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - no longer automatically load "terminal" and "file_loader" extensions,
       which would run commands inside the documents (CVE-2020-15271).
       (Closes: #972988)
   * Drop patch applied in new upstream version.
   * Document copyright of nasa_orion.jpg.
Checksums-Sha1:
 b007c67048e68be4486400b24852c946ec6ae37b 2090 lookatme_2.3.0-1.dsc
 c4ceaad3472f19f9727b36efdd2cbbfc73a0274d 2530262 lookatme_2.3.0.orig.tar.gz
 c0b72caf5edeb7f8a696df48332ac2dd7678a41c 4488 lookatme_2.3.0-1.debian.tar.xz
 0d79fbc56ba19b5a176b6850ddcb8170079d1f1e 8060 lookatme_2.3.0-1_source.buildinfo
Checksums-Sha256:
 cf28633ddd23d86549cd022ab1e3f4fb74994e5b0a233df1d71de1fc94e36fee 2090 lookatme_2.3.0-1.dsc
 34250c54e462a18bc04818f1714f005433c7b3d9ddee969c1583e2170b112ea4 2530262 lookatme_2.3.0.orig.tar.gz
 faa4557e73320342f0ccf235c1132df74efbd0f8f2b37723597aa8ff29ffd0fe 4488 lookatme_2.3.0-1.debian.tar.xz
 30da1ef6b1bffe7c3adf09dbc2a2a43d5634b0645f3eda95bbf92df1ce62bab9 8060 lookatme_2.3.0-1_source.buildinfo
Files:
 3d7e00a21486e456735b9185c5987235 2090 text optional lookatme_2.3.0-1.dsc
 b0b87698c224225f54896d3a63de910e 2530262 text optional lookatme_2.3.0.orig.tar.gz
 db3b811eedad112ccb840b126c851cc0 4488 text optional lookatme_2.3.0-1.debian.tar.xz
 98dd0cbf4e68a509b20268eaed333582 8060 text optional lookatme_2.3.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2Pb6feok2Q1urHM7zPBJKNsO6qcFAl+cRkUACgkQzPBJKNsO
6qe6PhAAty5P6A0qLK+OhWD3MsISiZkgFAKHZpsIONlfOdDslw4fo5wpEH4hfLTx
yacAbRkdjXdZYmAZs6ps/+Pblbos6UYih642U+MEpzJxSC2fxKvhew8wwJ8v4iLK
km14szwzSZOC4VNucUfOfRdTcfPJ9P9j9ufWk2vNTyxzfA3QJtvwGenrBkEqA9F1
uoFxMQGSq86Do5UQt0OKQtBNJNLPEEeGOxL/+quFXiOkuMJtAFSc/gekQGw47IvF
kYiLJL+87S1Tffohfuo5ENFAo59xoXnU4JFBWKqz/bn/pOR3H3wk4fYRJPaoEmnN
rSswrHBzEffDW6cleELriDss8XBNsmNFXx9Mt7E94JlFwjuq0J9e8Bfvp3YTZOr5
uqxtbzbkWejIylqUhXyJSOcyqTUY5ORIwDwxQwPTKoZ4yMTu8NimXaXcqtKB90hD
un+/ZloXo975g1GID00dvbg7A5D/RyxWcxFSOo/7BIK44vRWothrXJL2IvYLpSck
r94Ao8zjzxIqqFJHnfGraPGqtFEF3gqKtFwCptQF8PRZ+PdjZmsifEBbGOQhjxZk
A2Hf3jMX8h6r1f2UN3bZpbYcXktgHNBPJwrTcYvbM46bXMJStaRnx6XbU1btykri
Ki+gzFOexiyzBrKMhGnmr5SVu51y5uoaT0n94jb422n3a33iQQg=
=LWtz
-----END PGP SIGNATURE-----

--- End Message ---