Your message dated Sat, 09 Jan 2021 04:18:57 +0000
with message-id <e1ky5il-00098b...@fasolo.debian.org>
and subject line Bug#969275: fixed in python-uvicorn 0.13.3-1
has caused the Debian Bug report #969275,
regarding python-uvicorn: CVE-2020-7695
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
969275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-uvicorn
Version: 0.11.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.11.3-1
Hi,
The following vulnerability was published for python-uvicorn.
CVE-2020-7695[0]:
| Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF
| sequences are not escaped in the value of HTTP headers. Attackers can
| exploit this to add arbitrary headers to HTTP responses, or even
| return an arbitrary response body, whenever crafted input is used to
| construct HTTP headers.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7695
[1] https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471
[2] https://github.com/encode/uvicorn/issues/719
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
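The CVE description in the report above comes down to header values reaching the wire without a check for CR/LF. As an added example (not uvicorn's code and not its actual fix; the function names and the sample input are constructed for illustration), this contrasts unchecked header serialization with a serializer that refuses such values:

```python
import re

# RFC 7230 token characters for header names; values must not carry CR, LF or NUL.
_NAME_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_BAD_VALUE_RE = re.compile(rb"[\r\n\x00]")


def serialize_naive(status_line, headers, body=b""):
    """Vulnerable pattern: header bytes are concatenated without any check."""
    out = [status_line, b"\r\n"]
    for name, value in headers:
        out += [name, b": ", value, b"\r\n"]
    out += [b"\r\n", body]
    return b"".join(out)


def serialize_checked(status_line, headers, body=b""):
    """Hardened pattern: refuse to emit a header that could change framing."""
    for name, value in headers:
        if not _NAME_RE.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        if _BAD_VALUE_RE.search(value):
            raise ValueError(f"CR/LF/NUL in value of header {name!r}")
    return serialize_naive(status_line, headers, body)


def parse_header_names(raw):
    """Return the header names a client would see in the serialized response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0] for line in head.split(b"\r\n")[1:]]


# Constructed sample: a redirect target copied from request input.
STATUS = b"HTTP/1.1 302 Found"
USER_INPUT = b"/home\r\nX-Injected: constructed"
HEADERS = [(b"location", USER_INPUT), (b"content-length", b"0")]

if __name__ == "__main__":
    # The unchecked serializer yields a header the application never set.
    print(parse_header_names(serialize_naive(STATUS, HEADERS)))
    try:
        serialize_checked(STATUS, HEADERS)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value rather than stripping the CR/LF keeps the failure visible in logs and avoids silently emitting a header the application did not intend.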
--- Begin Message ---
Source: python-uvicorn
Source-Version: 0.13.3-1
Done: Sandro Tosi <mo...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-uvicorn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Tosi <mo...@debian.org> (supplier of updated python-uvicorn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 08 Jan 2021 23:00:04 -0500
Source: python-uvicorn
Architecture: source
Version: 0.13.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sandro Tosi <mo...@debian.org>
Closes: 969275 969276
Changes:
 python-uvicorn (0.13.3-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Update Maintainer field with new Debian Python Team
     contact address.
   * d/control: Update Vcs-* fields with new Debian Python Team Salsa
     layout.
 .
   [ Sandro Tosi ]
   * New upstream release
     - Closes: #969275 CVE-2020-7695
     - Closes: #969276 CVE-2020-7694
   * debian/control
     - run wrap-and-sort
     - add httpx, pytest-mock, trustme to b-d, needed for tests
     - bump Standards-Version to 4.5.1 (no changes needed)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---