Your message dated Sat, 25 Mar 2023 23:04:06 +0000
with message-id <e1pgcve-002ig9...@fasolo.debian.org>
and subject line Bug#1032091: fixed in py7zr 0.11.3+dfsg-5
has caused the Debian Bug report #1032091,
regarding py7zr: CVE-2022-44900
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1032091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032091
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: py7zr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for py7zr.

CVE-2022-40152[0]:
| Those using Woodstox to parse XML data may be vulnerable to Denial of
| Service attacks (DOS) if DTD support is enabled. If the parser is
| running on user supplied input, an attacker may supply content that
| causes the parser to crash by stackoverflow. This effect may support a
| denial of service attack.

https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406 (v0.20.1)
https://lessonsec.com/cve/cve-2022-44900/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40152
    https://www.cve.org/CVERecord?id=CVE-2022-40152

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: py7zr
Source-Version: 0.11.3+dfsg-5
Done: Sandro Tosi <mo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
py7zr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <mo...@debian.org> (supplier of updated py7zr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Mar 2023 18:50:07 -0400
Source: py7zr
Architecture: source
Version: 0.11.3+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <mo...@debian.org>
Changed-By: Sandro Tosi <mo...@debian.org>
Closes: 1032091
Changes:
 py7zr (0.11.3+dfsg-5) unstable; urgency=medium
 .
   [ YOKOTA Hiroshi ]
   * debian/patches/0003-Fix-sanity-check-for-path-traversal-attack.patch
     - backport upstream fix for CVE-2022-44900; Closes: #1032091

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
