On Tue, May 28, 2024 at 09:06:51AM +0200, Thomas Goirand wrote:
> On 5/22/24 17:08, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for python-pymysql.
> >
> > We should also fix this in a DSA; could you prepare debdiffs for
> > bookworm-security and bullseye-security?
> >
> > CVE-2024-36039[0]:
> > | PyMySQL through 1.1.0 allows SQL injection if used with untrusted
> > | JSON input because keys are not escaped by escape_dict.
> >
> > https://github.com/advisories/GHSA-v9hf-5j83-6xpp
> > https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
> > (v1.1.1)
> >
> >
> > If you fix the vulnerability, please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-36039
> >     https://www.cve.org/CVERecord?id=CVE-2024-36039
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> Please find attached to this message the fixes I would like to upload to
> bullseye and bookworm. Please allow these uploads.
>
> Note that I have uploaded the latest upstream version 1.1.1-1 to unstable, which
> includes the patch in these debdiffs.
Thanks! These look fine, please build both with -sa and upload to security-master.

Cheers,
Moritz