Your message dated Sat, 27 Jul 2024 02:44:56 +0000
with message-id <e1sxxqw-007zp3...@fasolo.debian.org>
and subject line Bug#1077209: fixed in python-orjson 3.9.15-1
has caused the Debian Bug report #1077209,
regarding python-orjson: CVE-2024-27454
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077209: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077209
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-orjson
Version: 3.9.14-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/ijl/orjson/issues/458
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-orjson.

CVE-2024-27454[0]:
| orjson.loads in orjson before 3.9.15 does not limit recursion for
| deeply nested JSON documents.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27454
    https://www.cve.org/CVERecord?id=CVE-2024-27454
[1] https://github.com/ijl/orjson/issues/458

Regards,
Salvatore

--- End Message ---
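
For callers that parse untrusted JSON, nesting can be bounded before the parser sees the input, which addresses the unbounded recursion CVE-2024-27454 describes. This is an added example, not code from orjson or from the Debian package; `MAX_DEPTH`, `NestingTooDeep`, `nesting_depth` and `guarded_loads` are hypothetical names and the limit of 128 is an assumption. The standard-library `json.loads` is the default parser here so the block runs without orjson installed; pass `orjson.loads` as `parser` to guard that library.

```python
import json

MAX_DEPTH = 128  # assumed limit for this example; pick one that fits your data


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests arrays/objects beyond the limit."""


def nesting_depth(doc, limit=MAX_DEPTH):
    """Return the maximum array/object nesting depth of a JSON text.

    Scans iteratively (no recursion), ignores brackets inside strings,
    and stops as soon as the limit is exceeded.
    """
    if isinstance(doc, (bytes, bytearray)):
        doc = bytes(doc).decode("utf-8", errors="replace")
    depth = deepest = 0
    in_string = escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting exceeds {limit} levels")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth = max(depth - 1, 0)    # malformed input is left for the parser to reject
    return deepest


def guarded_loads(doc, parser=json.loads, limit=MAX_DEPTH):
    """Check nesting depth first, then hand the document to the parser."""
    nesting_depth(doc, limit)
    return parser(doc)
```
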
--- Begin Message ---
Source: python-orjson
Source-Version: 3.9.15-1
Done: Agathe Porte <gag...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-orjson, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Agathe Porte <gag...@debian.org> (supplier of updated python-orjson package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jul 2024 10:51:53 +0900
Source: python-orjson
Architecture: source
Version: 3.9.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>,
Changed-By: Agathe Porte <gag...@debian.org>
Closes: 1077209
Changes:
 python-orjson (3.9.15-1) unstable; urgency=medium
 .
   * New upstream version 3.9.15 (Closes: #1077209) CVE-2024-27454

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
