Your message dated Thu, 06 Jan 2022 15:52:34 +0000
with message-id <[email protected]>
and subject line Bug#1002623: fixed in nltk 3.6.7-1
has caused the Debian Bug report #1002623,
regarding nltk: CVE-2021-43854
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1002623: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nltk
Version: 3.6.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/nltk/nltk/issues/2866
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nltk.

CVE-2021-43854[0]:
| NLTK (Natural Language Toolkit) is a suite of open source Python
| modules, data sets, and tutorials supporting research and development
| in Natural Language Processing. Versions prior to 3.6.5 are vulnerable
| to regular expression denial of service (ReDoS) attacks. The
| vulnerability is present in PunktSentenceTokenizer, sent_tokenize and
| word_tokenize. Any users of this class, or these two functions, are
| vulnerable to the ReDoS attack. In short, a specifically crafted long
| input to any of these vulnerable functions will cause them to take a
| significant amount of execution time. If your program relies on any of
| the vulnerable functions for tokenizing unpredictable user input, then
| we would strongly recommend upgrading to a version of NLTK without the
| vulnerability. For users unable to upgrade the execution time can be
| bounded by limiting the maximum length of an input to any of the
| vulnerable functions. Our recommendation is to implement such a limit.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-43854
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854
[1] https://github.com/nltk/nltk/issues/2866
[2] https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
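The advisory quoted above recommends bounding input length for users who cannot upgrade. The following is an added example (not code from NLTK or from the Debian report) that applies exactly that mitigation around sent_tokenize/word_tokenize and checks the installed NLTK against 3.6.7, the version this report cites as fixed; MAX_INPUT_CHARS and the offline fallback tokenizers are constructed assumptions.

```python
# Added example (not NLTK's or the Debian report's code): applies the advisory's
# mitigation for CVE-2021-43854 by bounding input length before it reaches
# sent_tokenize/word_tokenize, and checks the installed NLTK against 3.6.7, the
# version this report cites as fixed. MAX_INPUT_CHARS and the offline fallback
# tokenizers are constructed assumptions, not part of NLTK.
import re

FIXED_VERSION = (3, 6, 7)   # fixed version named in the Debian changelog
MAX_INPUT_CHARS = 10_000    # assumed cap; size it to your longest legitimate input

try:
    import nltk
    from nltk.tokenize import sent_tokenize, word_tokenize
    INSTALLED_VERSION = nltk.__version__
except ImportError:          # stand-in tokenizers so the example runs without NLTK
    INSTALLED_VERSION = None

    def sent_tokenize(text):
        return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]

    def word_tokenize(text):
        return re.findall(r"\w+|[^\w\s]", text)


def parse_version(v):
    """'3.6.7' -> (3, 6, 7); non-numeric suffixes such as 'rc1' count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in v.split("."))


def nltk_is_fixed(version=INSTALLED_VERSION):
    """True if version >= 3.6.7, False if older, None if NLTK is not installed."""
    return None if version is None else parse_version(version) >= FIXED_VERSION


def bounded(tokenizer, max_chars=MAX_INPUT_CHARS):
    """Wrap a tokenizer so oversized input is rejected instead of tokenized."""
    def guarded(text):
        if len(text) > max_chars:
            raise ValueError(f"input of {len(text)} chars exceeds cap of {max_chars}")
        return tokenizer(text)
    return guarded


# Use these in place of the raw functions for untrusted text.
safe_sent_tokenize = bounded(sent_tokenize)
safe_word_tokenize = bounded(word_tokenize)
```

The cap only bounds the tokenizer's worst case; the real fix is the upgrade, so treat `nltk_is_fixed()` returning False as a finding in its own right.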
--- Begin Message ---
Source: nltk
Source-Version: 3.6.7-1
Done: Mo Zhou <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nltk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mo Zhou <[email protected]> (supplier of updated nltk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Thu, 06 Jan 2022 10:31:46 -0500
Source: nltk
Architecture: source
Version: 3.6.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <[email protected]>
Changed-By: Mo Zhou <[email protected]>
Closes: 1002623 1003142
Changes:
 nltk (3.6.7-1) unstable; urgency=medium
 .
   * New upstream version 3.6.7 (Closes: #1002623, #1003142)
     Fixes CVE-2021-3842, CVE-2021-43854

--- End Message ---
-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
