Your message dated Thu, 24 Nov 2022 11:22:55 +0000
with message-id <e1oyajj-00d66r...@fasolo.debian.org>
and subject line Bug#1024018: fixed in python-cleo 1.0.0a5-1
has caused the Debian Bug report #1024018,
regarding python-cleo: CVE-2022-42966
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1024018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-cleo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-cleo.

CVE-2022-42966[0]:
| An exponential ReDoS (Regular Expression Denial of Service) can be
| triggered in the cleo PyPI package, when an attacker is able to supply
| arbitrary input to the Table.set_rows method

https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/

This doesn't seem to have been reported upstream yet, can you please
take care of that?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42966
    https://www.cve.org/CVERecord?id=CVE-2022-42966

Please adjust the affected versions in the BTS as needed.

--- End Message ---
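The report above names the bug class (exponential backtracking in a regular expression applied to attacker-supplied cell text) but does not quote the regex involved. The following Python block is an added illustration, not cleo's code and not from the report: it uses a textbook nested-quantifier pattern as a stand-in for whatever `Table.set_rows` applied to its input, and shows the check a reviewer would run before and after a fix of this kind. The pattern, the constructed inputs, the helper names and the length cap are all assumptions for the example.

```python
"""Exponential-backtracking (ReDoS) demonstration and a crude doubling test.

Added example for the CVE-2022-42966 report; the regex below is a
classic textbook case, NOT the pattern from cleo's Table.set_rows.
"""
import re
import time

# Hypothetical vulnerable pattern (assumption, not cleo's). The nested
# quantifiers `(a+)+` let the engine try every way of splitting a run
# of 'a's between the inner and outer groups before the trailing `$`
# can fail, so rejecting "aaaa...a!" costs O(2**n) steps.
VULNERABLE = re.compile(r"^(a+)+$")

# Same accepted language written without nested quantifiers: each 'a'
# can belong to exactly one repetition, so a failed match is O(n).
HARDENED = re.compile(r"^a+$")


def evil_input(n: int) -> str:
    """Constructed input: n 'a's ending in a char that makes `$` fail."""
    return "a" * n + "!"


def match_time(pattern: re.Pattern, text: str, repeat: int = 5) -> float:
    """Best-of-`repeat` wall-clock seconds for one match attempt."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, small: int = 8, large: int = 18) -> float:
    """time(large) / time(small) on constructed evil inputs.

    A linear-time pattern gives a ratio close to large/small; an
    exponential one gives roughly 2 ** (large - small).
    """
    t_small = match_time(pattern, evil_input(small))
    t_large = match_time(pattern, evil_input(large))
    # Floor the denominator at 100 ns so timer resolution alone cannot
    # inflate the ratio for patterns that finish almost instantly.
    return t_large / max(t_small, 1e-7)


def looks_exponential(pattern: re.Pattern, threshold: float = 100.0) -> bool:
    """Doubling test: flag patterns whose cost explodes with input length."""
    return growth_ratio(pattern) > threshold


def safe_match(pattern: re.Pattern, text: str, max_len: int = 4096):
    """Defence in depth: refuse oversized attacker-controlled input
    before handing it to the regex engine (cap is an assumed value)."""
    if len(text) > max_len:
        raise ValueError(f"input longer than {max_len} characters refused")
    return pattern.match(text)


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name}: growth ratio {growth_ratio(pat):.0f}, "
              f"exponential={looks_exponential(pat)}")
```

The doubling test is deliberately crude (it only compares two input sizes) but it is enough to separate a pattern whose cost doubles with every extra character from one whose cost grows with the input length, which is the property the CVE text describes. The length cap does not fix the regex; it only bounds the damage while the pattern is rewritten.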
--- Begin Message ---
Source: python-cleo
Source-Version: 1.0.0a5-1
Done: Emmanuel Arias <eam...@yaerobi.com>

We believe that the bug you reported is fixed in the latest version of
python-cleo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Arias <eam...@yaerobi.com> (supplier of updated python-cleo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 22 Nov 2022 12:39:05 -0300
Source: python-cleo
Architecture: source
Version: 1.0.0a5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Emmanuel Arias <eam...@yaerobi.com>
Closes: 1024018
Changes:
 python-cleo (1.0.0a5-1) unstable; urgency=medium
 .
   * d/watch: Update link to upstream, now is under python-poetry umbrella.
     - Remove debian uupdate from watch file.
   * New upstream version.
   * d/patches: Add patch from upstream to avoid ReDoS security issue
     (CVE-2022-42966). Closes: #1024018.
   * d/control: Bump Standards-Version to 4.6.1.1 (from 4.6.0.1; no further
     changes).
   * d/control: Remove python3-clickit from B-Depends, it's no longer needed.
   * d/copyright: Update Source key in the file.
   * d/control: Update Homepage to the new upstream repository.
   * d/patches: Remove
     0001-add_stylesheet-deprecated-use-add_css_file-instead.patch; it is
     already applied upstream.
   * d/control: Add python3-pylev as Build Depends.
   * d/tests: Update cleo-tests.py according to the new upstream release API.
   * d/control: Remove trivial autopkgtest-pkg-python.
Checksums-Sha1:
 9a6c4079d3e96f49267d26ffa3a27334b6a6a9c4 2369 python-cleo_1.0.0a5-1.dsc
 d0a3cafe1640e9570bd4ba2a1a5a3cac3068123d 144117 python-cleo_1.0.0a5.orig.tar.gz
 e2f7142f52566c6088080864578a61b9812b5698 4120 python-cleo_1.0.0a5-1.debian.tar.xz
 f87be30def7bb38b2649f9d9e0ac409df8035e18 8881 python-cleo_1.0.0a5-1_amd64.buildinfo
Checksums-Sha256:
 29d0c7590412e8ecc4c86d4c9e2dcfc5fe9080214c8fd50bfc773e2e085d000f 2369 python-cleo_1.0.0a5-1.dsc
 b75424b2c3f71dec06342290b255d725a4c02f83f3baa98b0a805162f09515da 144117 python-cleo_1.0.0a5.orig.tar.gz
 c19f2bf4a8f70df43019ebc68544a3a542a4054c44571ab7e210f5e5e44ed8b1 4120 python-cleo_1.0.0a5-1.debian.tar.xz
 ae80b05dabafa5d46b3098458d4dffe300bd6feae476fe4bc3561c2ae346d4d1 8881 python-cleo_1.0.0a5-1_amd64.buildinfo
Files:
 25f28c37f32be010e07c366bb90c03bd 2369 python optional python-cleo_1.0.0a5-1.dsc
 8146328973f05ae6d7d2f42f50766d4d 144117 python optional python-cleo_1.0.0a5.orig.tar.gz
 125178f5758da77a25f1520647308710 4120 python optional python-cleo_1.0.0a5-1.debian.tar.xz
 7233f2dfc027f0af686818c2727e33c2 8881 python optional python-cleo_1.0.0a5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
