Your message dated Tue, 21 May 2019 16:05:37 +0000
with message-id <e1ht7gj-000fuf...@fasolo.debian.org>
and subject line Bug#922669: fixed in sqlalchemy 1.2.18+ds1-2
has caused the Debian Bug report #922669,
regarding sqlalchemy: CVE-2019-7164 CVE-2019-7548 (SQL injection)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sqlalchemy
Version: 1.2.15+ds1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for sqlalchemy.

CVE-2019-7164[0]:
| SQL Injection when the order_by parameter can be controlled

CVE-2019-7548[1]:
| SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be
| controlled.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7164
[1] https://security-tracker.debian.org/tracker/CVE-2019-7548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7548

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sqlalchemy
Source-Version: 1.2.18+ds1-2

We believe that the bug you reported is fixed in the latest version of
sqlalchemy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated sqlalchemy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 May 2019 16:23:35 +0200
Source: sqlalchemy
Binary: python-sqlalchemy python-sqlalchemy-doc python-sqlalchemy-ext python-sqlalchemy-ext-dbgsym python3-sqlalchemy python3-sqlalchemy-ext python3-sqlalchemy-ext-dbgsym
Architecture: source all amd64
Version: 1.2.18+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 python-sqlalchemy - SQL toolkit and Object Relational Mapper for Python
 python-sqlalchemy-doc - documentation for the SQLAlchemy Python library
 python-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python - C extension
 python3-sqlalchemy - SQL toolkit and Object Relational Mapper for Python 3
 python3-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python3 - C extensio
Closes: 922669
Changes:
 sqlalchemy (1.2.18+ds1-2) unstable; urgency=high
 .
   * Team upload.
   * CVE-2019-7164 CVE-2019-7548: SQL injection. Apply upstream backported patch
     for this. Note: This potentially impacts applications (Closes: #922669).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
