Your message dated Fri, 05 Jan 2024 10:50:50 +0000
with message-id <e1rlhms-003qhi...@fasolo.debian.org>
and subject line Bug#1041814: fixed in python-mechanicalsoup 1.3.0-1
has caused the Debian Bug report #1041814,
regarding python-mechanicalsoup: CVE-2023-34457
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1041814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041814
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-mechanicalsoup
Version: 0.10.0-6
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.10.0-4

Hi,

The following vulnerability was published for python-mechanicalsoup.

The severity chosen for the bug report might be slightly overrated,
but I am aiming to understand if the package is actively maintained
and might rather be removed from testing if not updated to a more
recent version.

CVE-2023-34457[0]:
| MechanicalSoup is a Python library for automating interaction with
| websites. Starting in version 0.2.0 and prior to version 1.3.0, a
| malicious web server can read arbitrary files on the client using a
| `<input type="file" ...>` inside HTML form. All users of
| MechanicalSoup's form submission are affected, unless they took very
| specific (and manual) steps to reset HTML form field values. Version
| 1.3.0 contains a patch for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34457
    https://www.cve.org/CVERecord?id=CVE-2023-34457
[1] https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
[2] https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e

Regards,
Salvatore

--- End Message ---
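
Added example, not part of the bug report or of MechanicalSoup's code: a pre-submission audit that flags `<input type="file">` elements arriving from the server with a value already set, which is the form state the CVE description warns about. It assumes the local path is carried in the input's `value` attribute; `FileInputAudit`, `prefilled_file_inputs`, `require_clean` and the sample HTML are hypothetical names and constructed data.

```python
from html.parser import HTMLParser

# Constructed sample response; the path is a placeholder, not taken from the advisory.
SAMPLE = """
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="text" name="comment" value="hello">
  <input type="file" name="avatar">
  <input TYPE="File" name="doc" value="/path/chosen/by/server">
</form>
"""


class FileInputAudit(HTMLParser):
    """Collect file inputs whose value was set by the server, not by the client."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (form action, input name, prefilled value)
        self._action = None  # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").strip().lower() == "file":
            value = a.get("value")
            if value:  # a freshly served form should not name a client-side path
                self.findings.append((self._action, a.get("name"), value))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def prefilled_file_inputs(html):
    """Return every file input in `html` that carries a server-supplied value."""
    parser = FileInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def require_clean(html):
    """Raise before submission if the page tries to pre-select a local file."""
    findings = prefilled_file_inputs(html)
    if findings:
        raise ValueError(f"server-supplied file input value(s): {findings}")
    return True


if __name__ == "__main__":
    print(prefilled_file_inputs(SAMPLE))
```

Running the check on each fetched page before any automated form submission gives a log entry for affected clients that cannot yet move to 1.3.0; upgrading remains the fix named in the report.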
--- Begin Message ---
Source: python-mechanicalsoup
Source-Version: 1.3.0-1
Done: Alexandre Detiste <tc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-mechanicalsoup, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Detiste <tc...@debian.org> (supplier of updated python-mechanicalsoup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jan 2024 11:24:14 +0100
Source: python-mechanicalsoup
Architecture: source
Version: 1.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Alexandre Detiste <tc...@debian.org>
Closes: 1040429 1041814
Changes:
 python-mechanicalsoup (1.3.0-1) unstable; urgency=medium
 .
   * New upstream version 1.3.0 (Closes: #1041814, #1040429)
   * add myself as uploader
   * remove old dependency on python3-six
   * set Rules-Requires-Root: no
   * use new dh-sequence-python3
   * bump Standards-Version to 4.6.2, no further change needed
   * tests:
     * delete old patches, not needed anymore
     * autopkgtest needs python3-pytest-httpbin
     * disable tests failing likely due to changes on http://httpbin.org/:
       * new_control
       * get_request_kwargs
       * submit_online
       * submit_set

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
