Source: jupyter-notebook
Version: 4.2.3-4
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for jupyter-notebook.
CVE-2018-8768[0]:
| In Jupyter Notebook before 5.4.1, a maliciously forged notebook file
| can bypass sanitization to execute JavaScript in
Source: python-asyncssh
Version: 1.11.1-1
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for python-asyncssh,
although there should be no "servers" implemented in Debian
depending on python3-asyncssh, I still chose an RC severity to have the
fix certai
Hi,
On Sun, Feb 11, 2018 at 01:08:01AM -0500, Scott Kitterman wrote:
> Given that the fix for this is problematic from a backward compatibility
> perspective and that it requires a misconfigured django app before it is a
> problem, recommend No DSA for the security team.
Scott, sorry we did not res
Control: retitle -1 python-bleach: CVE-2018-7753: URI values with character
entities not properly sanitized
Hi Scott,
On Wed, Mar 07, 2018 at 02:09:14AM -0500, Scott Kitterman wrote:
> Package: src:python-bleach
> Version: 2.1.2-1
> Severity: important
> Tags: upstream, security
>
>
> Version
Source: pycryptodome
Version: 3.4.7-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Legrandin/pycryptodome/issues/90
Hi,
the following vulnerability was published for pycryptodome.
CVE-2018-6594[0]:
| lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 gen
Source: mistune
Version: 0.7.4-1
Severity: important
Tags: patch security upstream
Control: found -1 0.7.3-1
Hi,
the following vulnerability was published for mistune.
CVE-2017-15612[0]:
| mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such
| as in java\nscript:) or a crafted
Ciao Daniele,
On Mon, Sep 25, 2017 at 02:48:16AM +0200, Daniele Tricoli wrote:
> Hi Salvatore,
>
> On Tuesday, September 19, 2017 8:37:14 PM CEST Salvatore Bonaccorso wrote:
> > Well actually I did not do that, but Moritz picked it up.
>
> Oh, many thanks to Moritz then!
Hello Daniele,
On Mon, Sep 18, 2017 at 02:35:05AM +0200, Daniele Tricoli wrote:
> Hello Salvatore,
>
> On Saturday, September 16, 2017 3:19:51 PM CEST Salvatore Bonaccorso wrote:
> > There is a new upstream version available for pyjwt, could you consider
> > packaging it for
Source: pyjwt
Severity: wishlist
Hi
There is a new upstream version available for pyjwt, could you consider
packaging it for unstable?
Regards,
Salvatore
___
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alio
loses: #873244)
+
+ -- Salvatore Bonaccorso Sat, 16 Sep 2017 14:49:38 +0200
+
pyjwt (1.4.2-1) unstable; urgency=medium
* New upstream release.
diff -Nru pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS
Control: reassign -1 src:pyjwt
Control: forcemerge 873244 -1
Hi
On Thu, Aug 31, 2017 at 09:35:41AM -0300, Leonidas S. Barbosa wrote:
> Package: pyjwt
> Version: 1.4.2-1
> Severity: important
> Tags: patch
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu artful ubuntu-patch
>
> Dea
Source: python-scrapy
Version: 1.4.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/scrapy/scrapy/issues/482
Hi,
the following vulnerability was published for python-scrapy.
CVE-2017-14158[0]:
| Scrapy 1.4 allows remote attackers to cause a denial of service (memory
Source: python-django
Version: 1:1.10.7-1
Severity: normal
Tags: security upstream
Hi,
the following vulnerability was published for python-django.
CVE-2017-12794[0]:
Possible XSS in traceback section of technical 500 debug page
If you fix the vulnerability please also make sure to include the
Control: notfound -1 0.2.1-1+deb8u1
Hi
On Fri, Aug 25, 2017 at 08:59:33PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed. I think this
> should be present as well in 0.2.1-1+deb8u1.
Whilst the test is missing as well in 0.2.1-1+deb8u1, py
Source: pyjwt
Version: 1.4.2-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/jpadilla/pyjwt/pull/277
Control: found -1 0.2.1-1+deb8u1
Hi,
the following vulnerability was published for pyjwt.
CVE-2017-11424[0]:
| In PyJWT 1.5.0 and below the `invalid_strings` che
Source: fedmsg
Version: 0.9.3-1
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for fedmsg.
CVE-2017-101[0]:
| FedMsg 0.18.1 and older is vulnerable to a message validation flaw
| resulting in message validation not being enabled if configured to be
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for python-django.
CVE-2017-7233[0]:
|Open redirect and possible XSS attack via user-supplied numeric
|redirect URLs
If you fix the vulnerability please also ma
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for python-django.
CVE-2017-7234[0]:
Open redirect vulnerability in django.views.static.serve()
If you fix the vulnerability please also make sure to include th
Control: reassign 848349 src:linux 4.8.11-1
Control: affects 848349 - src:swift
Hi Dmitry,
On Fri, Dec 16, 2016 at 06:30:41PM +0300, Dmitry Shachnev wrote:
> forwarded 848349 https://sourceforge.net/p/docutils/bugs/303/
> kthxbye
Okay so this needs to be fixed on src:linux side, I will apply you
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerabilities were published for python-django.
CVE-2016-9013[0]:
User with hardcoded password created when running tests on Oracle
CVE-2016-9014[1]:
DNS rebinding vulnerability when DEB
Source: python-django
Version: 1.7.7-1
Severity: important
Tags: security upstream patch fixed-upstream
Control: fixed -1 1.7.7-1+deb8u5
Hi,
the following vulnerability was published for python-django.
CVE-2016-6186[0]:
XSS in admin's add/change related popup
If you fix the vulnerability please
sible signature forgery using Bleichenbacher'06 attack
+(Closes: #809980)
+
+ -- Salvatore Bonaccorso Sun, 07 Feb 2016 07:29:08 +0100
+
python-rsa (3.2.3-1) unstable; urgency=medium
[ Dariusz Dwornikowski ]
diff -Nru python-rsa-3.2.3/debian/patches/CVE-2016-1494.patch python-rsa-3.
Source: python-django
Version: 1.9.1-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for python-django.
CVE-2016-2048[0]:
| User with "change" but not "add" permission can create objects for
| ModelAdmin's with save_as=True
If you fix
Source: python-django
Version: 1.4.5-1
Severity: important
Tags: security upstream fixed-upstream
Control: fixed -1 1.7.7-1+deb8u2
Hi,
the following vulnerabilities were published for python-django.
CVE-2015-5963[0]:
Denial-of-service possibility in logout() view by filling session store
CVE-20
Source: ipython
Version: 0.13.1-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for ipython. Creating new
bug, cf. #789824, due to different affected versions.
CVE-2015-5607[0]:
cross-site request forgery
If you fix the vulnerability pl
Hi Daniele,
On Tue, Jul 07, 2015 at 02:01:59PM +0200, Daniele Tricoli wrote:
> Hello Salvatore,
>
> On Monday 06 July 2015 20:49:24 Salvatore Bonaccorso wrote:
> > Increasing again the severity, since we have it fixed in
> > jessie-security but not yet included as well for
Control: severity -1 serious
Hi
On Wed, Jul 01, 2015 at 08:17:05AM +0200, Salvatore Bonaccorso wrote:
> Hey Daniele,
>
> On Wed, Jun 24, 2015 at 12:23:19AM +0200, Daniele Tricoli wrote:
> > On Saturday 20 June 2015 15:38:44 Alessandro Ghedini wrote:
> > > I just rel
Hey Daniele,
On Wed, Jun 24, 2015 at 12:23:19AM +0200, Daniele Tricoli wrote:
> On Saturday 20 June 2015 15:38:44 Alessandro Ghedini wrote:
> > I just released the DSA for jessie.
>
> Many thanks!
>
> > What's the status for the unstable
> > upload?
>
> My plan is to have it uploaded by the end
Source: ipython
Version: 2.1.0-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for ipython.
CVE-2015-4707[0]:
IPython XSS in JSON error responses -- /api/notebooks path
If you fix the vulnerability please also make sure to include the
C
Source: python-restkit
Version: 4.2.2-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for python-restkit.
CVE-2015-2674[0]:
Doesn't Validate TLS
python-restkit just used ssl.wrap_socket from the standard library
(which does not do any validation by de
Source: python-django
Version: 1.7.6-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for python-django.
CVE-2015-2316[0]:
Denial-of-service possibility with strip_tags()
AFAICS this actually is only a problem if it would be used w
Source: python-django
Version: 1.4.5-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for python-django.
CVE-2015-2317[0]:
Mitigated possible XSS attack via user-supplied redirect URLs
If you fix the vulnerability please also make
Source: requests
Version: 2.4.3-4
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for requests.
CVE-2015-2296[0]:
session fixation and cookie stealing
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnera
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for python-django.
CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation
CVE-2015-0220[1]:
Mitigated possible XSS attack via user-suppli
Hi Scott,
On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote:
> On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff
> wrote:
> >Package: pyyaml
> >Severity: grave
> >Tags: security
> >
> >Hi,
> >CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
> >reproducer.
Control: retitle -1 python-logilab-common: insecure use of /tmp (CVE-2014-1838
CVE-2014-1839)
Hi Jakub,
FYI, two CVEs were assigned for these issues: CVE-2014-1838 and
CVE-2014-1839, see [1] for the assignment.
[1] http://marc.info/?l=oss-security&m=139139947905109&w=2
Regards,
Salvatore
Hi,
On Thu, Dec 19, 2013 at 07:51:00AM +0100, Moritz Muehlenhoff wrote:
> Package: pywbem
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6418
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6444
Hi Julian,
On Wed, Oct 23, 2013 at 01:16:36AM +0200, Julian Taylor wrote:
> On 22.10.2013 08:43, Salvatore Bonaccorso wrote:
> > Hi Julian,
> >
> > Cc'ing Julian directly as per short discussion on IRC.
> >
> > On IRC you mentioned that you are looking at t
Hi Julian,
Cc'ing Julian directly as per short discussion on IRC.
On IRC you mentioned that you are looking at this issue. Did you have a
chance to prepare the upload for unstable?
I can otherwise try to prepare a NMU with the given patch only, if
needed.
p.s.: Note it was decided to tag this as
Control: severity -1 grave
Actually increasing the severity, reason is
https://bugzilla.redhat.com/show_bug.cgi?id=916690#c10 (I have not
fully verified the issue).
Regards,
Salvatore
Package: python-scipy
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for python-scipy.
CVE-2013-4251[0]:
weave /tmp and current directory issues
For more details see also the RedHat Bugreport [1]. Upstream released
0.12.1[2] this i
-2013-4314: Fix hostname check bypassing vulnerability with server
+certificates that have a null byte in the subjectAltName. (Closes: #722055)
+
+ -- Salvatore Bonaccorso Sun, 15 Sep 2013 16:59:07 +0200
+
pyopenssl (0.13-3) experimental; urgency=low
* debian/{control, rules}
diff
-4314: Fix hostname check bypassing vulnerability with server
+certificates that have a null byte in the subjectAltName. (Closes: #722055)
+
+ -- Salvatore Bonaccorso Sat, 14 Sep 2013 11:07:42 +0200
+
pyopenssl (0.13-2) unstable; urgency=low
[ Barry Warsaw ]
diff -Nru pyopenssl-0.13/d
Package: python-oauth2
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for python-oauth2.
CVE-2013-4346[0]:
_check_signature() ignores the nonce value when validating signed urls
If you fix the vulnerability please also make sure to include the
CVE (Common
Package: python-oauth2
Version: 1.5.211-2
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for python-oauth2.
CVE-2013-4347[0]:
Uses poor PRNG
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in yo
Hello Sandro
Are you working on the updates for these issues? The Security Team also
has pyopenssl on the "needs DSA" list: could you also prepare packages
targeting squeeze-security and wheezy-security?
Regards,
Salvatore
Hi
The reference to upstream diff:
http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169
Regards,
Salvatore