Your message dated Tue, 18 Sep 2018 22:20:36 +0000
with message-id <[email protected]>
and subject line Bug#909140: fixed in python-marshmallow 3.0.0b14-1
has caused the Debian Bug report #909140,
regarding python-marshmallow: CVE-2018-17175
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
909140: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909140
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-marshmallow
Version: 3.0.0b3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/marshmallow-code/marshmallow/issues/772

Hi,

The following vulnerability was published for python-marshmallow.

CVE-2018-17175[0]:
| In the marshmallow library before 2.15.1 and 3.x before 3.0.0b9 for
| Python, the schema "only" option treats an empty list as implying no
| "only" option, which allows a request that was intended to expose no
| fields to instead expose all fields (if the schema is being filtered
| dynamically using the "only" option, and there is a user role that
| produces an empty value for "only").

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17175
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17175
[1] https://github.com/marshmallow-code/marshmallow/issues/772
[2] https://github.com/marshmallow-code/marshmallow/pull/777
[3] https://github.com/marshmallow-code/marshmallow/pull/782

Regards,
Salvatore

--- End Message ---
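The failure mode described in the CVE text above, as an added example that is not part of the bug report or of marshmallow's own code: a minimal field-filtering serializer with the pre-fix truthiness check on `only` beside the corrected `is not None` check, driven by a hypothetical role-to-fields table in which one role ("guest") yields an empty list. The record, the role table, the function names and the `leaks_on_empty_only` regression check are constructed for this illustration; the `None` versus `[]` distinction is the general shape of the fix and is an assumption about upstream's implementation, not a quotation of it.

```python
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record (not from the original page).
RECORD = {"id": 7, "name": "Alice", "email": "alice@example.test", "ssn": "000-00-0000"}

# Hypothetical role -> visible-fields table. None means "no restriction";
# an empty list means "expose nothing", which is exactly the case the CVE
# text says the affected versions mishandle.
ROLE_FIELDS: Dict[str, Optional[list]] = {
    "admin": None,
    "support": ["id", "name", "email"],
    "guest": [],
}


def dump_vulnerable(record: dict, only: Optional[Iterable[str]] = None) -> dict:
    # Mirrors the pre-fix semantics described in CVE-2018-17175: an empty
    # list is falsy, so `if only:` behaves as if no "only" option had been
    # given and every field is emitted.
    if only:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def dump_fixed(record: dict, only: Optional[Iterable[str]] = None) -> dict:
    # Hardened form: distinguish "not supplied" (None) from "supplied but
    # empty" ([]). An empty allow-list filters out every field.
    if only is not None:
        allowed = set(only)
        return {k: v for k, v in record.items() if k in allowed}
    return dict(record)


def dump_for_role(record: dict, role: str, dump: Callable = dump_fixed) -> dict:
    # Dynamic filtering by user role, as in the scenario the CVE describes.
    # Unknown roles fall back to an empty allow-list (expose nothing).
    only = ROLE_FIELDS.get(role, [])
    return dump(record, only=only)


def leaks_on_empty_only(dump: Callable) -> bool:
    # Regression check a defender can run against any serializer wrapper:
    # an empty allow-list must never yield a non-empty result.
    probe = {"secret": "constructed-value"}
    return dump(probe, only=[]) != {}


if __name__ == "__main__":
    for name, fn in (("vulnerable", dump_vulnerable), ("fixed", dump_fixed)):
        print(name, "guest sees:", dump_for_role(RECORD, "guest", dump=fn))
        print(name, "leaks on only=[]:", leaks_on_empty_only(fn))
```

Running the block shows the guest role receiving the full record, `ssn` included, from the vulnerable serializer and an empty mapping from the fixed one. The `leaks_on_empty_only` probe is the useful takeaway for code that wraps a third-party schema library: it pins the empty-allow-list contract in a unit test so a dependency upgrade that reintroduces truthiness semantics is caught before deployment.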
--- Begin Message ---
Source: python-marshmallow
Source-Version: 3.0.0b14-1

We believe that the bug you reported is fixed in the latest version of
python-marshmallow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <[email protected]> (supplier of updated python-marshmallow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Sep 2018 22:44:15 +0100
Source: python-marshmallow
Binary: python3-marshmallow python3-marshmallow-doc
Architecture: source all
Version: 3.0.0b14-1
Distribution: unstable
Urgency: high
Maintainer: Federico Ceratto <[email protected]>
Changed-By: Federico Ceratto <[email protected]>
Description:
 python3-marshmallow - Lightweight library for converting complex datatypes
 python3-marshmallow-doc - Library for converting complex datatypes - documentation
Closes: 909140
Changes:
 python-marshmallow (3.0.0b14-1) unstable; urgency=high
 .
   * New upstream release (Closes: #909140), CVE-2018-17175
Checksums-Sha1:
 3450edefaca274eb2e840f9bcee921ed636366b6 2225 python-marshmallow_3.0.0b14-1.dsc
 fe745665048cd5f62a41ad50b409a6c76069b82b 160618 python-marshmallow_3.0.0b14.orig.tar.gz
 af12a1847db441af9d4a663b5ab8d3449e6641c1 2672 python-marshmallow_3.0.0b14-1.debian.tar.xz
 866a677998c369f08fed1f9a2d95a586194c47e5 7624 python-marshmallow_3.0.0b14-1_amd64.buildinfo
 08dc2cb839cc26e31077497bef42ccff0ce1bbe0 189716 python3-marshmallow-doc_3.0.0b14-1_all.deb
 c5e58c9c19c6ea92c972ce3c8fbdaf328bf1fd48 54216 python3-marshmallow_3.0.0b14-1_all.deb
Checksums-Sha256:
 1cb63c1155b0f77afa970ba2001834f00a4f060bdb4dfd73687643706e00694a 2225 python-marshmallow_3.0.0b14-1.dsc
 3729233a05419aba45456054e16aa0622267a8f8731a072efc23b2a268372686 160618 python-marshmallow_3.0.0b14.orig.tar.gz
 2e8015daca833da354ed7e65797302043cdd40a4015001102869ab4f41971df0 2672 python-marshmallow_3.0.0b14-1.debian.tar.xz
 2506f2beecf6f40faa345cb3bfbcaddd029f9d352e500ff7b37f12e504d364d2 7624 python-marshmallow_3.0.0b14-1_amd64.buildinfo
 a4fb45333c4d2dcbe306d7524ef47996a0585ba6d5f000138a2c73d47641f16b 189716 python3-marshmallow-doc_3.0.0b14-1_all.deb
 e2792390d23ea28137b2c64e32dbead54cf07fa3c11785f5706f534ad3e298ec 54216 python3-marshmallow_3.0.0b14-1_all.deb
Files:
 35e63110772bd67cb37c0544be10e0e7 2225 python optional python-marshmallow_3.0.0b14-1.dsc
 cef8c6f347b81553c46dbee663b24643 160618 python optional python-marshmallow_3.0.0b14.orig.tar.gz
 af0378d38f7c63fbee9310e8255b196c 2672 python optional python-marshmallow_3.0.0b14-1.debian.tar.xz
 c2698dd8d61c953546aac2364b3465c3 7624 python optional python-marshmallow_3.0.0b14-1_amd64.buildinfo
 33c234b09cc6e658249b9d543171ab24 189716 doc optional python3-marshmallow-doc_3.0.0b14-1_all.deb
 c1c12fdab35767ab81846f90d186bb1e 54216 python optional python3-marshmallow_3.0.0b14-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
