Your message dated Thu, 10 Oct 2019 10:50:20 +0000
with message-id <[email protected]>
and subject line Bug#940901: fixed in python2.7 2.7.17~rc1-1
has caused the Debian Bug report #940901,
regarding python2.7: CVE-2019-16056
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
940901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940901
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python2.7
Version: 2.7.16-4
Severity: important
Tags: security upstream
Forwarded: https://bugs.python.org/issue34155
Control: found -1 2.7.16-2
Control: found -1 2.7.13-2+deb9u3
Control: found -1 2.7.13-2
Hi,
The following vulnerability was published for python2.7.
CVE-2019-16056[0]:
| An issue was discovered in Python through 2.7.16, 3.x through 3.5.7,
| 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly
| parses email addresses that contain multiple @ characters. An
| application that uses the email module and implements some kind of
| checks on the From/To headers of a message could be tricked into
| accepting an email address that should be denied. An attack may be the
| same as in CVE-2019-11340; however, this CVE applies to Python more
| generally.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
[1] https://bugs.python.org/issue34155
[2] https://github.com/python/cpython/commit/4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e
Regards,
Salvatore
--- End Message ---
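The parsing problem described in the CVE text of the report above, shown as an added example that is not part of the bug report, the Debian package or the CPython fix: a runtime self-check plus an allowlist check on a From/To value that fails closed whether or not the interpreter is patched. The function names and the sample address (on reserved example domains) are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample with two "@" characters (reserved example domains).
MULTI_AT_SAMPLE = "alice@example.org@example.com"


def parser_rejects_multi_at():
    """True when this runtime's parseaddr() returns an empty address for
    the multi-@ sample, i.e. it carries the CVE-2019-16056 fix."""
    _name, addr = parseaddr(MULTI_AT_SAMPLE)
    return addr == ""


def sender_allowed(header_value, allowed_domains):
    """Domain allowlist check on a From/To header value.

    Hypothetical helper: it does not rely on the runtime being patched
    and refuses anything it cannot map back onto the raw header.
    """
    _name, addr = parseaddr(header_value)
    # Patched runtimes return an empty address for unparseable input.
    if not addr or addr.count("@") != 1:
        return False
    # Affected runtimes return only the text before the second "@".
    # Locate the parsed address in the raw value and refuse if the raw
    # value continues with another "@" directly after it.
    pos = header_value.find(addr)
    if pos == -1:
        # The parser normalised the address (comments, quoting, folding);
        # fail closed rather than trust a value we cannot locate.
        return False
    rest = header_value[pos + len(addr):]
    if rest.lstrip().startswith("@"):
        return False
    domain = addr.rpartition("@")[2].lower()
    return domain in {d.lower() for d in allowed_domains}
```
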
--- Begin Message ---
Source: python2.7
Source-Version: 2.7.17~rc1-1
We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 10 Oct 2019 12:26:01 +0200
Source: python2.7
Architecture: source
Version: 2.7.17~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 940901
Changes:
 python2.7 (2.7.17~rc1-1) unstable; urgency=medium
 .
   * Python 2.7.17 release candidate 1.
     - CVE-2019-16056, don't parse domains containing @. Closes: #940901.
   * Bump standards version.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---