Your message dated Fri, 6 Dec 2019 00:05:13 +0000
with message-id <[email protected]>
and subject line Re: Bug#946230: Bug in python3-dateutil
has caused the Debian Bug report #946230,
regarding Bug in python3-dateutil
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-dateutil

Hi,
 Here is the package which was removed from pypi.org but is still in Debian
 repos. So kindly remove it.

 Reference:
 https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/


Abdullah

https://abdullah.today

C20F 2707 3025 2569 BAC5
534B 7820 6670 C19D 1580

--- End Message ---
--- Begin Message ---
On Fri, 06 Dec 2019 at 03:04:18 +0500, Abdullah wrote:
>  Here is the package which was removed from pypi.org but is still in Debian
>  repos. So kindly remove it.
> 
>  Reference:
>  https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

The python3-dateutil package in Debian is the
original, non-malicious version of dateutil, available
from <https://pypi.org/project/python-dateutil/> and
<https://github.com/dateutil/dateutil/>. It does not appear to contain
the malicious code referred to in that article, and I've confirmed
that apart from Debian changes, it matches the 2.7.3 tag from
<https://github.com/dateutil/dateutil/>.

(I don't maintain this library myself and I haven't done a security audit,
only looked at it briefly.)

Debian always uses the name python3-foo for a library for Python 3
that is loaded with "import foo", even if that doesn't match its name
on PyPI. The author of the malicious library that was removed from
https://pypi.org/project/python3-dateutil/ deliberately chose that name
to make it easy to confuse with Debian, Fedora, Ubuntu, etc. packages
of the real dateutil library.

    smcv

--- End Message ---
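As an added illustration of the naming confusion smcv describes (not code from the bug report, from Debian or from the dateutil project): a small requirements checker that flags names following Debian's python3-foo convention, using the python3-dateutil to python-dateutil mapping stated in the thread. The "PyPI projects are not normally named python3-*" heuristic and the sample requirements file are assumptions constructed for this example.

```python
import re

# Debian binary package name -> real PyPI project, from the thread above:
# Debian's python3-dateutil packages PyPI's python-dateutil. Extend as needed.
DEBIAN_TO_PYPI = {"python3-dateutil": "python-dateutil"}

# Project name at the start of a requirement line (before ==, >=, [extras], ;).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Normalised project name from a requirements.txt line, or None for
    blank lines, comments and pip options such as '-r other.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return normalize(m.group(1)) if m else None

def check_requirements(lines):
    """Flag names that follow Debian's python3-foo convention. Assumption:
    genuine PyPI projects are not normally named python3-*, so such a name is
    either a distro package name typed into pip or a look-alike upload."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name is None or not name.startswith("python3-"):
            continue
        real = DEBIAN_TO_PYPI.get(name)
        if real:
            msg = f"{name} is the Debian package name; the PyPI project is {real}"
        else:
            msg = f"{name} uses Debian-style naming; verify it is the project you want"
        findings.append((name, msg))
    return findings
# Constructed sample requirements file (not from the thread).
SAMPLE = """\
requests>=2.0
python3-dateutil==2.8.0   # Debian package name, not the PyPI project
python-dateutil>=2.7
Python3_Example-Lib
-r other.txt
"""
if __name__ == "__main__":
    for name, msg in check_requirements(SAMPLE.splitlines()):
        print(f"{name}: {msg}")
```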