Your message dated Sat, 25 Apr 2020 15:17:26 +0000
with message-id <e1jsmyy-000ahv...@fasolo.debian.org>
and subject line Bug#942763: fixed in python-reportlab 3.3.0-2+deb9u1
has caused the Debian Bug report #942763,
regarding python-reportlab: CVE-2019-17626: remote code execution in colors.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
942763: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942763
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-reportlab
Version: 3.5.28-1
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

Hi,

python-reportlab is affected by the following vulnerability:

CVE-2019-17626[0]:
"ReportLab through 3.5.26 allows remote code execution because of
toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML
document with '<span color="' followed by arbitrary Python code."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17626

regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
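The bug report above names the defect as toColor(eval(arg)): attribute text from the XML is handed to eval(). The following is an added example, not ReportLab's own code, that places that pattern next to a parser which accepts only literal colour forms (a constructed, tiny name table stands in for ReportLab's real one) and rejects anything else without interpreting it:

```python
# Added example (not ReportLab's own code): the eval() pattern named in
# CVE-2019-17626 next to a colour parser that never evaluates document text.
import re
from collections import namedtuple

Color = namedtuple("Color", "red green blue")

# Constructed, deliberately tiny name table standing in for ReportLab's.
NAMED_COLORS = {"red": Color(1.0, 0.0, 0.0), "blue": Color(0.0, 0.0, 1.0)}

_HEX_RE = re.compile(r"^#([0-9a-fA-F]{6})$")
_NUM = r"(1(?:\.0+)?|0(?:\.\d+)?)"          # a float literal in [0, 1]
_RGB_RE = re.compile(r"^\(\s*" + _NUM + r"\s*,\s*" + _NUM + r"\s*,\s*" + _NUM + r"\s*\)$")


def unsafe_to_color(arg):
    """Vulnerable shape: attribute text from the XML reaches eval() unchanged,
    so any Python expression inside <span color="..."> is executed."""
    value = eval(arg)  # kept only to show the defect; never do this on input
    if isinstance(value, tuple) and len(value) == 3:
        return Color(*(float(v) for v in value))
    raise ValueError("not a colour: %r" % (arg,))


def safe_to_color(arg):
    """Hardened shape: three literal forms (name, #rrggbb, (r, g, b)) are
    matched structurally; everything else is rejected before interpretation."""
    text = arg.strip()
    name = text.lower()
    if name in NAMED_COLORS:
        return NAMED_COLORS[name]
    m = _HEX_RE.match(text)
    if m:
        h = m.group(1)
        return Color(*(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4)))
    m = _RGB_RE.match(text)
    if m:
        return Color(*(float(v) for v in m.groups()))
    raise ValueError("not a colour: %r" % (arg,))


if __name__ == "__main__":
    # Constructed attribute value: harmless here, but it is code, not a colour.
    expr = "(lambda: (1.0, 0.0, 0.0))()"
    print("unsafe:", unsafe_to_color(expr))   # the lambda actually runs
    try:
        safe_to_color(expr)
    except ValueError as err:
        print("safe:", err)                   # rejected without evaluation
```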
--- Begin Message ---
Source: python-reportlab
Source-Version: 3.3.0-2+deb9u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-reportlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 942...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated python-reportlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 24 Apr 2020 23:58:32 +0200
Source: python-reportlab
Architecture: source
Version: 3.3.0-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 942763
Changes:
 python-reportlab (3.3.0-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address remote code execution in colors.py (CVE-2019-17626)
     (Closes: #942763)
--- End Message ---