Your message dated Mon, 1 Mar 2021 16:49:21 +0100
with message-id <[email protected]>
and subject line Re: Accepted jinja2 2.11.3-1 (source) into unstable
has caused the Debian Bug report #982736,
regarding jinja2: CVE-2020-28493
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982736
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jinja2
Version: 2.11.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pallets/jinja/pull/1343
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.10-2
Hi,
The following vulnerability was published for jinja2.
CVE-2020-28493[0]:
| This affects the package jinja2 from 0.0.0 and before 2.11.3. The
| ReDOS vulnerability of the regex is mainly due to the sub-pattern
| [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by
| Markdown to format user content instead of the urlize filter, or by
| implementing request timeouts and limiting process memory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-28493
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
[1] https://github.com/pallets/jinja/pull/1343
[2] https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: jinja2
Source-Version: 2.11.3-1
On Mon, Mar 01, 2021 at 11:48:35AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Mon, 01 Mar 2021 12:05:52 +0100
> Source: jinja2
> Architecture: source
> Version: 2.11.3-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Piotr Ożarowski <[email protected]>
> Changed-By: Hans-Christoph Steiner <[email protected]>
> Changes:
> jinja2 (2.11.3-1) unstable; urgency=medium
> .
> * Team upload.
> .
> [ Ondřej Nový ]
> * d/control: Update Vcs-* fields with new Debian Python Team Salsa
> layout.
> .
> [ Debian Janitor ]
> * Apply multi-arch hints.
> + python-jinja2-doc: Add Multi-Arch: foreign.
> .
> [ Sandro Tosi ]
> * Use the new Debian Python Team contact name and address
> .
> [ Hans-Christoph Steiner ]
> * New upstream release
The new upstream releases fixed CVE-2020-28493 (#982736) so closing
the bug.
Regards,
Salvatore
--- End Message ---
