Your message dated Thu, 13 May 2021 21:04:15 +0000
with message-id <[email protected]>
and subject line Bug#987824: fixed in python-babel 2.8.0+dfsg.1-7
has caused the Debian Bug report #987824,
regarding python-babel: CVE-2021-20095
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987824
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-babel
Version: 2.8.0+dfsg.1-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/python-babel/babel/pull/782 
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.6.0+dfsg.1-1

Hi,

The following vulnerability was published for python-babel.

CVE-2021-20095[0]:
| Relative Path Traversal in Babel 2.9.0 allows an attacker to load
| arbitrary locale files on disk and execute arbitrary code.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-20095
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095
[1] https://github.com/python-babel/babel/pull/782 
[2] https://www.tenable.com/security/research/tra-2021-14

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-babel
Source-Version: 2.8.0+dfsg.1-7
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-babel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-babel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 01 May 2021 17:13:14 +0200
Source: python-babel
Architecture: source
Version: 2.8.0+dfsg.1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 987824
Changes:
 python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
 .
   * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
     to load arbitrary locale files on disk and execute arbitrary code. Applied
     upstream patch: Run locale identifiers through `os.path.basename()`.
     (Closes: #987824).


--- End Message ---
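
Added example, not part of the messages above and not Babel's or Debian's code: a sketch of the check the changelog names, running a locale identifier through `os.path.basename()` before it is joined into a data-file path. The directory `/opt/app/locale-data`, the `.dat` suffix, the function names and the sample identifiers are all assumptions made for illustration, and POSIX paths are assumed.

```python
import os

# Hypothetical data directory (assumption; not Babel's real install path).
LOCALE_DIR = "/opt/app/locale-data"


def resolve_unsafe(identifier, base=LOCALE_DIR):
    """'Before' form: the identifier is joined into the path unchanged."""
    return os.path.normpath(os.path.join(base, identifier + ".dat"))


def resolve_hardened(identifier, base=LOCALE_DIR):
    """'After' form: directory components are dropped with os.path.basename()."""
    name = os.path.basename(identifier)
    if not name:
        # "en_US/" or "/" leaves nothing after basename(); refuse it.
        raise ValueError("empty locale identifier: %r" % (identifier,))
    return os.path.normpath(os.path.join(base, name + ".dat"))


def is_inside(path, base=LOCALE_DIR):
    """True when the resolved path stays under the data directory."""
    base = os.path.normpath(base)
    return os.path.commonpath([path, base]) == base


def audit(identifiers, base=LOCALE_DIR):
    """Return (identifier, unsafe_inside, hardened_inside) per identifier."""
    rows = []
    for ident in identifiers:
        unsafe_ok = is_inside(resolve_unsafe(ident, base), base)
        hardened_ok = is_inside(resolve_hardened(ident, base), base)
        rows.append((ident, unsafe_ok, hardened_ok))
    return rows


if __name__ == "__main__":
    # Constructed identifiers: one ordinary, one relative, one absolute.
    samples = ["en_US", "../../../tmp/constructed", "/etc/constructed"]
    for ident, unsafe_ok, hardened_ok in audit(samples):
        print("%-28r unsafe inside=%-5s hardened inside=%s"
              % (ident, unsafe_ok, hardened_ok))
```

After `basename()` every identifier resolves to a file directly under the data directory, so a request for a locale that is not shipped fails as "no such locale" instead of opening a file elsewhere on disk.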
