Your message dated Tue, 20 Jan 2026 19:49:14 +0100
with message-id <[email protected]>
and subject line Re: Bug#1125085: python-parsl: CVE-2026-21892
has caused the Debian Bug report #1125085,
regarding python-parsl: CVE-2026-21892
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-parsl
Version: 2026.01.05+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-parsl.

CVE-2026-21892[0]:
| Parsl is a Python parallel scripting library. A SQL Injection
| vulnerability exists in the parsl-visualize component of versions
| prior to 2026.01.05. The application constructs SQL queries using
| unsafe string formatting (Python % operator) with user-supplied
| input (workflow_id) directly from URL routes. This allows an
| unauthenticated attacker with access to the visualization dashboard
| to inject arbitrary SQL commands, potentially leading to data
| exfiltration or denial of service against the monitoring database.
| Version 2026.01.05 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21892
    https://www.cve.org/CVERecord?id=CVE-2026-21892
[1] https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
[2] https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
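The CVE text above describes the bug only in general terms (a route parameter pasted into a SQL statement with the % operator). The following is an added illustration, not code from parsl or from either message in this thread: it reproduces that pattern against a constructed in-memory SQLite database, shows what a crafted workflow_id in the URL path can do, and places the parameterised form next to it. Table and column names (workflow, secrets, run_id, owner) and the exact query are assumptions for the demonstration, not parsl's schema.

```python
"""Added example: the SQL-injection pattern described in CVE-2026-21892,
demonstrated against a constructed SQLite database, beside the fixed form.
Illustrative code only; the schema and queries are assumed, not parsl's."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a monitoring database: a table of workflow
    # runs plus a second table holding data the dashboard must never expose.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT, owner TEXT);
        CREATE TABLE secrets (name TEXT, value TEXT);
        INSERT INTO workflow VALUES ('run-001', 'etl', 'alice');
        INSERT INTO workflow VALUES ('run-002', 'training', 'bob');
        INSERT INTO secrets VALUES ('db_password', 'hunter2');
        """
    )
    return conn


def workflow_vulnerable(conn: sqlite3.Connection, workflow_id: str) -> list:
    # The pattern the advisory describes: the value taken from a URL route
    # such as /workflow/<workflow_id> (assumed route) is interpolated with
    # the % operator, so quotes and SQL inside it become part of the statement.
    query = (
        "SELECT run_id, workflow_name, owner FROM workflow WHERE run_id = '%s'"
        % workflow_id
    )
    return conn.execute(query).fetchall()


def workflow_fixed(conn: sqlite3.Connection, workflow_id: str) -> list:
    # Parameter binding: the driver passes workflow_id as a bound value, so
    # it is only ever compared against run_id and never parsed as SQL.
    query = "SELECT run_id, workflow_name, owner FROM workflow WHERE run_id = ?"
    return conn.execute(query, (workflow_id,)).fetchall()


# Constructed payload as it would arrive after URL decoding: closes the
# quoted string, UNIONs in rows from the secrets table (same column count
# as the original SELECT), and comments out the dangling closing quote.
PAYLOAD = "' UNION SELECT name, value, 'x' FROM secrets --"


def demo() -> dict:
    # Same payload against both versions, plus a legitimate lookup through
    # the fixed version to show it still works for real identifiers.
    return {
        "vulnerable": workflow_vulnerable(make_db(), PAYLOAD),
        "fixed": workflow_fixed(make_db(), PAYLOAD),
        "fixed_legit": workflow_fixed(make_db(), "run-001"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns the secrets row for the crafted identifier, while the parameterised version returns nothing for it and the expected row for a real run_id. The same UNION technique works for any column count once the attacker has matched it, and with a file-backed database a payload that runs an expensive query or a long-running expression is the denial-of-service case the advisory mentions; the fix is the same in both cases, bind parameters rather than format strings.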
--- Begin Message ---
Version: 2026.01.05+ds-1

I believe it is fine to close this bug.  The version in unstable
was fixed in 2026.01.05+ds-1 and security fixes made it to
trixie-security.  Formal closure in trixie ought to happen
automatically on next point release I believe.
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-    on air: Kino - Keep the Faith

Attachment: signature.asc
Description: PGP signature


--- End Message ---