Your message dated Thu, 22 Jan 2026 13:06:16 +0000
with message-id <[email protected]>
and subject line Bug#1126078: fixed in jaraco.context 6.0.1-2
has caused the Debian Bug report #1126078,
regarding jaraco.context: CVE-2026-23949
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1126078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126078
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jaraco.context
Version: 6.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for jaraco.context.
CVE-2026-23949[0]:
| jaraco.context, an open-source software package that provides some
| useful decorators and context managers, has a Zip Slip path
| traversal vulnerability in the `jaraco.context.tarball()` function
| starting in version 5.2.0 and prior to version 6.1.0. The
| vulnerability may allow attackers to extract files outside the
| intended extraction directory when malicious tar archives are
| processed. The strip_first_component filter splits the path on the
| first `/` and extracts the second component, while allowing `../`
| sequences. Paths like `dummy_dir/../../etc/passwd` become
| `../../etc/passwd`. Note that this suffers from a nested tarball
| attack as well with multi-level tar files such as
| `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a
| traversal `dummy_dir/../../config/.env` that also gets translated to
| `../../config/.env`. Version 6.1.0 contains a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-23949
    https://www.cve.org/CVERecord?id=CVE-2026-23949
[1] https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
[2] https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9
Regards,
Salvatore
--- End Message ---
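The `strip_first_component` flaw and the nested-tarball case quoted in the report above, modelled as an added example. This is not jaraco.context's code and not the 6.1.0 patch: the two filter functions, the `audit` and `escapes` helpers, the `/srv/extract` destination and the in-memory sample archives are all constructed for the demonstration, which resolves member names against the extraction directory without writing anything to disk.

```python
"""Model of the jaraco.context tarball() filter flaw from the CVE text above.

Added example, not jaraco.context's code and not the upstream patch: a
minimal reconstruction of a first-component-stripping tar filter with the
flaw the CVE describes, a hardened variant, and an audit routine that
resolves every member (including nested tarballs) against the extraction
directory without writing anything to disk.
"""
from __future__ import annotations

import io
import posixpath
import tarfile
from typing import Callable

Filter = Callable[[str], str]


class UnsafeMember(ValueError):
    """Raised by the hardened filter for a member that would escape."""


def strip_first_component_flawed(name: str) -> str:
    """Model of the vulnerable behaviour: split on the first '/' and keep the
    remainder with no normalisation, so 'dummy_dir/../../etc/passwd' becomes
    '../../etc/passwd'."""
    _, _, rest = name.partition('/')
    return rest


def strip_first_component_safe(name: str) -> str:
    """Hardened variant (assumed here, not the upstream patch): strip the first
    component, normalise, and refuse anything that is empty, absolute, or
    still starts with '..' after normalisation."""
    _, _, rest = name.partition('/')
    norm = posixpath.normpath(rest)
    if not rest or posixpath.isabs(rest) or norm == '..' or norm.startswith('../'):
        raise UnsafeMember(f"member {name!r} would escape the extraction directory")
    return norm


def escapes(target: str, dest: str) -> bool:
    """True when an absolute target path lies outside dest (prefix-safe)."""
    return posixpath.commonpath([dest, target]) != dest


def audit(archive: bytes, dest: str, filt: Filter, depth: int = 0) -> list[tuple[str, str]]:
    """Return (member_name, outcome) pairs; outcome is the absolute path the
    member would be written to, or 'REJECTED: ...' from the filter.  Members
    named *.tar.gz are audited recursively with the same filter, which is
    what the CVE's nested-tarball case requires."""
    results: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode='r:*') as tar:
        for m in tar.getmembers():
            try:
                target = posixpath.normpath(posixpath.join(dest, filt(m.name)))
            except UnsafeMember as exc:
                results.append((m.name, f"REJECTED: {exc}"))
                continue
            results.append((m.name, target))
            if m.isfile() and m.name.endswith('.tar.gz') and depth < 2:
                inner = tar.extractfile(m).read()
                results.extend(audit(inner, dest, filt, depth + 1))
    return results


def _tar_bytes(entries: dict[str, bytes], compress: bool = False) -> bytes:
    """Build an in-memory tar from name->content pairs (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz' if compress else 'w') as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples using the member names quoted in the CVE text.
INNER_TGZ = _tar_bytes({'dummy_dir/../../config/.env': b'SECRET=1\n'}, compress=True)
OUTER_TAR = _tar_bytes({
    'dummy_dir/README': b'hello\n',
    'dummy_dir/../../etc/passwd': b'root::0:0\n',
    'dummy_dir/inner.tar.gz': INNER_TGZ,
})
DEST = '/srv/extract'  # assumed extraction directory; nothing is written there


if __name__ == '__main__':
    for label, filt in (('flawed', strip_first_component_flawed),
                        ('safe', strip_first_component_safe)):
        print(f'--- {label} filter ---')
        for name, outcome in audit(OUTER_TAR, DEST, filt):
            marker = '' if outcome.startswith('REJECTED') or not escapes(outcome, DEST) \
                else '   <-- outside extraction directory'
            print(f'{name!r} -> {outcome}{marker}')
```

Run stand-alone, the flawed filter resolves the `etc/passwd` member to `/etc/passwd` and the inner archive's member to `/config/.env`, both outside `/srv/extract`; the hardened filter rejects both and keeps `README` and `inner.tar.gz` inside the destination. The containment check uses `commonpath` rather than a string prefix test so that a destination like `/srv/extractor` is not mistaken for a subdirectory of `/srv/extract`. On Python releases that ship extraction filters (3.12 and the security backports), a name-rewriting filter of this kind should additionally be composed with the standard library's `tarfile.data_filter`, which performs its own containment checks on the final name.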
--- Begin Message ---
Source: jaraco.context
Source-Version: 6.0.1-2
Done: Jeroen Ploemen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jaraco.context, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeroen Ploemen <[email protected]> (supplier of updated jaraco.context package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 22 Jan 2026 12:52:08 +0000
Source: jaraco.context
Built-For-Profiles: noudeb
Architecture: source
Version: 6.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Jeroen Ploemen <[email protected]>
Changed-By: Jeroen Ploemen <[email protected]>
Closes: 1126078
Changes:
jaraco.context (6.0.1-2) unstable; urgency=high
.
* Watch, upstream: switch to git mode and check upstream signatures.
* Patches: add 01_path_traversal. (CVE-2026-23949; closes: #1126078)
* Copyright: bump packaging years, switch license for debian/* to Expat.
* Bump Standards-Version to 4.7.3 (from 4.7.0).
Checksums-Sha1:
c9899b28b5519f07af843789fed1671f85cb02f6 2184 jaraco.context_6.0.1-2.dsc
53a1fbc7f755df5cd3d931e1514da39ddc9f279d 6424 jaraco.context_6.0.1-2.debian.tar.xz
76af392991c4067c0a34e65a7434c564fda2fe57 15628 jaraco.context_6.0.1-2_source.buildinfo
Checksums-Sha256:
0df319147733ff83d940edcf0e5a3b51dc6441fbfe96b29907ddb8a2c6a1a2f4 2184 jaraco.context_6.0.1-2.dsc
c8899f6f8c645beb62eb7694fcb61edb42fa81417923eecd7e40c8122e7e4209 6424 jaraco.context_6.0.1-2.debian.tar.xz
93af79f32bdd45738948c72393e65282850f415b67435a1453c77063d955408f 15628 jaraco.context_6.0.1-2_source.buildinfo
Files:
effa2278f44ed7435de3f1240fe05e6f 2184 python - jaraco.context_6.0.1-2.dsc
5aeca8befc606e6b0291e5330ac010be 6424 python - jaraco.context_6.0.1-2.debian.tar.xz
f36f41fc85eb79df84b3088f3ea62e4d 15628 python - jaraco.context_6.0.1-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---