Your message dated Sat, 24 Jan 2026 11:04:16 +0000
with message-id <[email protected]>
and subject line Bug#1125085: fixed in python-parsl 2025.01.13+ds-1+deb13u1
has caused the Debian Bug report #1125085,
regarding python-parsl: CVE-2026-21892
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-parsl
Version: 2026.01.05+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-parsl.
CVE-2026-21892[0]:
| Parsl is a Python parallel scripting library. A SQL Injection
| vulnerability exists in the parsl-visualize component of versions
| prior to 2026.01.05. The application constructs SQL queries using
| unsafe string formatting (Python % operator) with user-supplied
| input (workflow_id) directly from URL routes. This allows an
| unauthenticated attacker with access to the visualization dashboard
| to inject arbitrary SQL commands, potentially leading to data
| exfiltration or denial of service against the monitoring database.
| Version 2026.01.05 fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21892
https://www.cve.org/CVERecord?id=CVE-2026-21892
[1] https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
[2] https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
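Added example, not part of the messages above and not Parsl's own code: the % formatting pattern named in the CVE description next to a bound-parameter query, with a small regression check. The sqlite3 database, the workflow table, its columns and all function names are hypothetical stand-ins for the monitoring database; the sample rows and probe strings are constructed.

```python
import sqlite3

# Constructed inputs; neither matches a stored run_id.
PROBES = ["nope' OR '1'='1", "it's"]


def make_db():
    """Build an in-memory stand-in for the monitoring database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE workflow (run_id TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO workflow VALUES (?, ?)",
                   [("run-a", "alice"), ("run-b", "bob")])
    return db


def lookup_unsafe(db, workflow_id):
    # Pattern described in the CVE text: the % operator splices the
    # URL-supplied value into the SQL text, so quotes in it become syntax.
    query = "SELECT run_id, owner FROM workflow WHERE run_id = '%s'" % workflow_id
    return db.execute(query).fetchall()


def lookup_safe(db, workflow_id):
    # Bound parameter: the value travels separately from the SQL text
    # and is only ever compared as data.
    query = "SELECT run_id, owner FROM workflow WHERE run_id = ?"
    return db.execute(query, (workflow_id,)).fetchall()


def is_injectable(lookup):
    """True if any probe returns rows or breaks the statement."""
    db = make_db()
    for probe in PROBES:
        try:
            if lookup(db, probe):
                return True   # rows came back for an id that does not exist
        except sqlite3.Error:
            return True       # input altered the SQL enough to fail parsing
    return False


if __name__ == "__main__":
    print("unsafe lookup injectable:", is_injectable(lookup_unsafe))
    print("safe lookup injectable:  ", is_injectable(lookup_safe))
```

The same check can be pointed at any lookup function with this signature to confirm a backported patch, such as the one in the upload below, closes the hole.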
--- Begin Message ---
Source: python-parsl
Source-Version: 2025.01.13+ds-1+deb13u1
Done: Étienne Mollier <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-parsl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated python-parsl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 Jan 2026 20:02:48 +0100
Source: python-parsl
Architecture: source
Version: 2025.01.13+ds-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1125085
Changes:
python-parsl (2025.01.13+ds-1+deb13u1) trixie-security; urgency=medium
.
* CVE-2026-21892.patch: new: fix sql injection vulnerability.
This change addresses the CVE-2026-21892. (Closes: #1125085)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---