Your message dated Wed, 18 Mar 2026 13:20:09 +0000
with message-id <[email protected]>
and subject line Bug#1129259: fixed in ormar 0.23.0-1
has caused the Debian Bug report #1129259,
regarding ormar: CVE-2026-26198
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129259: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129259
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ormar
Version: 0.22.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ormar.
CVE-2026-26198[0]:
| Ormar is an async mini ORM for Python. In versions 0.9.9 through
| 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL
| expressions by passing user-supplied column names directly into
| `sqlalchemy.text()` without any validation or sanitization. The
| `min()` and `max()` methods in the `QuerySet` class accept arbitrary
| string input as the column parameter. While `sum()` and `avg()` are
| partially protected by an `is_numeric` type check that rejects
| non-existent fields, `min()` and `max()` skip this validation entirely.
| As a result, an attacker-controlled string is embedded as raw SQL
| inside the aggregate function call. Any unauthorized user can
| exploit this vulnerability to read the entire database contents,
| including tables unrelated to the queried model, by injecting a
| subquery as the column parameter. Version 0.23.0 contains a patch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26198
https://www.cve.org/CVERecord?id=CVE-2026-26198
[1] https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr
[2] https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
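The validation gap the CVE text above describes, shown as an added illustration that is not ormar's own code or the referenced upstream commit: a hypothetical `Model` with a declared field set, the unvalidated interpolation pattern, and a hardened aggregate builder that only accepts column names from the model's own field list.

```python
# Added illustration, not ormar's code. `Model`, `BOOK`, IDENTIFIER and the
# two builder functions are assumptions constructed for this example.
import re
from dataclasses import dataclass, field

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class Model:
    """Stand-in for an ORM model: table name plus its declared columns."""
    table: str
    fields: frozenset = field(default_factory=frozenset)


def aggregate_sql_unsafe(model: Model, func: str, column: str) -> str:
    """The pattern the advisory describes: the column string is interpolated
    verbatim, so whatever the caller passes becomes part of the SQL text."""
    return f"SELECT {func}({column}) FROM {model.table}"


def validate_column(model: Model, column: str) -> str:
    """Allow-list check: the name must be a declared field of the model.
    The identifier regex is only a second line of defence behind it."""
    if column not in model.fields:
        raise ValueError(f"{column!r} is not a field of {model.table}")
    if not IDENTIFIER.match(column):
        raise ValueError(f"{column!r} is not a plain identifier")
    return column


def aggregate_sql_safe(model: Model, func: str, column: str) -> str:
    """Hardened form: same SQL for legitimate input, emitted only after the
    aggregate name and the column name have both been checked."""
    if func not in {"min", "max", "sum", "avg"}:
        raise ValueError(f"unsupported aggregate {func!r}")
    col = validate_column(model, column)
    return f'SELECT {func}("{col}") FROM "{model.table}"'


def is_rejected(model: Model, func: str, column: str) -> bool:
    """True when the hardened builder refuses the given column string."""
    try:
        aggregate_sql_safe(model, func, column)
    except ValueError:
        return True
    return False


# Constructed sample model for the demonstration.
BOOK = Model(table="books", fields=frozenset({"id", "title", "price"}))
```

Running `aggregate_sql_safe(BOOK, "max", "price")` yields the expected statement, while any string that is not one of `BOOK.fields` is refused before any SQL text is built.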
--- Begin Message ---
Source: ormar
Source-Version: 0.23.0-1
Done: Edward Betts <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ormar, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Edward Betts <[email protected]> (supplier of updated ormar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 18 Mar 2026 12:56:30 +0000
Source: ormar
Architecture: source
Version: 0.23.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Edward Betts <[email protected]>
Closes: 1129259
Changes:
ormar (0.23.0-1) unstable; urgency=medium
.
* New upstream release.
* Fix CVE-2026-26198. (Closes: #1129259)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---