Your message dated Sun, 22 Mar 2026 12:55:07 +0000
with message-id <[email protected]>
and subject line Bug#1131476: fixed in python-dynaconf 3.2.13-1
has caused the Debian Bug report #1131476,
regarding python-dynaconf: CVE-2026-33154
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131476
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-dynaconf
Version: 3.2.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-dynaconf.

CVE-2026-33154[0]:
| dynaconf is a configuration management tool for Python. Prior to
| version 3.2.13, Dynaconf is vulnerable to Server-Side Template
| Injection (SSTI) due to unsafe template evaluation in the @Jinja
| resolver. When the jinja2 package is installed, Dynaconf evaluates
| template expressions embedded in configuration values without a
| sandboxed environment. This issue has been patched in version
| 3.2.13.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33154
    https://www.cve.org/CVERecord?id=CVE-2026-33154
[1] https://github.com/dynaconf/dynaconf/security/advisories/GHSA-pxrr-hq57-q35p
[2] https://github.com/dynaconf/dynaconf/commit/2fbb45ee36b8c0caa5b924fe19f3c1a5e8603fa7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
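
Added example, not part of the bug report and not dynaconf's own code: a triage helper for the issue described above. It reports whether an installed package version predates 3.2.13 and which settings values carry the "@jinja" marker, so the sources of those values can be reviewed. The function names and the sample settings text are assumptions made for illustration.

```python
import importlib.util
import re

FIXED = (3, 2, 13)  # first patched upstream release, per the CVE text above

# Constructed sample settings file (not taken from the report).
SAMPLE_TOML = '''\
[default]
name = "svc"
db_path = "@jinja {{ this.name }}/data.db"
greeting = "@format Hello {this.name}"
url = "@jinja https://{{ this.host }}/api"
'''

# A value beginning with the "@jinja" token is handed to the Jinja resolver.
# Matched case-insensitively so the scan over-reports rather than misses.
JINJA_VALUE = re.compile(r'^\s*([\w.-]+)\s*[:=]\s*["\']?\s*@jinja\b(.*)$', re.I)


def upstream_version(version):
    """Turn '3.2.12-1' or '1:3.2.13-1' into a comparable tuple such as (3, 2, 12)."""
    upstream = version.split(":", 1)[-1].rsplit("-", 1)[0]  # drop epoch and revision
    dotted = re.match(r"\d+(?:\.\d+)*", upstream).group(0)
    return tuple(int(part) for part in dotted.split("."))


def jinja_keys(text):
    """Return (line_no, key, expression) for each value routed to the resolver."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = JINJA_VALUE.match(line)
        if match:
            hits.append((line_no, match.group(1), match.group(2).strip().rstrip('"\'')))
    return hits


def triage(installed, text):
    """Summarise version status, jinja2 availability and templated keys."""
    return {
        "vulnerable_version": upstream_version(installed) < FIXED,
        # The CVE text says evaluation happens only when jinja2 is installed.
        "jinja2_installed": importlib.util.find_spec("jinja2") is not None,
        "jinja_keys": [key for _, key, _ in jinja_keys(text)],
    }


if __name__ == "__main__":
    print(triage("3.2.12-1", SAMPLE_TOML))
    print(triage("3.2.13-1", SAMPLE_TOML))
```

An empty "jinja_keys" list only means no value is templated today; it says nothing about who can write to the settings sources.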
--- Begin Message ---
Source: python-dynaconf
Source-Version: 3.2.13-1
Done: Alexandre Detiste <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-dynaconf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Detiste <[email protected]> (supplier of updated python-dynaconf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Mar 2026 13:00:52 +0100
Source: python-dynaconf
Architecture: source
Version: 3.2.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Alexandre Detiste <[email protected]>
Closes: 1131476
Changes:
 python-dynaconf (3.2.13-1) unstable; urgency=medium
 .
   * Team Upload
   * New upstream version 3.2.13 (Closes: #1131476)
     Fix CVE-2026-33154: Server-Side Template Injection (SSTI)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---