Your message dated Wed, 25 Mar 2026 11:34:04 +0000
with message-id <[email protected]>
and subject line Bug#1130875: fixed in simpleeval 1.0.7-1
has caused the Debian Bug report #1130875,
regarding simpleeval: CVE-2026-32640
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130875
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: simpleeval
Version: 1.0.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for simpleeval.
CVE-2026-32640[0]:
| SimpleEval is a library for adding evaluatable expressions into
| python projects. Prior to 1.0.5, objects (including modules) can
| leak dangerous modules through to direct access inside the sandbox.
| If the objects you've passed in as names to SimpleEval have modules
| or other disallowed / dangerous objects available as attrs.
| Additionally, dangerous functions or modules could be accessed by
| passing them as callbacks to other safe functions to call. The
| latest version 1.0.5 has this issue fixed. This vulnerability is
| fixed in 1.0.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32640
    https://www.cve.org/CVERecord?id=CVE-2026-32640
[1] https://github.com/danthedeckie/simpleeval/security/advisories/GHSA-44vg-5wv2-h2hg
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
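A defender-side pre-flight check for the first issue the advisory above describes: objects handed to the sandbox as names that expose modules through their attributes. This is an added example, not code from simpleeval or from the Debian package; it uses only the standard library, and the `Settings` class and `SAMPLE_NAMES` mapping are constructed sample input.

```python
import inspect
import os

# simpleeval itself refuses attribute names starting with "_", so the walker
# skips them too and only reports attributes an expression could reach.
DISALLOWED_PREFIX = "_"
MAX_DEPTH = 3


def leaked_modules(names, max_depth=MAX_DEPTH):
    """Return dotted paths under `names` that resolve to a module object.

    Breadth-first over public attributes, at most `max_depth` levels deep.
    `seen` maps id -> object so visited objects stay alive and their ids
    cannot be recycled for a different object during the walk.
    """
    findings, seen = [], {}
    queue = [(path, obj, 0) for path, obj in names.items()]
    while queue:
        path, obj, depth = queue.pop(0)
        if inspect.ismodule(obj):
            findings.append(path)      # the module itself is the finding
            continue                   # no need to descend into it
        if depth >= max_depth or id(obj) in seen:
            continue
        seen[id(obj)] = obj
        for attr in dir(obj):
            if attr.startswith(DISALLOWED_PREFIX):
                continue
            try:
                child = getattr(obj, attr)
            except Exception:          # a property may raise; skip it
                continue
            queue.append((f"{path}.{attr}", child, depth + 1))
    return findings


def safe_names(names):
    """Drop every top-level name under which a module was found."""
    bad_roots = {path.split(".", 1)[0] for path in leaked_modules(names)}
    return {k: v for k, v in names.items() if k not in bad_roots}


# Constructed sample input: a settings object that carelessly carries a
# module as a public attribute, next to a harmless integer.
class Settings:
    prefix = "/srv/app"
    paths = os.path   # a module (posixpath or ntpath), reachable as settings.paths

SAMPLE_NAMES = {"settings": Settings(), "limit": 10}
```

This complements rather than replaces the upgrade to a fixed release: the callback case the advisory also mentions depends on which allowed functions accept callables, which a walk over the names mapping cannot see.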
--- Begin Message ---
Source: simpleeval
Source-Version: 1.0.7-1
Done: Mathias Behrle <[email protected]>
We believe that the bug you reported is fixed in the latest version of
simpleeval, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mathias Behrle <[email protected]> (supplier of updated simpleeval package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 25 Mar 2026 09:01:21 +0100
Source: simpleeval
Architecture: source
Version: 1.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Tryton Maintainers <[email protected]>
Changed-By: Mathias Behrle <[email protected]>
Closes: 1130875
Changes:
simpleeval (1.0.7-1) unstable; urgency=high
.
  * Merging upstream version 1.0.7 (Closes: #1130875)
    This release contains fixes for CVE-2026-32640
  * Adjust d/copyright.
--- End Message ---