Your message dated Fri, 27 Mar 2026 19:17:52 +0100
with message-id <[email protected]>
and subject line Re: Accepted black 26.3.1-1 (source) into unstable
has caused the Debian Bug report #1130657,
regarding black: CVE-2026-32274
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130657
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: black
Version: 26.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/psf/black/pull/5038
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for black.
CVE-2026-32274[0]:
| Black is the uncompromising Python code formatter. Prior to 26.3.1,
| Black writes a cache file, the name of which is computed from
| various formatting options. The value of the --python-cell-magics
| option was placed in the filename without sanitization, which
| allowed an attacker who controls the value of this argument to write
| cache files to arbitrary file system locations. Fixed in Black
| 26.3.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32274
https://www.cve.org/CVERecord?id=CVE-2026-32274
[1] https://github.com/psf/black/pull/5038
[2] https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
[3] https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
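Added example, not part of the bug report and not Black's own code: a Python illustration of the bug class the CVE text above describes, where an option value is placed in a cache file name without sanitization, next to a hardened form. The function names, cache directory, file-name layout and sample value are assumptions constructed for illustration; hashing the value is one common mitigation and is not claimed to be the fix upstream adopted.

```python
import hashlib
from pathlib import Path

# Assumed cache location, constructed for this example (nothing is written).
CACHE_DIR = Path("/tmp/example-cache")


def unsafe_cache_name(line_length: int, cell_magics: set[str]) -> str:
    """Vulnerable pattern: the option value is pasted into the name verbatim."""
    magics = ",".join(sorted(cell_magics))
    return f"cache.{line_length}.{magics}.pickle"


def safe_cache_name(line_length: int, cell_magics: set[str]) -> str:
    """Hardened: the untrusted value reaches the name only as a hex digest."""
    magics = ",".join(sorted(cell_magics))
    digest = hashlib.sha256(magics.encode("utf-8")).hexdigest()[:16]
    return f"cache.{line_length}.{digest}.pickle"


def resolve_in_cache(name: str, cache_dir: Path = CACHE_DIR) -> Path:
    """Defence in depth: reject any name that is not a direct child of cache_dir."""
    root = cache_dir.resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"cache file name escapes {root}: {name!r}")
    return target


if __name__ == "__main__":
    # Constructed sample value containing path separators and parent references.
    hostile = {"a/../../elsewhere"}
    for build in (unsafe_cache_name, safe_cache_name):
        name = build(88, hostile)
        try:
            print(build.__name__, "->", resolve_in_cache(name))
        except ValueError as exc:
            print(build.__name__, "rejected:", exc)
```

The containment check is worth keeping even with the digest in place, since it also catches any other option value that later ends up in the file name.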
--- Begin Message ---
Source: black
Source-Version: 26.3.1-1
On Fri, Mar 27, 2026 at 06:03:54PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 27 Mar 2026 13:59:07 +0100
> Source: black
> Architecture: source
> Version: 26.3.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Michael R. Crusoe <[email protected]>
> Changes:
> black (26.3.1-1) unstable; urgency=medium
> .
> * Team upload.
> * New upstream version. Fixes CVE-2026-32274
> * Refreshed the patches, removed docs-makefile which was applied
> upstream.
> * Added new patch about where the version mismatch error messages go.
--- End Message ---