Your message dated Thu, 28 May 2026 17:25:09 +0000
with message-id <[email protected]>
and subject line Bug#1131372: fixed in python-memray 1.19.3+dfsg-1
has caused the Debian Bug report #1131372,
regarding python-memray: CVE-2026-32722
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-memray
Version: 1.17.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-memray.
CVE-2026-32722[0]:
| Memray is a memory profiler for Python. Prior to Memray 1.19.2,
| Memray rendered the command line of the tracked process directly
| into generated HTML reports without escaping. Because there was no
| escaping, attacker-controlled command line arguments were inserted
| as raw HTML into the generated report. This allowed JavaScript
| execution when a victim opened the generated report in a browser.
| Version 1.19.2 fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32722
    https://www.cve.org/CVERecord?id=CVE-2026-32722
[1] https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
[2] https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
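Added example, not part of the bug report and not Memray's code: the raw insertion the CVE description names next to the escaped form, with a parser-based check a packager could run against a generated report. The template, function names and sample argv are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical report template (not Memray's); the command line lands in #cmd.
TEMPLATE = '<html><body><h1>Report</h1><code id="cmd">{cmd}</code></body></html>'

# Constructed sample argv carrying markup in one argument.
SAMPLE_ARGV = ["python3", "app.py", "--label=<script>document.title='x'</script>"]

def render_unescaped(argv):
    """Behaviour the advisory describes: command line inserted as raw HTML."""
    return TEMPLATE.format(cmd=" ".join(argv))

def render_escaped(argv):
    """Hardened form: HTML-escape the command line before insertion."""
    return TEMPLATE.format(cmd=html.escape(" ".join(argv), quote=True))

class CmdFieldAudit(HTMLParser):
    """Records text and any element that starts inside <code id="cmd">."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.inside = False
        self.text = []
        self.injected_tags = []

    def handle_starttag(self, tag, attrs):
        if self.inside:
            self.injected_tags.append(tag)   # markup where only text belongs
        elif tag == "code" and ("id", "cmd") in attrs:
            self.inside = True

    def handle_endtag(self, tag):
        if tag == "code":
            self.inside = False

    def handle_data(self, data):
        if self.inside:
            self.text.append(data)

def audit(report_html):
    """Return (tags found inside the field, text content of the field)."""
    parser = CmdFieldAudit()
    parser.feed(report_html)
    parser.close()
    return parser.injected_tags, "".join(parser.text)

if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, audit(render(SAMPLE_ARGV)))
```

An empty tag list together with field text equal to the original command line is the property to assert in a regression test for the fixed package.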
--- Begin Message ---
Source: python-memray
Source-Version: 1.19.3+dfsg-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-memray, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-memray package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 May 2026 13:56:00 +0100
Source: python-memray
Architecture: source
Version: 1.19.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1131372
Changes:
 python-memray (1.19.3+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2026-32722: Ensure the command line is properly HTML escaped when
       writing it into flamegraph and table reports (closes: #1131372).
 .
 python-memray (1.19.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 1.19.1.
   * d/control:
     - Bump Standards-Version to 4.7.3.
     - Remove Rules-Requires-Root.
     - Remove Priority.
   * Update patches 001-fix-html-privacy-breach.patch and
     003-rm-distutils-from-setup.patch for new upstream version.
   * d/copyright: update debian/* copyright year.
   * d/watch: bump to version 5.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---