Your message dated Sat, 04 Jul 2026 10:03:09 +0000
with message-id <[email protected]>
and subject line Bug#1131372: fixed in python-memray 1.17.0+dfsg-1+deb13u1
has caused the Debian Bug report #1131372,
regarding python-memray: CVE-2026-32722
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131372
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-memray
Version: 1.17.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-memray.
CVE-2026-32722[0]:
| Memray is a memory profiler for Python. Prior to Memray 1.19.2,
| Memray rendered the command line of the tracked process directly
| into generated HTML reports without escaping. Because there was no
| escaping, attacker-controlled command line arguments were inserted
| as raw HTML into the generated report. This allowed JavaScript
| execution when a victim opened the generated report in a browser.
| Version 1.19.2 fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32722
https://www.cve.org/CVERecord?id=CVE-2026-32722
[1] https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
[2]
https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-memray
Source-Version: 1.17.0+dfsg-1+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-memray, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-memray package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 Jun 2026 16:51:20 +0300
Source: python-memray
Architecture: source
Version: 1.17.0+dfsg-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1131372
Changes:
python-memray (1.17.0+dfsg-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-32722: XSS in generated HTML reports via unescaped
command-line metadata (Closes: #1131372)
Checksums-Sha1:
5991c0d5f7dcde9cc5760796e346fa76d08bee88 3219
python-memray_1.17.0+dfsg-1+deb13u1.dsc
abc076aeebb781e34cfb6e6484f65d1af2b9d254 16030696
python-memray_1.17.0+dfsg.orig.tar.xz
758895abba86cf97ddef5d38575c3541a9374a01 13092
python-memray_1.17.0+dfsg-1+deb13u1.debian.tar.xz
Checksums-Sha256:
238825e682b78b0fa3b0cdbef10df86c1afb13831df6fb926a600769ff7c7b3c 3219
python-memray_1.17.0+dfsg-1+deb13u1.dsc
f9ddee9cd8b4212c6326eaa4bffed0de9efe36669aafd347a198e6d7b13a8a3b 16030696
python-memray_1.17.0+dfsg.orig.tar.xz
9a71f14936c50db4c621aea3cb2c627d91c64d0d90b5737a2fdb6fe34d654153 13092
python-memray_1.17.0+dfsg-1+deb13u1.debian.tar.xz
Files:
18d7d1ca1277178648918d856259dc0b 3219 python optional
python-memray_1.17.0+dfsg-1+deb13u1.dsc
906dd6cb2f5a106959fe02fe5c6c18ae 16030696 python optional
python-memray_1.17.0+dfsg.orig.tar.xz
d31934b528df8e27835304ab96c5e89f 13092 python optional
python-memray_1.17.0+dfsg-1+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpABKcACgkQiNJCh6LY
mLEauxAAsYjmuE4/1azCuPnnb6Uly5+PcxiMDW/RadjPnyOnK93czChB7auTwdAT
WKLYD8Qv2FlyLkzXpL/02VtEDjOD5VInfDK6dHiAlT8wkSXbijx0iAp5HtijO9bq
jysYnLHrOB9TyHcIoOahvOEw7gT9kEajqah+S3ImoNtZKc/DEYh1u2dcYHvUU/u2
oWLKRPs1ZqcsuLsbXtuVqgo87i6P39W/m6X8gAK4G7/9dxTWshDvNv0JmOX8nWJw
5CZNPuScHJUsTuybLVQTV8G8/xizlscQN3wVOhVmiG1CGR13RyJHIEe54RdeFjDN
epUZ/Qu8DaoxFwF+NvArMScMH8X1Bw/wGKbFD7/wLJzSV9C73cKhm7dm+A16JWP3
yvCxsUBNy/cG0AvmWQy69H2uqXtK3kV+Eb2A/POvjhsPXgeQLncO87AI6hs5lSfj
YNeZKFZWXxJNLcGucn6NsoSfsjv42lXanOrDbasPdWHMjL8Bj10trC/1qHQL3G97
hOqkclOUTNGik+r4iRuWPFh6xroBj697ZPaevXff25AXAbFptihEVua5jD1t/g/l
8uZWBiATqrlmr0HxXIRVEIzMBxHNZsf81xo0NGPJY7Rg8SctAlD731ahBUpW7yBC
2ch+pCAQ0AeVMQkiiXDaVclNo+iwASBDIw9DB3UoQngopbLhVDU=
=2EUQ
-----END PGP SIGNATURE-----
pgpzO1oa5W8mx.pgp
Description: PGP signature
--- End Message ---