Your message dated Sat, 04 Jul 2026 15:48:35 +0000
with message-id <[email protected]>
and subject line Bug#1132609: fixed in poetry 2.1.2+dfsg-1+deb13u1
has caused the Debian Bug report #1132609,
regarding poetry: CVE-2026-34591
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132609
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poetry
Version: 2.3.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/python-poetry/poetry/pull/10792
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for poetry.
CVE-2026-34591[0]:
| Poetry is a dependency manager for Python. From version 1.4.0 to
| before version 2.3.3, a crafted wheel can contain ../ paths that
| Poetry writes to disk without containment checks, allowing arbitrary
| file write with the privileges of the Poetry process. It is
| reachable from untrusted package artifacts during normal install
| flows. (Normally, installing a malicious wheel is not sufficient for
| execution of malicious code. Malicious code will only be executed
| after installation if the malicious package is imported or invoked
| by the user.). This issue has been patched in version 2.3.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34591
https://www.cve.org/CVERecord?id=CVE-2026-34591
[1] https://github.com/python-poetry/poetry/pull/10792
[2]
https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
[3]
https://github.com/python-poetry/poetry/commit/e068177d1bfef65de4c55cf71c36de27057f10e7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: poetry
Source-Version: 2.1.2+dfsg-1+deb13u1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
poetry, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated poetry package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 Jul 2026 18:25:04 +0300
Source: poetry
Architecture: source
Version: 2.1.2+dfsg-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1132609
Changes:
poetry (2.1.2+dfsg-1+deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* CVE-2026-34591: Wheel Path Traversal Leading to Arbitrary File Write
(Closes: #1132609)
Checksums-Sha1:
81c371096778ae7a01596d6582c009a04534fa2b 3299 poetry_2.1.2+dfsg-1+deb13u1.dsc
5846f4d992fd0a9a8a577646e2c0a8990f2069e3 4086308 poetry_2.1.2+dfsg.orig.tar.xz
dd927dd3f249d7bdbdc05e63cf773a72783aa673 11760
poetry_2.1.2+dfsg-1+deb13u1.debian.tar.xz
Checksums-Sha256:
ebeaec7a6505be6c9a789ad908db08e947e8f46aa42f89af68bd25ffabe145f6 3299
poetry_2.1.2+dfsg-1+deb13u1.dsc
a3d219b433acd8c2cffdac25480d0a5c2429799147e2e555f7184b7fbc6cecea 4086308
poetry_2.1.2+dfsg.orig.tar.xz
6a6094c0dcb9088b4f82c34fa28cc27ceab7117cfe6ca5dc7da30f8f88fa47cb 11760
poetry_2.1.2+dfsg-1+deb13u1.debian.tar.xz
Files:
7f3bfde8bd085fa3de9a14b26b19775e 3299 python optional
poetry_2.1.2+dfsg-1+deb13u1.dsc
9911da39e14e82289a9ab5394415ccf9 4086308 python optional
poetry_2.1.2+dfsg.orig.tar.xz
61412994ea518472a9f984762a978bb7 11760 python optional
poetry_2.1.2+dfsg-1+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmpH3vQACgkQiNJCh6LY
mLFf0RAAkpKbZyx4Gv9joRV/+Ro2hEqbSCiw4hfqwubifRbSWXpJKrejCm5Y0qCa
rkHX552T+lG7Je23HwA391ER756x0bP5d0J2YPMyEIsAa8vDBzkLXSnKWvhTsdBr
vncTWIsZtuewmoZXuib5BA5Al64C/WEfEVv+//XGiKJTkOgAolRcqgoi0N9nef0Q
GvADrcVE9/vxPf4I5lreNm0qN3pWGA6buU2rO5iWx1isR4IftPWKRnFULH+PUdfq
dm++jBZ71tGI2sLWL7FguRp5kzOny30CpcSkmnV4lb5IhMDqmnKXvy9nDOC7faFw
RW2ZM5x02puwETl2SZrccQTZI8OsmuQ5UQAk29SH00g+MnASotIV6RUNtud1u/P5
XfszMy2UTjC/7FVBZ8CQvlckSz4BWQq7HiJVNzZZ67VovIDXtEd16xqKhQRrF2Ti
ez71Umqsxd7YPA5BtQ6IBzmE3wBBqWPx37ZpR5nXPZOXZbG4pbTnjBxWnyXa3bx6
M6oe2gqccuIEnBywvHqxeM8nZOaQwH4YWOqFDfXYd5uvC2jEX483RAOGIUdf6j6E
V/sQXJ1ooDhazxk+3aRkmJmpXFBqdIGaXVmwWfETfFurvFK8ZkkSmOskZCAt5y3T
mmCrvxrWaxITxJpQEIjUGUXxXBmgjU7d9Nk3hoWM5PxfWkQzj7M=
=w7DO
-----END PGP SIGNATURE-----
pgpsNSrGDYoQn.pgp
Description: PGP signature
--- End Message ---