Source: python-pyramid
Version: 2.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-pyramid.

CVE-2023-40587[0]:
| Pyramid is an open source Python web framework. A path traversal
| vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of
| Python 3.11 that are using a Pyramid static view with a full
| filesystem path and have a `index.html` file that is located exactly
| one directory above the location of the static view's file system
| path. No further path traversal exists, and the only file that could
| be disclosed accidentally is `index.html`. Pyramid version 2.0.2
| rejects any path that contains a null-byte out of caution. While
| valid in directory/file names, we would strongly consider it a
| mistake to use null-bytes in naming files/directories. Secondly,
| Python 3.11 and 3.12 have fixed the underlying issue in
| `os.path.normpath` to no longer truncate on the first `0x00` found,
| returning the behavior to pre-3.11 Python, in an as of yet
| unreleased version. Fixes will be available in: Python 3.12.0rc2 and
| 3.11.5. Some workarounds are available. Use a version of Python 3
| that is not affected, downgrade to Python 3.10 series temporarily,
| or wait until Python 3.11.5 is released and upgrade to the latest
| version of Python 3.11 series.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40587
    https://www.cve.org/CVERecord?id=CVE-2023-40587
[1] https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
[2] https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85

Regards,
Salvatore
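The advisory above describes two defensive measures: rejecting any requested path that contains a NUL byte (what Pyramid 2.0.2 does) and not trusting `os.path.normpath` alone to keep a path under the static root. The following is an added illustration, not code from the bug report or from Pyramid itself; `STATIC_ROOT`, `resolve_static_path` and `is_rejected` are assumed names chosen for the example, and the root directory is a constructed value.

```python
import os

# Constructed example root for the demo; not a real deployment path.
STATIC_ROOT = "/srv/app/static"


def resolve_static_path(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto a file below root.

    Raises ValueError when the request contains a NUL byte or when the
    normalized result does not lie inside root.
    """
    # Reject NUL bytes outright, as Pyramid 2.0.2 does: a NUL is never part
    # of a legitimate asset name, and on the affected Python 3.11 releases
    # os.path.normpath silently truncated the path at the first 0x00.
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")

    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, requested))

    # Independent containment check: whatever normpath produced, the result
    # must be the root itself or a path strictly below it. Comparing against
    # root + os.sep also stops a sibling such as /srv/app/static2 from passing.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError("requested path escapes the static root")
    return candidate


def is_rejected(root: str, requested: str) -> bool:
    """Return True when resolve_static_path refuses the request."""
    try:
        resolve_static_path(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: ordinary assets, a dot-segment that stays
    # inside the root, an empty subpath, and three that must be refused.
    for req in ["css/site.css", "css/../site.css", "", "../index.html",
                "/etc/passwd", "index.html\x00"]:
        try:
            print(repr(req), "->", resolve_static_path(STATIC_ROOT, req))
        except ValueError as exc:
            print(repr(req), "-> rejected:", exc)
```

The NUL-byte check is the cheap first line of defence, but the containment test is what actually bounds the damage: even if a future normalization quirk turned a request into a path one level above the static root, the request would still be refused rather than served.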
