Control: fixed -1 2026.01.05+ds-1
Control: found -1 2025.01.13+ds-1

Hi Salvatore,

> The following vulnerability was published for python-parsl.
>
> CVE-2026-21892[0]:
> | Parsl is a Python parallel scripting library. A SQL Injection
> | vulnerability exists in the parsl-visualize component of versions
> | prior to 2026.01.05. The application constructs SQL queries using
> | unsafe string formatting (Python % operator) with user-supplied
> | input (workflow_id) directly from URL routes. This allows an
> | unauthenticated attacker with access to the visualization dashboard
> | to inject arbitrary SQL commands, potentially leading to data
> | exfiltration or denial of service against the monitoring database.
> | Version 2026.01.05 fixes the issue.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-21892
>     https://www.cve.org/CVERecord?id=CVE-2026-21892
> [1] https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
> [2] https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974

Thank you for the report. On the trixie side, the patch applies without
fuzz, which heavily suggests that the code is indeed vulnerable, and I am
wrapping something up tonight in case a security upload is deemed needed.

I have verified that the mitigation is already applied in the version
2026.01.05+ds-1 that I uploaded earlier this week in unstable. I
proceeded without knowing about CVE-2026-21892, so it's a bit late for
the d/changelog on the sid side. Should I do something in particular
for the sid version, or is that all good as-is?

python-parsl was not available in bookworm and older releases.

I wish you the best for the upcoming year. :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/1, please excuse my verbosity
   `-
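The advisory quoted above describes the bug as a workflow_id taken from the URL route and spliced into SQL with Python's % operator. As an added illustration, not code from Parsl or from anyone in this thread, here is that pattern beside a parameterized form that binds the value instead, run against a constructed in-memory SQLite table; the table name, column names and UUID-shaped run ids are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample rows; the real monitoring schema is not described on
# the page, so the table and column names below are assumptions.
SAMPLE_ROWS = [
    ("3f0d6c2e-1111-4a2b-9c3d-000000000001", "wf-alpha"),
    ("3f0d6c2e-1111-4a2b-9c3d-000000000002", "wf-beta"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT)")
    conn.executemany("INSERT INTO workflow VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, workflow_id):
    # The pattern the advisory describes: the route parameter becomes part of
    # the statement text, so any SQL syntax it carries is parsed as SQL.
    sql = "SELECT run_id, workflow_name FROM workflow WHERE run_id='%s'" % workflow_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, workflow_id):
    # Hardened form: a bound parameter is always a literal value, never SQL,
    # so a quote or keyword inside workflow_id just fails to match a row.
    sql = "SELECT run_id, workflow_name FROM workflow WHERE run_id=?"
    return conn.execute(sql, (workflow_id,)).fetchall()


# Defence in depth at the route boundary: reject anything that cannot be a
# run id before it reaches the database. The UUID shape is an assumption.
RUN_ID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def lookup_validated(conn, workflow_id):
    if not RUN_ID_RE.fullmatch(workflow_id):
        raise ValueError("malformed workflow_id")
    return lookup_safe(conn, workflow_id)
```

Running the two lookups on an id that merely contains an apostrophe shows the difference: the bound query returns no rows, while the %-formatted statement is no longer valid SQL and raises an error.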