Hi Étienne,

On Fri, Jan 09, 2026 at 07:56:42PM +0100, Étienne Mollier wrote:
> Control: fixed -1 2026.01.05+ds-1
> Control: found -1 2025.01.13+ds-1
>
> Hi Salvatore,
>
> > The following vulnerability was published for python-parsl.
> >
> > CVE-2026-21892[0]:
> > | Parsl is a Python parallel scripting library. A SQL Injection
> > | vulnerability exists in the parsl-visualize component of versions
> > | prior to 2026.01.05. The application constructs SQL queries using
> > | unsafe string formatting (Python % operator) with user-supplied
> > | input (workflow_id) directly from URL routes. This allows an
> > | unauthenticated attacker with access to the visualization dashboard
> > | to inject arbitrary SQL commands, potentially leading to data
> > | exfiltration or denial of service against the monitoring database.
> > | Version 2026.01.05 fixes the issue.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2026-21892
> >     https://www.cve.org/CVERecord?id=CVE-2026-21892
> > [1] https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
> > [2] https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974
>
> Thank you for the report, on trixie side, the patch applies
> without fuzz, which heavily suggests that the code is vulnerable
> indeed and I am wrapping something up tonight, in case a
> security upload is deemed needed.

Not yet sure, my gut feeling was as this is relevant for the visualization
dashboard, that it would be enough to fix it in a point release, but then
I'm not expert with Parsl, and so would appreciate your point of view.

> I have verified that the mitigation is already applied in the
> version 2026.01.05+ds-1 that I uploaded earlier this week in
> unstable. I proceeded without knowing about the CVE-2026-21892,
> so it's a bit late for the d/changelog on sid side. Should I do
> something in particular for the sid version, or that's all good
> as-is?

Yes it is all good. I made a mistake here, I had the initial tracking even
correct, I must have had a bad day as this was not the only mistake done.
In http://salsa.debian.org/security-tracker-team/security-tracker/commit/a060535650a1285d9318f792fd3a32788d4a6fc9
I added the information on python-parsl, I even added the correct upstream
tag containing the fix, but left the state for unstable unfixed. Then later
I filed a bug without rechecking which version we have in unstable and if
it contains the fix. My bad, apologies for having wasted time for you.

> python-parsl was not available in bookworm and older releases.

Yupp so only trixie will be needed to get a fix.

> I wish you the best for the upcoming year. :)

I wish you the very very same!

Regards,
Salvatore
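To illustrate the bug class the advisory describes, here is an added example (not parsl's code, and not the patch referenced above): a constructed monitoring table whose names are assumptions for this illustration, with the % formatting pattern beside the parameter-binding form that the fix relies on.

```python
import sqlite3

# Constructed stand-in for a monitoring database. The table and column
# names are assumptions for this illustration, not parsl's real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflow (run_id TEXT PRIMARY KEY, workflow_name TEXT)")
    conn.executemany(
        "INSERT INTO workflow VALUES (?, ?)",
        [("run-001", "alpha"), ("run-002", "beta"), ("run-003", "gamma")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, workflow_id: str):
    # The pattern the advisory describes: the route parameter is pasted into
    # the SQL text with the % operator, so a quote character inside
    # workflow_id is read as SQL syntax rather than as data.
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id = '%s'" % workflow_id
    return conn.execute(query).fetchall()

def lookup_fixed(conn: sqlite3.Connection, workflow_id: str):
    # Parameter binding: the driver passes workflow_id as a value, so it can
    # never change the shape of the statement, whatever characters it holds.
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id = ?"
    return conn.execute(query, (workflow_id,)).fetchall()

# Constructed inputs: a genuine id, and a value carrying a quote, which a
# run id never legitimately contains (a cheap thing to alert on at the
# dashboard's access log if the fixed package cannot be deployed at once).
GOOD_ID = "run-002"
QUOTED_ID = "' OR '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        "vuln_good": lookup_vulnerable(conn, GOOD_ID),    # one row, as intended
        "fixed_good": lookup_fixed(conn, GOOD_ID),        # one row, as intended
        "vuln_quoted": lookup_vulnerable(conn, QUOTED_ID),  # every row leaks
        "fixed_quoted": lookup_fixed(conn, QUOTED_ID),      # no such run id: []
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```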

