Hi Salvatore,

(Whoops, looks like our messages crossed paths with team security.)

Salvatore Bonaccorso, on 2026-01-09:
> On Fri, Jan 09, 2026 at 07:56:42PM +0100, Étienne Mollier wrote:
> > Thank you for the report, on trixie side, the patch applies
> > without fuzz, which heavily suggests that the code is vulnerable
> > indeed and I am wrapping something up tonight, in case a
> > security upload is deemed needed.
>
> Not yet sure; my gut feeling was, as this is relevant for the
> visualization dashboard, that it would be enough to fix it in a point
> release, but then I'm not an expert with Parsl, and so would appreciate
> your point of view.

I'm not sure myself; I initially needed parsl as a dependency for
another package and am not a direct user of it. My general impression
is that upstream does not consider the issue to be a vulnerability in
the default configuration, quoting the commit description:

>>> I think in the default configuration this isn't a security
>>> vulnerability, because whatever is injected at these points is limited
>>> in what it can do: the database is already public because that's what
>>> parsl-visualize does, and sqlite will not allow other commands to be
>>> executed alongside the query.

However, they don't say anything about non-default configurations, the
nature of which is unclear to me. There is also the question that the
next point release is tomorrow, so it is already frozen, and the next
one will be in two months, in case time were of the essence. But I
don't have further arguments to push for a trixie-security update.
So, no strong opinion on my side, just trying to do my civic duty at
this point. :)

> > I have verified that the mitigation is already applied in the
> > version 2026.01.05+ds-1 that I uploaded earlier this week in
> > unstable. I proceeded without knowing about the CVE-2026-21892,
> > so it's a bit late for the d/changelog on sid side. Should I do
> > something in particular for the sid version, or that's all good
> > as-is?
>
> Yes it is all good. I made a mistake here, I had the initial tracking
> even correct, I must have had a bad day as this was not the only
> mistake done. In
> http://salsa.debian.org/security-tracker-team/security-tracker/commit/a060535650a1285d9318f792fd3a32788d4a6fc9
> I added the information on python-parsl, I even added the correct
> upstream tag containing the fix, but left the state for unstable
> unfixed. Later I filed a bug without rechecking which version we
> have in unstable and if it contains the fix. My bad, apologies for
> having wasted your time.

Nah, no worries. I'm happy to know it is all good as-is. :)

> > I wish you the best for the upcoming year. :)
>
> I wish you the very very same!

Thank you very much!

Have a nice day, :)
-- 
  .''`.  Étienne Mollier <[email protected]>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/3, please excuse my verbosity
   `-    on air: Lifesigns - Lighthouse
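Editor's added example, not code from this thread, from parsl or from the Debian package: the snippet below reproduces the reasoning in the quoted commit description against a constructed in-memory SQLite database (the `task` and `secret` tables and their columns are made up for illustration and are not parsl's monitoring schema). It shows that a value spliced into the SQL text cannot stack a second statement, because Python's `sqlite3` module refuses more than one statement per `execute()` call, but that a single-statement injection such as a `UNION` still rewrites the result set, which is the "limited in what it can do" part; the parameterized query closes both. One caveat worth keeping in mind when judging non-default setups: the refusal comes from the Python binding, not from SQLite itself, and `executescript()` would run every statement it is given.

```python
import sqlite3

# Constructed schema for illustration only; it is not parsl's monitoring
# database schema, just a small stand-in with one public table and one
# table the lookup should never reach.
SCHEMA = """
CREATE TABLE task(task_id TEXT PRIMARY KEY, task_func_name TEXT);
INSERT INTO task VALUES ('t1', 'add'), ('t2', 'mul');
CREATE TABLE secret(val TEXT);
INSERT INTO secret VALUES ('s3cr3t');
"""


def make_db():
    """Fresh in-memory database populated from the constructed schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_unsafe(con, task_id):
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL text."""
    sql = f"SELECT task_func_name FROM task WHERE task_id = '{task_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, task_id):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT task_func_name FROM task WHERE task_id = ?"
    return [row[0] for row in con.execute(sql, (task_id,))]


def table_exists(con, name):
    """True if a table of that name is present in sqlite_master."""
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def stacked_statement_refused(con):
    """Does execute() refuse a stacked statement (the 'other commands' case)?

    Python's sqlite3 module raises when more than one statement is passed
    to execute(); older interpreter releases signalled this as
    sqlite3.Warning, current ones as sqlite3.ProgrammingError. SQLite
    itself would run both statements via executescript(), so the guarantee
    belongs to the binding, not the engine. Returns True only if the
    call was refused and the table survived.
    """
    try:
        lookup_unsafe(con, "t1'; DROP TABLE task; --")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return table_exists(con, "task")
    return False


if __name__ == "__main__":
    con = make_db()
    print(lookup_unsafe(con, "t1"))
    # Single-statement injection: the UNION reads a table the query never named.
    print(lookup_unsafe(con, "x' UNION SELECT val FROM secret --"))
    # Same payload as a bound parameter matches no task_id and leaks nothing.
    print(lookup_safe(con, "x' UNION SELECT val FROM secret --"))
    # Stacked DROP TABLE is refused before SQLite ever sees the second statement.
    print(stacked_statement_refused(con))
```

The `UNION` case is the one that matters for the "limited in what it can do" argument: the attacker gets read access to whatever else sits in the same database file, which is harmless only as long as that file really contains nothing beyond what parsl-visualize already publishes.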

