Source: poetry
Version: 2.3.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/python-poetry/poetry/pull/10792
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for poetry.

CVE-2026-34591[0]:
| Poetry is a dependency manager for Python. From version 1.4.0 to
| before version 2.3.3, a crafted wheel can contain ../ paths that
| Poetry writes to disk without containment checks, allowing arbitrary
| file write with the privileges of the Poetry process. It is
| reachable from untrusted package artifacts during normal install
| flows. (Normally, installing a malicious wheel is not sufficient for
| execution of malicious code. Malicious code will only be executed
| after installation if the malicious package is imported or invoked
| by the user.) This issue has been patched in version 2.3.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34591
    https://www.cve.org/CVERecord?id=CVE-2026-34591
[1] https://github.com/python-poetry/poetry/pull/10792
[2] https://github.com/python-poetry/poetry/security/advisories/GHSA-2599-h6xx-hpxp
[3] https://github.com/python-poetry/poetry/commit/e068177d1bfef65de4c55cf71c36de27057f10e7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
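The containment check the advisory describes as missing, as an added Python example. This is not Poetry's code and not the upstream fix in PR #10792; it shows the class of check (resolve each archive member's destination and refuse anything that lands outside the install directory) against a constructed, wheel-like zip held in memory. The function names (`contained_target`, `safe_extract`, `build_sample_wheel`, `demo`), the `../../.bashrc` member and the sample directory layout are hypothetical.

```python
"""Zip-slip containment check for wheel extraction (added example, not Poetry's code).

A wheel is a zip archive. Python's ZipFile.extractall() strips '..' components
and leading slashes itself, but code that opens members and writes to paths it
computes from ZipInfo.filename (the pattern the advisory describes) has to
enforce containment on its own. This example does that, validating every
member before writing anything.
"""
import io
import os
import tempfile
import zipfile


class ZipSlipError(Exception):
    """Raised when an archive member would be written outside the destination."""


def contained_target(dest: str, member_name: str) -> str:
    """Return the absolute path `member_name` would be written to under `dest`,
    or raise ZipSlipError if that path escapes `dest`.

    Absolute names are rejected outright (they never belong in a wheel), then
    the joined path is resolved (realpath follows any symlink already present
    in dest and collapses '..' lexically) and compared by common path prefix.
    os.path.splitdrive only catches drive letters on Windows; on POSIX a
    'C:\\x' member is a plain filename and cannot escape.
    """
    dest_real = os.path.realpath(dest)
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        raise ZipSlipError(f"absolute path in archive: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_real, member_name))
    if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
        raise ZipSlipError(f"path escapes destination: {member_name!r}")
    return target


def is_contained(dest: str, member_name: str) -> bool:
    """Boolean form of contained_target, for filtering or tests."""
    try:
        contained_target(dest, member_name)
        return True
    except ZipSlipError:
        return False


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Extract every member of the zip in `archive` into `dest`.

    All member names are checked first, so a hostile entry late in the archive
    rejects the whole wheel before any file is written, instead of leaving a
    half-installed package behind. Returns the relative paths written.
    """
    dest_real = os.path.realpath(dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = [(info, contained_target(dest_real, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def build_sample_wheel(member_names: list[str]) -> bytes:
    """Constructed sample: a minimal wheel-like zip with the given member names.

    ZipInfo is used directly so hostile names such as '../x' are stored verbatim
    (ZipFile.write() would derive and normalize the name from a real path).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(zipfile.ZipInfo(name), b"# payload\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the check against a benign and a hostile constructed archive."""
    benign = build_sample_wheel(["pkg/__init__.py", "pkg-1.0.dist-info/METADATA"])
    # Hypothetical hostile member: two levels up from site-packages, i.e. the venv root.
    hostile = build_sample_wheel(["pkg/__init__.py", "../../.bashrc"])
    result: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "venv", "lib", "site-packages")
        os.makedirs(site)
        result["benign"] = safe_extract(benign, site)
        try:
            safe_extract(hostile, site)
            result["hostile"] = "written"
        except ZipSlipError as exc:
            result["hostile"] = str(exc)
        # Nothing outside site-packages was touched by the rejected archive.
        result["escaped"] = os.path.exists(os.path.join(tmp, "venv", ".bashrc"))
    return result


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping from this shape: the check compares resolved paths rather than looking for the substring `..`, so `pkg/../other.py` (which stays inside the destination) is accepted while `pkg/../../etc/x` is not, and validation runs over the whole member list before the first write, so a rejected wheel leaves no partial install.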

