Your message dated Wed, 01 Dec 2021 11:03:48 +0000
with message-id <[email protected]>
and subject line Bug#994841: fixed in sqlparse 0.4.2-1
has caused the Debian Bug report #994841,
regarding sqlparse: CVE-2021-32839
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
994841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sqlparse
Version: 0.4.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for sqlparse.

CVE-2021-32839[0]:
| sqlparse is a non-validating SQL parser module for Python. In sqlparse
| versions 0.4.0 and 0.4.1 there is a regular Expression Denial of
| Service in sqlparse vulnerability. The regular expression may cause
| exponential backtracking on strings containing many repetitions of
| '\r\n' in SQL comments. Only the formatting feature that removes
| comments from SQL statements is affected by this regular expression.
| As a workaround don't use the sqlformat.format function with keyword
| strip_comments=True or the --strip-comments command line flag when
| using the sqlformat command line tool. The issues has been fixed in
| sqlparse 0.4.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32839
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32839
[1] 
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
[2] 
https://github.com/andialbrecht/sqlparse/commit/8238a9e450ed1524e40cb3a8b0b3c00606903aeb

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: sqlparse
Source-Version: 0.4.2-1
Done: Michael R. Crusoe <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sqlparse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael R. Crusoe <[email protected]> (supplier of updated sqlparse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Dec 2021 11:42:26 +0100
Source: sqlparse
Architecture: source
Version: 0.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Andrii Senkovych <[email protected]>
Changed-By: Michael R. Crusoe <[email protected]>
Closes: 994841
Changes:
 sqlparse (0.4.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version. Fixes CVE-2021-32839 (Closes: #994841)
   * Standards-Version: 4.6.0 (routine-update)
   * watch file standard 4 (routine-update)
Checksums-Sha1:
 b3ca812af6f9ec98e0d9d97a4851523836014c59 2462 sqlparse_0.4.2-1.dsc
 e8f821c53be3bf9874e9dbd033975e8859033d10 67771 sqlparse_0.4.2.orig.tar.gz
 bda982d52da952678421c0a8c377da9d5128edae 488 sqlparse_0.4.2.orig.tar.gz.asc
 dcbc1d072c1d7331c748e557a34604ef04dd89a2 6924 sqlparse_0.4.2-1.debian.tar.xz
 77c8724ed1f93900cf3a8fe5a820bf2c92fd8f57 8299 sqlparse_0.4.2-1_source.buildinfo
Checksums-Sha256:
 e7a4c6c04b42b2acf925ddc669530c57bcde8a4179da49fd792c7aa881a8ce23 2462 
sqlparse_0.4.2-1.dsc
 0c00730c74263a94e5a9919ade150dfc3b19c574389985446148402998287dae 67771 
sqlparse_0.4.2.orig.tar.gz
 728ea6ce0d5dbbef9114509f3dc1b9e98156d0fc1d1b9fa30199e60ce021fbc6 488 
sqlparse_0.4.2.orig.tar.gz.asc
 cf528ca8bcc69e1bca45d5a6dbf8892a447b8547a4d8928be6db08752afbd168 6924 
sqlparse_0.4.2-1.debian.tar.xz
 cd69a03daa6d8d4b429300276fcf35d95ac378d3b3226030869b97bbd826ec19 8299 
sqlparse_0.4.2-1_source.buildinfo
Files:
 a0c4d151803dd6c23cf04d5868384d27 2462 python optional sqlparse_0.4.2-1.dsc
 66dce30d92823589f5e5e043f90b4f16 67771 python optional 
sqlparse_0.4.2.orig.tar.gz
 e7f91c882d7f7530ea04cdcac540210f 488 python optional 
sqlparse_0.4.2.orig.tar.gz.asc
 9727ae5f2615730d0ac9f972922fc850 6924 python optional 
sqlparse_0.4.2-1.debian.tar.xz
 70d0e157e0b6dbf8f5f183da4609dcbc 8299 python optional 
sqlparse_0.4.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEck1gkzcRPHEFUNdHPCZ2P2xn5uIFAmGnUh4ACgkQPCZ2P2xn
5uL+bg/8CiMFg9hVWh4EjZDFlu5wNYvRQTAZqy7r8n2sbDxHwofW6y3IuMzgYnm+
bKVRL9h9qNkdVAif1gvqEsmmT+jJbVhZrTLyfMzFa0vkMClGJSvefs8mQqZcfNsF
4+kidaRuPDqR7URhOVv6px9gHeKvJdfvnm1qfIgvC7wzB8cU0q3EeR9ExpOZndxM
8WIC3N+mXV4EP6jjvsHI6MXRjKz4cHA0O8zpMG5H9XdQyPTe868tCUnMSFRgcK46
dNbo0SvJpbn1iQ/9NHEz36zbcSpjwxwH6aiTUpGg1gaqfUm3jKoiBRvXVrSvOVBt
XOAWDiZECSPk1Uz9s6BagrncybfWs2S97uWduRltZheVqe6YAjjAgS7TMKwXUK8n
KWLpcGz6w1/vjoRb8xQG8zX2rzCLZ8+Zaar9Glvx6uXIMWpiEK0AbgZ0ydPUTPTY
P1tCrR1A15UybWgyZJmGS2Lm8F6VrtP+YyqaFr1ODN2BmSBVE7hR5HuUn5/fQ3vO
OLTaW5u+JqOTCChxtjdPdxzaXcnYKw2eE1ULuZUDhFWqTooDnuiNLNaYqq+TAWQA
PCtP9269DoX6eWXPkGQcmP0c1F9YPJmfsGEY4wya2rGQ4QVP9KnMYlMFz4vX4s8B
3WU7gDWpVQly+InWA/EeuL/R/v+7D7tbLSC9Ib/eMuDodGzJNZE=
=eC86
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to