Your message dated Mon, 03 Jun 2024 05:33:39 +0000
with message-id <[email protected]>
and subject line Bug#1071628: fixed in python-pymysql 0.9.3-2+deb11u1
has caused the Debian Bug report #1071628,
regarding python-pymysql: CVE-2024-36039
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1071628: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071628
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-pymysql
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-pymysql.

We should also fix this in a DSA, could you prepare debdiffs for
bookworm-security and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
    https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.

--- End Message ---
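The advisory quoted above says the bug is in `escape_dict`: PyMySQL escapes the values of a dict parameter but not its keys, so an application that lets keys from untrusted JSON reach the SQL text is exposed. The Debian changelog further down names the upstream fix `forbid_dict_parameter.patch`. The following is an added example (not PyMySQL's code and not the Debian patch) of the application-side guard that stays necessary regardless of the driver version: JSON keys are only ever used as column names after passing an allowlist, while values go through the driver's own `%(name)s` placeholders. `SCHEMA`, `build_insert` and `accepts` are assumed, illustrative names.

```python
"""Application-side guard against the CVE-2024-36039 class of bug.

Added example, not PyMySQL's own code or the Debian patch. It assumes the
application receives column names as keys of an untrusted JSON document
(e.g. a request body) and wants to bind the values with %(name)s
placeholders. The driver escapes only the *values* it binds; anything that
lands in the SQL text itself (column names taken from JSON keys) must be
validated by the application before the statement is built.
"""
import json
import re

# Constructed schema allowlist (assumption): table -> permitted column names.
SCHEMA = {
    "users": {"name", "email", "age"},
}
# Second, schema-independent check: a bare SQL identifier and nothing else.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_insert(table: str, untrusted_json: str):
    """Return (sql, params) suitable for cursor.execute(sql, params).

    JSON keys are interpolated into the SQL text only after passing the
    allowlist, so a key that is not a known column (including anything
    carrying quotes, parentheses or comment markers) is rejected instead of
    being spliced into the statement. Values never touch the SQL text; they
    are returned as the params dict for the driver to bind and escape.
    """
    if table not in SCHEMA:
        raise ValueError(f"unknown table {table!r}")
    data = json.loads(untrusted_json)  # JSONDecodeError is a ValueError
    if not isinstance(data, dict) or not data:
        raise TypeError("expected a non-empty JSON object")
    allowed = SCHEMA[table]
    for key in data:
        if key not in allowed or not IDENT_RE.match(key):
            raise ValueError(f"column not permitted: {key!r}")
    cols = list(data)  # insertion order, which json.loads preserves
    sql = "INSERT INTO `{}` ({}) VALUES ({})".format(
        table,
        ", ".join(f"`{c}`" for c in cols),
        ", ".join(f"%({c})s" for c in cols),
    )
    return sql, data


def accepts(table: str, untrusted_json: str) -> bool:
    """True if the document would be bound, False if the guard rejects it."""
    try:
        build_insert(table, untrusted_json)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    sql, params = build_insert("users", '{"name": "Ann", "age": 41}')
    print(sql)     # INSERT INTO `users` (`name`, `age`) VALUES (%(name)s, %(age)s)
    print(params)  # {'name': 'Ann', 'age': 41}
    print(accepts("users", '{"name`) VALUES (1); -- ": "Ann"}'))  # False
```

The returned pair is what you hand to `cursor.execute(sql, params)`; with the allowlist in front of it, a dict parameter carries only developer-chosen keys, which is the condition under which the driver's escaping of values is sufficient.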
--- Begin Message ---
Source: python-pymysql
Source-Version: 0.9.3-2+deb11u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-pymysql, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated python-pymysql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 28 May 2024 08:56:57 +0200
Source: python-pymysql
Architecture: source
Version: 0.9.3-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1071628
Changes:
 python-pymysql (0.9.3-2+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2024-36039: PyMySQL through 1.1.0 allows SQL injection if used with
     untrusted JSON input because keys are not escaped by escape_dict. Applied
     upstream patch: forbid_dict_parameter.patch (Closes: #1071628).
Checksums-Sha1:
 357ba0df0ea70e74d0756d7a7138876b80f7f5d4 2324 python-pymysql_0.9.3-2+deb11u1.dsc
 26207ac507e7b9593816d9b060e52d7a9a9d2eec 86715 python-pymysql_0.9.3.orig.tar.gz
 39eca8afcd43dc3670c08dfe9073298933be4c30 6648 python-pymysql_0.9.3-2+deb11u1.debian.tar.xz
 3954f2d613ca33a11791dd0964be91318e845357 9750 python-pymysql_0.9.3-2+deb11u1_amd64.buildinfo
Checksums-Sha256:
 9daa9535965b2ea9dff2034a2feb571d657ec2eaa60bb68a289c479d1cadd569 2324 python-pymysql_0.9.3-2+deb11u1.dsc
 5a85599a69b51db185f9447ba5034501482496e481574bce972c7dcb5abe1d57 86715 python-pymysql_0.9.3.orig.tar.gz
 ca3565d650c580e509598b5e7dfb550c16c863e3c739d33b52757e6bf8bc483c 6648 python-pymysql_0.9.3-2+deb11u1.debian.tar.xz
 07195d35181d6fb4356782121c345e9b9156e1861777cfc17a68f9f9a64dffbc 9750 python-pymysql_0.9.3-2+deb11u1_amd64.buildinfo
Files:
 1b4617b1718a045ffcd17122130c6b67 2324 python optional python-pymysql_0.9.3-2+deb11u1.dsc
 7afad735628571b6fffd74086ce451b7 86715 python optional python-pymysql_0.9.3.orig.tar.gz
 65545c35069130e979b35320e91c9182 6648 python optional python-pymysql_0.9.3-2+deb11u1.debian.tar.xz
 e9763923b6b442a29b8de2ab7e6c7b04 9750 python optional python-pymysql_0.9.3-2+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmZWzvMACgkQ1BatFaxr
Q/4LdRAAkRb25uh0rg3P+SHY66zh1UtAI0FzFBW1K39JO44Usu/39rch8KWONR3z
izrPSDia2dgbrcs6EVlJO4kp/9RY1Ri0GDrx+Aeuu8GJDgFDEYTx0qwOmGBJMpXU
oQ8awoAHlKpm4maLNx9MonFDNIuZRvVS2iDAuDohxXrN+WPbGd8izRdTahmvFOIA
0sfa4uLwwrspV+xxte+3edr8nGRCu3UlC3m5mW+s0pRvltqZ7pAKBocqCNEua3hm
jRELrRgfINjzgdol24Dc78J9AE3xEBKrW0g5jW3HeHdV5yFpiGaegWQq2r+s2lx7
YayUk09WoFP63/hSmhlhSuVo3hlTy4qZO0SzKqPjNlKanCsL2l9lPwbjh8O+iLex
2tQzmUYwm5OiZ0nUJ4CpYSUYSjvZdKo6oTCvPx0Y8fSP60xmYWH2nL3w8RN271st
zEfPhHs8RIEpidDSHu1jWYfzVT0iaey71HxPJdFvZWZ3Xr/sYxYUVfCmWfkylVkE
UP3jd8pmJEaQeFiF+5u8aaRSFtJ6Hr1ElTx4WC/lOiXHOJGMXvqM3YrCb7+/DegL
ALIRPOpf+uE+//fUS6c1xXqJhA5vMc3p9c6SncCQHxCB8CDF3RTaG100Aybtpe9L
e6n4gjb4CechQIgQs39I5z9gjd3KXR1BnmHEpD1RccvkrQZVBR0=
=w+cC
-----END PGP SIGNATURE-----



--- End Message ---