Your message dated Thu, 30 Oct 2025 11:34:06 +0000
with message-id <[email protected]>
and subject line Bug#1118754: fixed in aiomysql 0.3.2-1
has caused the Debian Bug report #1118754,
regarding aiomysql: CVE-2025-62611
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: aiomysql
Version: 0.1.1-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/aio-libs/aiomysql/pull/1044
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for aiomysql.

I'm filing this as RC, even though it requires a rogue server to
connect to, to make sure the fix lands in forky. Not really sure it
warrants a DSA on its own.

CVE-2025-62611[0]:
| aiomysql is a library for accessing a MySQL database from the
| asyncio. Prior to version 0.3.0, the client-side settings are not
| checked before sending local files to MySQL server, which allows
| obtaining arbitrary files from the client using a rogue server. It
| is possible to create a rogue MySQL server that emulates
| authorization, ignores client flags and requests arbitrary files
| from the client by sending a LOAD_LOCAL instruction packet. This
| issue has been patched in version 0.3.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-62611
    https://www.cve.org/CVERecord?id=CVE-2025-62611
[1] https://github.com/aio-libs/aiomysql/security/advisories/GHSA-r397-ff8c-wv2g
[2] https://github.com/aio-libs/aiomysql/pull/1044
[3] https://github.com/aio-libs/aiomysql/commit/32c4520dae3711367ded74a4726dcb8bb8919538

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
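The client-side check the CVE text refers to, shown as an added illustration that is not aiomysql's own code: a server answers a query with a LOCAL INFILE request packet (protocol payload starting with byte 0xFB, followed by the filename), and the client must consult its own local_infile setting before reading anything. It assumes payloads already stripped of the 4-byte packet header and uses a constructed in-memory file table instead of the real filesystem.

```python
LOCAL_INFILE_HEADER = 0xFB  # MySQL protocol: server asks the client to send a local file


class LocalInfileDisabled(RuntimeError):
    """Raised when the server asks for a local file but the client did not enable it."""


def parse_local_infile_request(payload: bytes):
    """Return the requested filename if payload is a LOCAL INFILE request, else None."""
    if not payload or payload[0] != LOCAL_INFILE_HEADER:
        return None  # OK (0x00), ERR (0xFF) or result-set packet: not a file request
    return payload[1:].decode("utf-8", errors="replace")


def handle_query_response_vulnerable(payload: bytes, read_file):
    """Pre-fix behaviour: any 0xFB packet is obeyed, whatever the client configured."""
    name = parse_local_infile_request(payload)
    if name is None:
        return None
    return read_file(name)  # the server alone decides which client file is read


def handle_query_response_fixed(payload: bytes, read_file, local_infile: bool = False):
    """Fixed behaviour: refuse unless the application opted in with local_infile=True."""
    name = parse_local_infile_request(payload)
    if name is None:
        return None
    if not local_infile:
        raise LocalInfileDisabled(
            f"server requested local file {name!r} but local_infile is disabled"
        )
    return read_file(name)


# Constructed sample data: a fake client filesystem and a packet a rogue server might send.
CONSTRUCTED_FILES = {"client-secret.txt": b"constructed secret contents\n"}
CONSTRUCTED_REQUEST = bytes([LOCAL_INFILE_HEADER]) + b"client-secret.txt"


def fake_read_file(name: str) -> bytes:
    return CONSTRUCTED_FILES[name]


def demo() -> dict:
    """Run both handlers on the constructed packet and report what each would do."""
    leaked = handle_query_response_vulnerable(CONSTRUCTED_REQUEST, fake_read_file)
    try:
        handle_query_response_fixed(CONSTRUCTED_REQUEST, fake_read_file)
        blocked = False
    except LocalInfileDisabled:
        blocked = True
    return {"vulnerable_sent_bytes": len(leaked), "fixed_refused": blocked}
```

With local_infile=True the fixed handler behaves exactly like the old one, which is the intended opt-in for applications that really run LOAD DATA LOCAL.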
--- Begin Message ---
Source: aiomysql
Source-Version: 0.3.2-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
aiomysql, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated aiomysql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 30 Oct 2025 11:22:16 +0000
Source: aiomysql
Architecture: source
Version: 0.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1118754
Changes:
 aiomysql (0.3.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - Properly check whether loading of local files is enabled (closes:
       #1118754).



--- End Message ---
