I took the opportunity to upload the source package too
(sentry-python_1.9.10-2+deb12u1_source.changes); but do let me know if
I got something wrong.

On Mon, 25 May 2026 at 06:03, Christopher Obbard <[email protected]> wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: [email protected], [email protected]
> Control: affects -1 + src:sentry-python
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
> sentry-python is affected by CVE-2024-40647 (Bug#1083189).
>
> The subprocess integration incorrectly treats an explicitly empty environment
> (env={}) as if no environment had been provided. As a result, when Sentry
> injects tracing environment variables into a subprocess call, it can copy the
> parent process environment into the child process instead of preserving
> the explicitly empty environment.
>
> This issue is marked no-dsa in the security tracker so this update is intended
> for the next bookworm point release rather than security.debian.org.
>
> [ Impact ]
> Applications using sentry-python's subprocess integration may expose the
> parent process's environment variables to child processes when calling
> subprocess.Popen() (or related helpers with env={}). Depending on the
> application, that environment may contain sensitive values such as tokens
> or credentials.
>
> If this update is not approved, bookworm will remain affected by
> CVE-2024-40647.
>
> [ Tests ]
> The upstream regression test for this issue is included in the patch. It
> checks that a subprocess started with env={} does not include any variables
> from the parent process environment.
>
> The package was rebuilt successfully in a clean bookworm environment. The
> cherry-picked patch from upstream also includes a minimal test-suite for
> the new behaviour.
>
> [ Risks ]
> The added patch is both small and targeted. It changes the fallback condition
> from truthiness checking to an explicit None check:
>
>     dict(x or os.environ)
>
> becomes:
>
>     dict(x if x is not None else os.environ)
>
> This preserves the previous behaviour when no env argument is provided while
> correctly allowing explicitly empty environments.
>
> The regression risk is low. The changed code only affects subprocess
> environment handling in the Sentry stdlib integration.
>
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>   * Backport upstream patch for CVE-2024-40647: 
> https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
>     - Preserve explicitly empty subprocess environments.
>     - Only fall back to os.environ when the env argument is None.
>     - Include the upstream regression test.
>
> [ Other info ]
> CVE-2024-40647 is marked no-dsa in the Debian security tracker.
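As an added illustration, not code from the upstream patch or from the Debian package, the truthiness fallback quoted above is placed beside the explicit None check; the parent environment, the secret name and the injected trace variable are constructed stand-ins.

```python
import os
import subprocess
import sys
from typing import Mapping, Optional

# Constructed stand-in for the parent process environment (hypothetical names).
PARENT_ENV = {"PATH": "/usr/bin", "API_TOKEN": "constructed-secret"}
# Constructed stand-in for what the integration injects into every child.
TRACE_VARS = {"SENTRY_TRACE": "constructed-trace-id"}


def child_env_before(env: Optional[Mapping[str, str]], parent: Mapping[str, str] = PARENT_ENV) -> dict:
    """Pre-fix logic: {} is falsy, so `env or parent` silently inherits the parent env."""
    merged = dict(env or parent)
    merged.update(TRACE_VARS)
    return merged


def child_env_after(env: Optional[Mapping[str, str]], parent: Mapping[str, str] = PARENT_ENV) -> dict:
    """Fixed logic: only None means 'not provided'; env={} stays empty apart from the trace vars."""
    merged = dict(env if env is not None else parent)
    merged.update(TRACE_VARS)
    return merged


def leaked_keys(env: Optional[Mapping[str, str]], builder, parent: Mapping[str, str] = PARENT_ENV) -> list:
    """Parent variables that reach the child although the caller supplied its own env."""
    if env is None:
        return []  # caller asked to inherit the parent env; that is not a leak
    child = builder(env, parent)
    return sorted(k for k in child if k in parent and k not in env)


if __name__ == "__main__":
    # Spawn a real child with the fixed merge of env={} and show what it can see.
    child = subprocess.run(
        [sys.executable, "-c", "import os; print(sorted(os.environ))"],
        env=child_env_after({}),
        capture_output=True,
        text=True,
        check=True,
    )
    print("child sees:", child.stdout.strip())  # only the injected trace variable
    print("leak before fix:", leaked_keys({}, child_env_before))
    print("leak after fix: ", leaked_keys({}, child_env_after))
```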
