Your message dated Wed, 17 Sep 2025 14:55:04 +0000
with message-id <[email protected]>
and subject line Bug#1102010: fixed in ros-dynamic-reconfigure 1.7.6-1
has caused the Debian Bug report #1102010,
regarding ros-dynamic-reconfigure: CVE-2024-39780
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102010: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102010
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ros-dynamic-reconfigure
Version: 1.7.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ros/dynamic_reconfigure/pull/202
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.7.3-2
Hi,
The following vulnerability was published for ros-dynamic-reconfigure.
CVE-2024-39780[0]:
| A YAML deserialization vulnerability was found in the Robot
| Operating System (ROS) 'dynparam', a command-line tool for getting,
| setting, and deleting parameters of a dynamically configurable node,
| affecting ROS distributions Noetic and earlier. The issue is caused
| by the use of the yaml.load() function in the 'set' and 'get' verbs,
| and allows for the creation of arbitrary Python objects. Through
| this flaw, a local or remote user can craft and execute arbitrary
| Python code. This issue has now been fixed for ROS Noetic via commit
| 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-39780
https://www.cve.org/CVERecord?id=CVE-2024-39780
[1] https://github.com/ros/dynamic_reconfigure/pull/202
[2]
https://github.com/ros/dynamic_reconfigure/commit/9975cc8b55b3039115da6662cc7279cc65303844
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ros-dynamic-reconfigure
Source-Version: 1.7.6-1
Done: Timo Röhling <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ros-dynamic-reconfigure, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Röhling <[email protected]> (supplier of updated ros-dynamic-reconfigure
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 17 Sep 2025 15:17:51 +0200
Source: ros-dynamic-reconfigure
Architecture: source
Version: 1.7.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers
<[email protected]>
Changed-By: Timo Röhling <[email protected]>
Closes: 1102010
Changes:
ros-dynamic-reconfigure (1.7.6-1) unstable; urgency=medium
.
* Migrate debian/watch to version 5 format
* New upstream version 1.7.6
* Refresh patches (no functional changes)
* Wrap and sort Debian package files
* Bump Standards-Version to 4.7.2
* Fix CVE-2024-39780: Use safe loader for YAML input (Closes: #1102010)
Checksums-Sha1:
6076e3f6a289d9e87b749474d35154a89065741c 3026
ros-dynamic-reconfigure_1.7.6-1.dsc
4fda94ad892fbfde9bddcdde4602cedd173b32b2 41313
ros-dynamic-reconfigure_1.7.6.orig.tar.gz
7a53f3ecba5ad2cd705ffaffe4b59d02a7501810 6296
ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz
Checksums-Sha256:
c7fe17211a634c11c5d0f0fd242646c8ffd54e78bf35a3f5130bda0e267de6c0 3026
ros-dynamic-reconfigure_1.7.6-1.dsc
f0e0d5e2402e46fc2b60ca9490ef5a7cdea29278ad49f07769b12abd79278636 41313
ros-dynamic-reconfigure_1.7.6.orig.tar.gz
809ae8ba02c6fe16c24fbfa3a0fbe177ca7e34fdd570405582a25419f145b19c 6296
ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz
Files:
2ec636f8b64b38cff155144d33011def 3026 libs optional
ros-dynamic-reconfigure_1.7.6-1.dsc
5cb8c93458255411b3066c0e7f8a5816 41313 libs optional
ros-dynamic-reconfigure_1.7.6.orig.tar.gz
dc5233aa67697dca56461c311a6b1d5b 6296 libs optional
ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEmwPruYMA35fCsSO/zIxr3RQD9MoFAmjKuIcUHHJvZWhsaW5n
QGRlYmlhbi5vcmcACgkQzIxr3RQD9MrS5A//TyeLcwoGCYoX1sicBVpFba3O/Kv2
tZKNXCGrKr7rSSinyH4K0Bbju7tNclk1aPCe5ODqNQ6bCBj6rO/Z048JsG9jUfvD
bJWP6UBf9grIrtOC6oX4EGKCrjlOpn5LzOp9N2xvfEf6Wl1bMBbhesthB+VZbgIj
zL1GTpJsXFU4LdvvpvinqBQ8/C5kqADLmku2Tx1AbU02Vhb+xYYhYepa+UhNiM6/
9+TwthaIVd3GX07QDw93pTiuRDEHWlzgyWQI09pO/rAkHCj2UqBnH8xrP7htuEtw
erxh+KwRHTL5u7qTyovYnj59azD8/VvLbSi5iTxIHXBJGqZpigpiGSDQaoB5FkWV
2TbO2OIQQfUuhpW+TYWB16AYPkKOaRUEpDPMQzUXH0FYbosAzAm//iu1Nl8qtamS
bAho65m5PeRrt9L8nMfXEVnOXmZ5WkElzwUJZE35WoQus7QAc6yw3i3tk8CGaIbJ
l10xuypShiXtWyVOX1CKDptFmGl/hY7isdt/tZl7fSQhEXk/BzlcMJRTBkK++pmq
vmGdzpx0tPLUYPzvE/DxBPRYoT24xAdVv+fdyI3PKkVZTR7N/unTrvIeJoayGE01
xrl+m03P8VtSGm3/GKZBPDWoiE6WxQougCgd4hxeY6s+97222gOXVGY6KJ7yjghj
PZUI8T8MJPmJ8xI=
=Stp2
-----END PGP SIGNATURE-----
pgpmrpedUORUs.pgp
Description: PGP signature
--- End Message ---
--
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
