Your message dated Sun, 07 Jul 2013 15:05:11 +0000
with message-id <[email protected]>
and subject line Bug#605183: fixed in sqlobject 0.12.4-3
has caused the Debian Bug report #605183,
regarding python-sqlobject: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
605183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-sqlobject
Version: 0.12.4-2
Severity: important
Tags: security
User: [email protected]
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to ship vulnerable examples or contains
insecure advice: you can find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact [email protected] in case of
help.
--- End Message ---
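The following shell script is an added illustration of the two patterns discussed in the report above; it is not part of the bug report or of the sqlobject package. The function names (`insecure_prepend`, `safe_prepend`, `has_empty_entry`, `show_syspath_head`) are hypothetical helpers written for this example. It shows why `DIR:$PYTHONPATH` leaves a trailing empty entry when PYTHONPATH is unset, how `${PYTHONPATH:+:$PYTHONPATH}` avoids it, and a small check that a packager could run over a generated PYTHONPATH value to catch empty entries (leading, trailing or doubled colons), which Python interprets as the current working directory.

```shell
#!/bin/sh
# Added example (not from the bug report or the sqlobject package): compare the
# insecure and the corrected way of prepending a directory to PYTHONPATH.

# Insecure pattern from the report: "$1:$2" always appends ':' plus the old
# value, so an unset or empty PYTHONPATH leaves a trailing ':' and therefore an
# empty entry, which Python resolves to the current working directory.
# $1 = directory to prepend, $2 = existing PYTHONPATH value (may be empty)
insecure_prepend() {
    printf '%s\n' "$1:$2"
}

# Corrected pattern from the report: ${2:+:$2} ("Use Alternative Value")
# expands to ':<old value>' only when the old value is non-empty, and to
# nothing otherwise, so no empty entry is ever produced.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 if a non-empty PYTHONPATH value contains an empty entry:
# a leading ':', a trailing ':' or a doubled '::'. An entirely empty value is
# reported as clean here, since that is the same as leaving PYTHONPATH unset.
has_empty_entry() {
    case "$1" in
        '')           return 1 ;;
        :*|*:|*::*)   return 0 ;;
        *)            return 1 ;;
    esac
}

# Optional demonstration: show the head of sys.path that Python actually builds
# for a given PYTHONPATH value (only runs if an interpreter is installed).
show_syspath_head() {
    py=$(command -v python3 || command -v python) || return 0
    PYTHONPATH="$1" "$py" -c 'import sys; print(sys.path[:3])'
}

# Walk through the report's scenario with PYTHONPATH unset (constructed input).
old_value=""
bad=$(insecure_prepend /spam/eggs "$old_value")
good=$(safe_prepend /spam/eggs "$old_value")

printf 'insecure: %s\n' "$bad"
if has_empty_entry "$bad"; then
    printf '  -> contains an empty entry (current directory would be searched)\n'
fi
show_syspath_head "$bad"

printf 'corrected: %s\n' "$good"
if has_empty_entry "$good"; then
    printf '  -> contains an empty entry\n'
else
    printf '  -> clean\n'
fi
show_syspath_head "$good"
```

With PYTHONPATH unset the insecure form yields `/spam/eggs:` and the corrected form `/spam/eggs`; with PYTHONPATH already set to, say, `/opt/lib`, both forms yield `/spam/eggs:/opt/lib`, which is why the bug only shows up in the unset or empty case. The `has_empty_entry` check is the kind of test a packager can apply to any PYTHONPATH a wrapper script constructs before it calls `exec python`.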
--- Begin Message ---
Source: sqlobject
Source-Version: 0.12.4-3
We believe that the bug you reported is fixed in the latest version of
sqlobject, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Neil Muller <[email protected]> (supplier of updated sqlobject package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 07 Jul 2013 15:59:05 +0200
Source: sqlobject
Binary: python-sqlobject
Architecture: source all
Version: 0.12.4-3
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Neil Muller <[email protected]>
Description:
python-sqlobject - object relational manager providing an object interface to your d
Closes: 605183 633843 695233
Changes:
sqlobject (0.12.4-3) unstable; urgency=low
.
* Acknowledge NMUs (Closes: #695233, #633843)
* Use canonical URIs for Vcs-* fields (fix by Jakub Wilk)
* Apply patch from upstream for insecure use of PYTHONPATH (Closes: #605183)
* Add myself to the Uploaders
* debian/copyright
- Replaced (C) with © in the copyright mention (Fix by Carl Chenet)
* debian/watch
- Changed the regex to skip beta version in the remote repository
(Fix by Carl Chenet)
- Use https url for cheeseshop (fix from Stefano Rivera)
* Update Build-Depends
- Remove obsolete quilt dependency (unneeded with source 3.0)
- Update debhelper dependency
* Bump standards version to 3.9.4 (no further changes needed)
Checksums-Sha1:
5c81360f2b223f7b4580c9afc0448e935f9a278f 2059 sqlobject_0.12.4-3.dsc
d6a8c52b93c38ae972398dcadfb01430e67666a3 8403 sqlobject_0.12.4-3.debian.tar.gz
b500ba838e84e4f5166b3c3f194516250d9e87d1 199972 python-sqlobject_0.12.4-3_all.deb
Checksums-Sha256:
e8289ef443eba77db0df24b7ccdad4059baf6d1869890c43af691861a0afceb3 2059 sqlobject_0.12.4-3.dsc
c7c0c6d79cdec68cb2c9a63d7aad3ffdcae34540fc2783167a43527c8c1d74a1 8403 sqlobject_0.12.4-3.debian.tar.gz
a11e04793ea21e4efe0931ebd7697cd9b4a64ef9a8288dba2a737adcdbe45872 199972 python-sqlobject_0.12.4-3_all.deb
Files:
28e129e16e80ec19d2f5990289cf51e2 2059 python optional sqlobject_0.12.4-3.dsc
5f5b17285df06b28896e50701a6821ee 8403 python optional sqlobject_0.12.4-3.debian.tar.gz
ff17791e699ae8d950bc60b72695a903 199972 python optional python-sqlobject_0.12.4-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team