Your message dated Sun, 09 Oct 2022 09:20:31 +0000
with message-id <e1ohsu3-004x9k...@fasolo.debian.org>
and subject line Bug#1020820: fixed in joblib 1.2.0-1
has caused the Debian Bug report #1020820,
regarding joblib: CVE-2022-21797
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1020820: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020820
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: joblib
Version: 1.1.0-2
Severity: grave
Tags: security
Justification: user security hole
Forwarded: https://github.com/joblib/joblib/issues/1128
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for joblib.

CVE-2022-21797[0]:
| The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary
| Code Execution via the pre_dispatch flag in Parallel() class due to
| the eval() statement.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-21797
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21797
[1] https://github.com/joblib/joblib/issues/1128
[2] https://github.com/joblib/joblib/commit/b90f10efeb670a2cc877fb88ebb3f2019189e059

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
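The CVE text in the report above says the pre_dispatch string reaches an eval() call in Parallel(). The following is an added example, written for this page and not code from joblib or from the bug report, that puts the eval() pattern next to a hardened replacement: the expression is parsed with the ast module and only integer literals, the name n_jobs and a fixed allow-list of arithmetic operators are accepted, so anything else (calls, attribute access, exponentiation, floats, negative results) is refused with ValueError. The operator allow-list, the "all" pass-through and the non-negative check are this example's own assumptions about what a pre_dispatch expression needs; they are not a description of the upstream fix.

```python
import ast
import operator

# Allow-list of arithmetic this example accepts in a pre_dispatch expression.
# Exponentiation is deliberately left out: "2 ** 10**9" would be a cheap
# denial of service even though it contains no names or calls.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def unsafe_pre_dispatch(expr, n_jobs):
    """The pattern CVE-2022-21797 describes: the string is handed to eval(),
    so whatever a caller can place in pre_dispatch runs as Python code."""
    return eval(expr, {"n_jobs": n_jobs})


def _eval_node(node, names):
    """Walk the parsed expression and refuse every node type not on the list."""
    if (isinstance(node, ast.Constant) and isinstance(node.value, int)
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name) and node.id in names:
        return names[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, names)
        right = _eval_node(node.right, names)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, names))
    raise ValueError("unsupported element in pre_dispatch expression: "
                     + ast.dump(node))


def safe_pre_dispatch(expr, n_jobs):
    """Evaluate a pre_dispatch value such as 3, "all" or "2*n_jobs" without eval().

    Integers and the literal "all" are passed through unchanged (assumption of
    this example); any other string must be integer arithmetic over n_jobs.
    """
    if isinstance(expr, int) and not isinstance(expr, bool):
        return expr
    if expr == "all":
        return "all"
    if not isinstance(expr, str):
        raise ValueError("pre_dispatch must be an int or a string")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise ValueError("invalid pre_dispatch expression %r" % (expr,)) from exc
    value = _eval_node(tree.body, {"n_jobs": n_jobs})
    if value < 0:
        raise ValueError("pre_dispatch must not be negative: %r" % (expr,))
    return value


def rejects(expr, n_jobs):
    """True if the hardened evaluator refuses the expression (used for checks)."""
    try:
        safe_pre_dispatch(expr, n_jobs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the ordinary cases work the same through both paths ...
    for e in ("2*n_jobs", "n_jobs + 1", "3 * n_jobs // 2"):
        print(e, "->", unsafe_pre_dispatch(e, 4), safe_pre_dispatch(e, 4))
    # ... while a call, attribute access or exponentiation only gets through eval().
    for e in ("abs(n_jobs)", "n_jobs.__class__", "2 ** 64", "1.5*n_jobs"):
        print(e, "rejected by safe_pre_dispatch:", rejects(e, 4))
```

The point of the allow-list shape is that the evaluator never has to enumerate what is dangerous: a node type that is not explicitly handled falls through to the ValueError, so new syntax in a future Python release is refused by default rather than silently accepted.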
--- Begin Message ---
Source: joblib
Source-Version: 1.2.0-1
Done: Chiara Marmo <marmochia...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
joblib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1020...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chiara Marmo <marmochia...@gmail.com> (supplier of updated joblib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Oct 2022 14:09:39 +0530
Source: joblib
Architecture: source
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Maintainers <debian-science-maintain...@lists.alioth.debian.org>
Changed-By: Chiara Marmo <marmochia...@gmail.com>
Closes: 1020820
Changes:
 joblib (1.2.0-1) unstable; urgency=medium
 .
   * Team upload.
   * Update upstream version (Closes: #1020820)
   * Refresh patches
Checksums-Sha1:
 ef953f965382f8061afa8e804224658fdff5ca23 2269 joblib_1.2.0-1.dsc
 268888a23da574bf0cd83c5907e8d7ab7f0bdedd 345345 joblib_1.2.0.orig.tar.gz
 d45a8e4b405dcf38c4f245f63f0ece663a7671cb 7440 joblib_1.2.0-1.debian.tar.xz
 e79615f5d51b994b8b66e3f6e6de2b28e65803d8 6874 joblib_1.2.0-1_amd64.buildinfo
Checksums-Sha256:
 c27bfeaf649cf63c04a8b761775ddf7e0efa02d3c9f11077414e25f7ca9e86a7 2269 joblib_1.2.0-1.dsc
 574eca5aaeb0a06c4fe0a8e8e67b24715218fb0f9d0fdc9d4f30519100885e53 345345 joblib_1.2.0.orig.tar.gz
 f79ce95599689217175eb4cd3aeea1e47a67ab55fa93f86159068f5294502061 7440 joblib_1.2.0-1.debian.tar.xz
 d820b91ab39faabdad51ab81fce2b5444663d4027d4f799bf50bf814c48e48d2 6874 joblib_1.2.0-1_amd64.buildinfo
Files:
 f6cecb252f7331bb737ae9a70053eed5 2269 python optional joblib_1.2.0-1.dsc
 d51f8e86fe75ed94b88be83604c3f43d 345345 python optional joblib_1.2.0.orig.tar.gz
 d459e8a4f6f652cf5c4348dec0ffb0bb 7440 python optional joblib_1.2.0-1.debian.tar.xz
 cc802c7f73b7dac56077f17022eb5e56 6874 python optional joblib_1.2.0-1_amd64.buildinfo


--- End Message ---
