Your message dated Sat, 09 Jan 2021 04:18:57 +0000
with message-id <e1ky5il-00098g...@fasolo.debian.org>
and subject line Bug#969276: fixed in python-uvicorn 0.13.3-1
has caused the Debian Bug report #969276,
regarding python-uvicorn: CVE-2020-7694
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
969276: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969276
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-uvicorn
Version: 0.11.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/encode/uvicorn/issues/723
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.11.3-1

Hi,

The following vulnerability was published for python-uvicorn.

CVE-2020-7694[0]:
| This affects all versions of package uvicorn. The request logger
| provided by the package is vulnerable to ANSI escape sequence
| injection. Whenever any HTTP request is received, the default
| behaviour of uvicorn is to log its details to either the console or a
| log file. When attackers request crafted URLs with percent-encoded
| escape sequences, the logging component will log the URL after it's
| been processed with urllib.parse.unquote, therefore converting any
| percent-encoded characters into their single-character equivalent,
| which can have special meaning in terminal emulators. By requesting
| URLs with crafted paths, attackers can:
| * Pollute uvicorn's access logs, therefore jeopardising the integrity
|   of such files.
| * Use ANSI sequence codes to attempt to interact with the terminal
|   emulator that's displaying the logs (either in real time or from a
|   file).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7694
[1] https://snyk.io/vuln/SNYK-PYTHON-UVICORN-575560
[2] https://github.com/encode/uvicorn/issues/723

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
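The mechanism the CVE text above describes, as an added example that is not part of the bug report, of uvicorn's logger, or of the upstream fix: a simplified access logger that writes the percent-decoded request target verbatim (so `%1b` reaches the log as a real ESC byte and `%0d%0a` forges a new log line), beside a hardened variant that escapes control characters after decoding, plus a small audit helper for checking existing log files. The function names, the control-character pattern and the sample requests are this example's own assumptions.

```python
"""Model of the CVE-2020-7694 mechanism: an access logger that writes the
percent-decoded request target verbatim, beside a hardened variant.

Added example for this bug report; it is NOT uvicorn's logger or its
upstream fix. The logger functions, the control-character pattern and
the sample requests are constructed for illustration."""
import re
from urllib.parse import unquote

# Characters a terminal emulator (or a log viewer) may interpret rather
# than print: C0 controls 0x00-0x1f (ESC 0x1b opens CSI/OSC sequences,
# CR/LF forge new log lines), DEL 0x7f and C1 controls 0x80-0x9f
# (0x9b is the single-byte CSI). unquote() decodes %XX as UTF-8, so a
# C1 control only appears via its two-byte form such as %c2%9b.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def vulnerable_access_line(client, method, raw_target, status):
    """Log line built the way the report describes: the decoded target
    goes into the line unchanged, so %1b becomes a real ESC byte."""
    return f'{client} - "{method} {unquote(raw_target)}" {status}'


def escape_controls(text):
    """Replace every control character with its \\xNN spelling so the
    log stays one printable line and no escape sequence is emitted."""
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def hardened_access_line(client, method, raw_target, status):
    """Same line, but control characters are neutralised before logging.
    Decoding first and escaping afterwards matters: escaping the raw
    percent-encoded target would leave %1b to be decoded later."""
    return f'{client} - "{method} {escape_controls(unquote(raw_target))}" {status}'


def has_terminal_control(line):
    """Audit helper for existing log files: True if the line carries a
    byte a terminal could act on, i.e. a log that may have been polluted."""
    return _CONTROL_RE.search(line) is not None


# Constructed sample requests (not real traffic):
#  - ESC[2J ESC[H clears the operator's screen and moves the cursor home
#  - CR LF followed by a fake entry forges an extra access-log line
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET", "/%1b[2J%1b[H", 404),
    ("203.0.113.7", "GET", '/index.html%0d%0a198.51.100.1 - "GET /admin" 200', 200),
]


def demo():
    """Return (vulnerable, hardened) log lines for the sample requests."""
    vulnerable = [vulnerable_access_line(*r) for r in SAMPLE_REQUESTS]
    hardened = [hardened_access_line(*r) for r in SAMPLE_REQUESTS]
    return vulnerable, hardened


if __name__ == "__main__":
    vulnerable, hardened = demo()
    # repr() so the escape bytes are shown instead of being executed by
    # the terminal running this script.
    for line in vulnerable:
        print("vulnerable:", repr(line), "| control bytes:", has_terminal_control(line))
    for line in hardened:
        print("hardened:  ", line, "| control bytes:", has_terminal_control(line))
```

Running the script prints the vulnerable lines through `repr()` on purpose; printing them raw would clear the screen of whoever runs it, which is exactly the effect the report warns about. The same `has_terminal_control` check can be run over an existing access log to find entries that already carry ESC, CR or LF bytes.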
--- Begin Message ---
Source: python-uvicorn
Source-Version: 0.13.3-1
Done: Sandro Tosi <mo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-uvicorn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <mo...@debian.org> (supplier of updated python-uvicorn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Jan 2021 23:00:04 -0500
Source: python-uvicorn
Architecture: source
Version: 0.13.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Sandro Tosi <mo...@debian.org>
Closes: 969275 969276
Changes:
 python-uvicorn (0.13.3-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Update Maintainer field with new Debian Python Team
     contact address.
   * d/control: Update Vcs-* fields with new Debian Python Team Salsa
     layout.
 .
   [ Sandro Tosi ]
   * New upstream release
     - Closes: #969275 CVE-2020-7695
     - Closes: #969276 CVE-2020-7694
   * debian/control
     - run wrap-and-sort
     - add httpx, pytest-mock, trustme to b-d, needed for tests
     - bump Standards-Version to 4.5.1 (no changes needed)
Checksums-Sha1:
 ebfffe1323ccaa7bf32e3b422edfc514ba717c6e 2468 python-uvicorn_0.13.3-1.dsc
 b3ff2458e7ba2fcb4eac0b38ba9f4e568c180840 495096 python-uvicorn_0.13.3.orig.tar.xz
 2320db0df048272af97c5acaa8ac96227584686e 7420 python-uvicorn_0.13.3-1.debian.tar.xz
 ff3499d217ce24817fc8cb67d191f072ff51f105 8519 python-uvicorn_0.13.3-1_source.buildinfo
Checksums-Sha256:
 2b4a0d914b9599dc236ed28f342588accc511ec112d1bf1a8d5da8ef92fa7bfd 2468 python-uvicorn_0.13.3-1.dsc
 ffe16af85ccab64387830953972ea91aa8b2647130d201e91305cb52e8516a87 495096 python-uvicorn_0.13.3.orig.tar.xz
 efa714dde12db5f1e7aeff37184130de6e58873ee01be9ca038d066d18581147 7420 python-uvicorn_0.13.3-1.debian.tar.xz
 c36e46bdb3f1254f555ddf03fa3285b48e851f8a1b08c5dbe8e9dc20e5b4d9a9 8519 python-uvicorn_0.13.3-1_source.buildinfo
Files:
 db891cbd806a54fdc2e74b5ecd154aff 2468 python optional python-uvicorn_0.13.3-1.dsc
 5ece58af87b38d46040c14ea07859eb7 495096 python optional python-uvicorn_0.13.3.orig.tar.xz
 9021abc4d659376b54ddd535595a8380 7420 python optional python-uvicorn_0.13.3-1.debian.tar.xz
 5f57743d4a1996f8ef7cf33fba17e840 8519 python optional python-uvicorn_0.13.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---