Your message dated Mon, 07 Jun 2021 09:33:41 +0000
with message-id <e1lqbdd-000j0v...@fasolo.debian.org>
and subject line Bug#985574: fixed in pygments 2.7.1+dfsg-2.1
has caused the Debian Bug report #985574,
regarding pygments: CVE-2021-27291
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
985574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pygments
Version: 2.7.1+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pygments.

CVE-2021-27291[0]:
| In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming
| languages rely heavily on regular expressions. Some of the regular
| expressions have exponential or cubic worst-case complexity and are
| vulnerable to ReDoS. By crafting malicious input, an attacker can
| cause a denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27291
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27291
[1] https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: pygments
Source-Version: 2.7.1+dfsg-2.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pygments package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 05 Jun 2021 11:00:18 +0200
Source: pygments
Architecture: source
Version: 2.7.1+dfsg-2.1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 985574
Changes:
 pygments (2.7.1+dfsg-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix several exponential/cubic complexity regexes (CVE-2021-27291)
     (Closes: #985574)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
