Your message dated Fri, 21 May 2021 20:21:01 +0000
with message-id <e1lkbdl-000djp...@fasolo.debian.org>
and subject line Bug#988480: fixed in pydantic 1.7.4-1
has caused the Debian Bug report #988480,
regarding pydantic: CVE-2021-29510
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
988480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pydantic
Version: 1.7.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pydantic.

Note, strictly speaking the severity is chosen slightly inappropriately
for the type of security issue. Making it RC given pydantic is only in
testing and unstable, and a fix should go into bullseye before the
bullseye release.

CVE-2021-29510[0]:
| Pydantic is a data validation and settings management using Python
| type hinting. In affected versions passing either `'infinity'`,
| `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date`
| fields causes validation to run forever with 100% CPU usage (on one
| CPU). Pydantic has been patched with fixes available in the following
| versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on
| pypi(https://pypi.org/project/pydantic/#history), and will be
| available on conda-forge(https://anaconda.org/conda-forge/pydantic)
| soon. See the changelog(https://pydantic-docs.helpmanual.io/) for
| details. If you absolutely can't upgrade, you can work around this
| risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/)
| to catch these values. This is not an ideal solution (in particular
| you'll need a slightly different function for datetimes), instead of a
| hack like this you should upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and
| are unable to upgrade to a fixed version of pydantic, please create an
| issue at https://github.com/samuelcolvin/pydantic/issues requesting a
| back-port, and we will endeavour to release a patch for earlier
| versions of pydantic.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29510
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29510
[1] https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
[2] https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468

Regards,
Salvatore

--- End Message ---
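The validator workaround that the quoted advisory describes, written out as an added example (not code from the bug report, from Debian, or from pydantic itself). It goes a little beyond the advisory's wording: besides the strings `'inf'`/`'infinity'` and `float('inf')` it also refuses NaN and numeric strings such as `'1e400'` that overflow to infinity, since those reach the same parser path. The helper names and the field name `when` used in the usage note are assumptions.

```python
import math
from datetime import date
from typing import Any, Optional


def _as_float(value: Any) -> Optional[float]:
    """Return the numeric value of `value` if it has one, else None.

    Strings are parsed the way float() does, so 'inf', 'Infinity', '-inf'
    and overflowing literals such as '1e400' all map to an infinite float.
    Dates, datetimes, bools and other objects yield None and pass through.
    """
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        try:
            return float(value)
        except OverflowError:  # int too large for a float: treat as infinite
            return math.inf
    if isinstance(value, str):
        try:
            return float(value.strip())
        except ValueError:  # not numeric, e.g. '2021-05-21'
            return None
    return None


def reject_non_finite(value: Any) -> Any:
    """Pre-validator for date/datetime fields (CVE-2021-29510 workaround).

    Returns the raw input unchanged when it is acceptable and raises
    ValueError for infinite or NaN numbers, so an unpatched pydantic never
    reaches its unix-seconds parser with a value it cannot finish
    converting.  Hypothetical helper; not pydantic's own code.
    """
    number = _as_float(value)
    if number is not None and not math.isfinite(number):
        raise ValueError("non-finite numbers are not valid dates")
    return value


def check_inputs(values):
    """Split raw inputs into (accepted, rejected) lists using the guard."""
    accepted, rejected = [], []
    for v in values:
        try:
            accepted.append(reject_non_finite(v))
        except ValueError:
            rejected.append(v)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs: ordinary dates plus the CVE trigger values.
    samples = ["2021-05-21", date(2021, 5, 21), 1621628400,
               "inf", "Infinity", "-inf", float("inf"), "1e400"]
    ok, bad = check_inputs(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

In a pydantic v1 model the guard is attached as a pre-validator so it runs before pydantic's own date parsing, e.g. `_guard = validator("when", pre=True, allow_reuse=True)(reject_non_finite)` inside a model that declares `when: date` (field name assumed). Because it inspects the raw input rather than the parsed result, the same function serves both `date` and `datetime` fields; upgrading to a fixed version remains the real fix.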
--- Begin Message ---
Source: pydantic
Source-Version: 1.7.4-1
Done: Stefano Rivera <stefa...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pydantic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefa...@debian.org> (supplier of updated pydantic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 21 May 2021 16:05:17 -0400
Source: pydantic
Architecture: source
Version: 1.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Banck <mba...@debian.org>
Changed-By: Stefano Rivera <stefa...@debian.org>
Closes: 988480
Changes:
 pydantic (1.7.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream point release.
     - Fixes CVE-2021-29510: Date and datetime parsing could cause an infinite
       loop by passing either 'infinity' or float('inf') (Closes: #988480)
   * Update watch file to version 4 with current uscan(1) recommended regex.
Checksums-Sha1:
 69202697049601ced5f46f424081e1e13ceb7861 1482 pydantic_1.7.4-1.dsc
 3389b69caa9d7d7568a77c8969746dd82bd1f957 267198 pydantic_1.7.4.orig.tar.gz
 cd933972cf0c8957e09dbc6b935fc95f8c74770d 2980 pydantic_1.7.4-1.debian.tar.xz
 ae026e87242dc2daa2f62345f132bf2b8eccafba 6211 pydantic_1.7.4-1_source.buildinfo
Checksums-Sha256:
 2f3cabe8157c5c304ef26dc66ae1150a8b4bb368c3c718625d3ac76c32cf0534 1482 pydantic_1.7.4-1.dsc
 b0d2081726dbe6697465f2e1ebba51da3b1415008936ad003cf63fa2c48253f6 267198 pydantic_1.7.4.orig.tar.gz
 7dc53241d7401fd9c436467fdf4013b7f2c406a9eda571e02d2dff55e327fd5a 2980 pydantic_1.7.4-1.debian.tar.xz
 abc58cdc0ad77a0b4aee19b15f3db4dcd95d7d8dcddc262404f0d14e02309235 6211 pydantic_1.7.4-1_source.buildinfo
Files:
 1885d2409e3ecb7201a555f6da349286 1482 python optional pydantic_1.7.4-1.dsc
 9e15c372e343528d15ded9d2d99efdd5 267198 python optional pydantic_1.7.4.orig.tar.gz
 06e5d7a79f7ef9133298413b83e2ce0a 2980 python optional pydantic_1.7.4-1.debian.tar.xz
 81b10dfa62a2afc0d98d26bd574313dd 6211 python optional pydantic_1.7.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTumtb5BSD6EfafSCRHew2wJjpU2AUCYKgS5QAKCRBHew2wJjpU
2BJOAQC3oIrv3CF1yTTPTP4zfwC4sgohNoRJLvvb5qiJ1yoKPAD9E0sdFNJA77vB
I9EGFIdnigwMgisd/h798CfhGcbxGQc=
=iAzg
-----END PGP SIGNATURE-----

--- End Message ---