Your message dated Sat, 07 Jan 2023 18:40:07 +0000
with message-id <[email protected]>
and subject line Bug#1027163: fixed in python-git 3.1.30-1
has caused the Debian Bug report #1027163,
regarding python-git: CVE-2022-24439
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1027163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027163
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-git
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-git.
CVE-2022-24439[0]:
| All versions of package gitpython are vulnerable to Remote Code
| Execution (RCE) due to improper user input validation, which makes it
| possible to inject a maliciously crafted remote URL into the clone
| command. Exploiting this vulnerability is possible because the library
| makes external calls to git without sufficient sanitization of input
| arguments.
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
https://github.com/gitpython-developers/GitPython/issues/1515
https://github.com/gitpython-developers/GitPython/pull/1521
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24439
https://www.cve.org/CVERecord?id=CVE-2022-24439
Please adjust the affected versions in the BTS as needed.
--- End Message ---
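The report above describes the vulnerability class only in general terms: a remote URL reaches the `git clone` command line without validation. The following is an added example, not code from the bug report, from the python-git package, or from GitPython itself; it shows the defensive side, an allowlist validator that an application can apply to a user-supplied clone URL before it ever reaches `Repo.clone_from`. The names `validate_clone_url`, `is_safe_clone_url`, `clone_if_safe`, `ALLOWED_SCHEMES` and the sample URLs are all constructed for this example.

```python
"""Allowlist validation of a clone URL before it is handed to GitPython.

Added example (hypothetical code, not part of the python-git package or of
GitPython). Assumptions: the application only ever clones over https, ssh or
git://, and the caller wants anything else rejected rather than passed on.
"""
from urllib.parse import urlsplit

# Policy choice for this example: transports the application expects.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


class UnsafeCloneURL(ValueError):
    """Raised when a candidate remote URL fails the allowlist."""


def validate_clone_url(url: str) -> str:
    """Return `url` unchanged if it is an absolute URL over an allowed scheme.

    The checks are deliberately conservative: the defect described in the
    report is that a crafted URL reaches git unsanitised, so the defence is to
    accept only the shape of URL the application expects and reject the rest
    (strings that could be read as a git option, unknown transports, URLs with
    no host, control characters).
    """
    if not isinstance(url, str) or not url.strip():
        raise UnsafeCloneURL("empty or non-string URL")
    if url.lstrip().startswith("-"):
        # A value beginning with '-' risks being parsed as a command-line option.
        raise UnsafeCloneURL("URL must not begin with '-'")
    if any(c in url for c in "\x00\r\n"):
        raise UnsafeCloneURL("control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeCloneURL(f"scheme {parts.scheme!r} is not in the allowlist")
    if not parts.netloc:
        raise UnsafeCloneURL("URL has no host component")
    return url


def is_safe_clone_url(url: str) -> bool:
    """Boolean wrapper around validate_clone_url for callers that just branch."""
    try:
        validate_clone_url(url)
        return True
    except UnsafeCloneURL:
        return False


def clone_if_safe(url: str, dest: str):
    """Validate first, then clone with GitPython.

    The import is deferred so the validator can be exercised without GitPython
    installed. Upgrading to a fixed upstream version (3.1.30 per the changelog
    on this page) is still required; this check is an additional layer.
    """
    safe_url = validate_clone_url(url)
    from git import Repo  # GitPython (hypothetical call site for this example)
    return Repo.clone_from(safe_url, dest)


# Constructed sample inputs for a stand-alone run.
SAMPLE_URLS = [
    "https://example.com/org/repo.git",      # accepted
    "ssh://git@example.com/org/repo.git",    # accepted
    "--looks-like-an-option",                # rejected: leading '-'
    "ftp://example.com/repo.git",            # rejected: scheme not allowed
    "git@example.com:org/repo.git",          # rejected: scp-like form has no scheme
    "https:///no-host.git",                  # rejected: empty host
]

if __name__ == "__main__":
    for candidate in SAMPLE_URLS:
        verdict = "ok     " if is_safe_clone_url(candidate) else "reject "
        print(verdict, repr(candidate))
```

The scp-like `user@host:path` form is rejected by this policy because `urlsplit` yields no scheme for it; if an application needs it, add an explicit pattern for that form rather than loosening the scheme check. Note that the validator covers only the URL argument: GitPython also forwards keyword arguments to git as command-line options, so those must come from application code, never from user input.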
--- Begin Message ---
Source: python-git
Source-Version: 3.1.30-1
Done: Jochen Sprickerhof <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-git, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jochen Sprickerhof <[email protected]> (supplier of updated python-git
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Jan 2023 15:36:58 +0100
Source: python-git
Architecture: source
Version: 3.1.30-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Jochen Sprickerhof <[email protected]>
Closes: 1018503 1027163
Changes:
python-git (3.1.30-1) unstable; urgency=medium
.
[ Debian Janitor ]
* Team upload.
* Update standards version to 4.6.1, no changes needed.
.
[ Jochen Sprickerhof ]
* Switch d/watch to Github
* New upstream version 3.1.30 (Closes: #1027163)
- CVE-2022-24439: Remote Code Execution
* Minimize d/rules
* Update (build) dependencies (Closes: #1018503)
* Add autopkgtest
* Drop salsa-ci.yml
* Bump policy version (no changes)
* Move package description to source package
* Add R³
Checksums-Sha1:
47be56d2419f5b9b88c56c04c6bc142f86ec188c 2742 python-git_3.1.30-1.dsc
182e33029e675dc700d90006c6508e31a2579b10 477652 python-git_3.1.30.orig.tar.gz
f43bd6d90ebf49287b367c73fed35cc9f2448abf 6864 python-git_3.1.30-1.debian.tar.xz
c56e518f0076cb997d310fd4e7f609f976b071a7 7471 python-git_3.1.30-1_source.buildinfo
Checksums-Sha256:
902263de7b2dae1a27293582ee79c46d0157f20ad80fbd1947a58ab42835820b 2742 python-git_3.1.30-1.dsc
faa4b66b0b75f172358fbb75243c9d2a70b26623232eef365739fc96e9ecffc8 477652 python-git_3.1.30.orig.tar.gz
bb5c80a375b1ebac16a400565e458696c5c2acc9e3eb159b7fb00b3b45380b19 6864 python-git_3.1.30-1.debian.tar.xz
537fe7ae5c9430fabae5ed3c41c3dba2845df6886ea8bf6da8aeae3f39690df2 7471 python-git_3.1.30-1_source.buildinfo
Files:
cf803b9b3173100a59151b4b3c7dc49a 2742 python optional python-git_3.1.30-1.dsc
50bee4876f7e4ac3a67111c0aa602d0d 477652 python optional python-git_3.1.30.orig.tar.gz
ff7e9a14718b141d0c39e03c7bdc1d66 6864 python optional python-git_3.1.30-1.debian.tar.xz
2bbcbcaa974dceba4e20c75ea679720f 7471 python optional python-git_3.1.30-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=gpgj
-----END PGP SIGNATURE-----
--- End Message ---