Your message dated Fri, 07 Apr 2023 10:02:08 +0000
with message-id <e1pkiv2-009dio...@fasolo.debian.org>
and subject line Bug#1033295: fixed in cairosvg 2.5.0-1.1+deb11u1
has caused the Debian Bug report #1033295,
regarding cairosvg: CVE-2023-27586: SSRF & DOS vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033295: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033295
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cairosvg
Version: 2.5.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for cairosvg.
CVE-2023-27586[0]:
| CairoSVG is an SVG converter based on Cairo, a 2D graphics library.
| Prior to version 2.7.0, Cairo can send requests to external hosts when
| processing SVG files. A malicious actor could send a specially crafted
| SVG file that allows them to perform a server-side request forgery or
| denial of service. Version 2.7.0 disables CairoSVG's ability to access
| other files online by default.
I am planning to look into the current bullseye version for a security
upload, and can have a look as well at doing an NMU reaching bookworm.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-27586
https://www.cve.org/CVERecord?id=CVE-2023-27586
[1] https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
[2] https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cairosvg
Source-Version: 2.5.0-1.1+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cairosvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated cairosvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Mar 2023 20:51:51 +0100
Source: cairosvg
Architecture: source
Version: 2.5.0-1.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1033295
Changes:
cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Don't allow fetching external files unless explicitly asked for
(CVE-2023-27586) (Closes: #1033295)
Checksums-Sha1:
6dafb710f0e598b2ad145e058950f646eeba681b 2397 cairosvg_2.5.0-1.1+deb11u1.dsc
12a1e41cef6167f7e207ca6d128fe39ee46f0158 8340610 cairosvg_2.5.0.orig.tar.gz
9c4f5e448f74931af7413728ec01746a3e5bdb18 7992 cairosvg_2.5.0-1.1+deb11u1.debian.tar.xz
353c64eefc0894ce2b463af02c67e26cca23c0b7 7692 cairosvg_2.5.0-1.1+deb11u1_source.buildinfo
Checksums-Sha256:
fb962bb09f09dbbaebb2c2205e3bb97e93e050b2ac13078d87a14574cb035799 2397 cairosvg_2.5.0-1.1+deb11u1.dsc
1560c66c119a1f74348293f484be4aef837b9691502c228e5e0f4824a0b6dfa5 8340610 cairosvg_2.5.0.orig.tar.gz
69d2e1ea6934de434af38355e8186b6d72a4ceb2e517b03190db9e3e664e620d 7992 cairosvg_2.5.0-1.1+deb11u1.debian.tar.xz
ae18d2d715d923e9bb3707e0456c5a4bb99f2d98bb5fa29e9c3024b6c3996680 7692 cairosvg_2.5.0-1.1+deb11u1_source.buildinfo
Files:
633383b28b5c6209e492211a078ea4af 2397 python optional cairosvg_2.5.0-1.1+deb11u1.dsc
08fafc33e0f747b9240558e4865af3e9 8340610 python optional cairosvg_2.5.0.orig.tar.gz
aede5f5ba2213942aafb0d687ebb88ac 7992 python optional cairosvg_2.5.0-1.1+deb11u1.debian.tar.xz
89d81645ccd59a846d68520808bf5cea 7692 python optional cairosvg_2.5.0-1.1+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQcrn1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EAuwP/jIyIL+pqxZXcBWdxZD9EgBSgGmEjLQp
QasYSX6PzKR50ndriotx0lr0eiy6NLjGibu8VekYyXhdQVDej2c2kRqQAuBED1Ei
p1PoNt0bbeCehiaWeIRxC67As1HNtvNO4g+CvsnRArqq/NamIUvA22ClGRtK9NVT
WBbocAZUw2YuRQwZ8/CbRPNH3USUjTunCzc03XhV5aZoxSpW6lqJoV0G5o6EM51R
DUTXNPP6Kx0/Eki0czYoGAjElbgWK2MysV1UKsumK2mtZllw/GxoVWJdT0C/qrTm
e9ev6+7koJLYgM+Fn4ziPcTeS7fqV/73JKSWV7SwL2wfRb8ul55PqoF1RWiiNiWP
Ooq98VOCxaeV/Y4vEbIYYA2YkrAOAQ3ZPoZfy4WnRpzSzZCTSIvc5ZgF/wQIlg3/
k5peat6pvI7G0KYwg60qzzHH0JvrnDSUx0X86EUdXES3jraCnCVo14RzYDh8GEEd
k9+Y36jtge41OcSfhAVoeX+IVUqrxCXEdTZPF1B7mujyIyZTCdY+Tpk6ZGTcbGkv
ZD5N9oLDVCRC5G4n2Il16g3S+m0KMNsVtpbFPpUQ4tcrMHgANe4QrCq2ocQE8z/I
pY32Rot8me+YFdA4hyiGqGqDEBUAxqcn49xDkzEPlc7kmPa0pjlyuRbHVNkZid76
VNuFUUFJ3vAv
=X8KN
-----END PGP SIGNATURE-----
--- End Message ---
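The advisory quoted in the bug report (CairoSVG resolving references to external hosts while rendering an SVG) and the changelog entry in the security upload ("Don't allow fetching external files unless explicitly asked for") describe the same control from two sides. The following Python is an added example, not code from the bug report, the Debian package or the CairoSVG project: it applies that control from the caller's side, which is what a deployment still on a version that fetches by default needs. It supplies a `url_fetcher` that only honours inline `data:` URIs and a pre-check that lists every reference an SVG would resolve outside the document. It assumes CairoSVG's fetcher signature `fetch(url, resource_type) -> bytes` and that `svg2png` accepts a `url_fetcher` keyword replacing the default, as in the 2.x API; the two sample SVGs are constructed for the example.

```python
"""Caller-side mitigation for SVG converters that resolve external references.

Assumptions (not from the bug report): CairoSVG's default resource fetcher has
the signature fetch(url, resource_type) -> bytes and svg2png() accepts a
url_fetcher keyword that replaces it. Verify both against the version you ship.
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote


class ExternalResourceBlocked(Exception):
    """Raised when an SVG tries to reference a resource outside the document."""


def safe_url_fetcher(url, resource_type):
    """Fetcher that only decodes inline data: URIs.

    http/https, file:// and relative paths all raise instead of being fetched,
    which is the behaviour the upstream 2.7.0 fix makes the default.
    """
    if not url.lower().startswith("data:"):
        raise ExternalResourceBlocked(
            f"refusing to fetch {resource_type} resource from {url!r}")
    # data:[<mediatype>][;base64],<data>
    header, sep, payload = url[5:].partition(",")
    if not sep:
        raise ExternalResourceBlocked(f"malformed data URI for {resource_type}")
    if header.lower().endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode("utf-8")


# CSS url(...) token, quoted or not; group 1 is the reference itself.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)


def _is_external(ref):
    """Same-document fragments (#id) and inline data: URIs stay local."""
    ref = ref.strip()
    return not (ref.startswith("#") or ref.lower().startswith("data:"))


def find_external_references(svg_bytes):
    """Return (element tag, reference) pairs that would be resolved outside the file.

    Looks at href/xlink:href attributes, url() tokens in any attribute value
    (fill, filter, mask, style, ...) and url() tokens inside <style> text.
    ElementTree does not fetch external DTDs, so the scan itself stays offline.
    """
    root = ET.fromstring(svg_bytes)
    found = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]           # strip the namespace
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1]          # xlink:href -> href
            candidates = [value] if name == "href" else CSS_URL.findall(value)
            found.extend((tag, ref) for ref in candidates if _is_external(ref))
        if tag == "style" and elem.text:
            found.extend((tag, ref) for ref in CSS_URL.findall(elem.text)
                         if _is_external(ref))
    return found


def svg_to_png_safely(svg_bytes):
    """Reject SVGs with outside references up front, then convert with the
    restrictive fetcher as a second line of defence.

    cairosvg is imported lazily so the policy functions above can be used (and
    tested) without the cairo native library installed.
    """
    refs = find_external_references(svg_bytes)
    if refs:
        raise ExternalResourceBlocked(f"external references present: {refs}")
    import cairosvg  # assumed 2.x API: svg2png(bytestring=..., url_fetcher=...)
    return cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=safe_url_fetcher)


# Constructed sample inputs (not from the bug report).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"/></defs>
  <rect width="10" height="10" fill="url(#g)"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

REMOTE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://example.invalid/metadata" width="1" height="1"/>
  <style>@font-face { src: url("http://example.invalid/font.woff"); }</style>
  <rect width="1" height="1" style="fill: url(#g)"/>
</svg>"""

if __name__ == "__main__":
    print("benign:", find_external_references(BENIGN_SVG))   # []
    print("remote:", find_external_references(REMOTE_SVG))   # two hits
```

The pre-check is the part worth logging in production: a rendering service that records `find_external_references` hits per upload gets a detection signal for SSRF probing without ever resolving the reference, and the restrictive fetcher catches anything the scanner's regexes miss (for example references built up by CSS the scanner does not model).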