Bug#1091547: bookworm-pu: package sqlparse/0.4.2-1+deb12u1
Guilhem Moulin
2024-12-28 13:50:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org
Control: affects -1 + src:sqlparse
User: ***@packages.debian.org
Usertags: pu

[ Reason ]

Fix 2 no-dsa vulnerabilities: CVE-2023-30608 and CVE-2024-4340.

[ Impact ]

Users would remain vulnerable. Furthermore, the issues are fixed in
Bullseye LTS, leading to a regression when upgrading.

[ Tests ]

Both patches come with unit tests, and the package's comprehensive test
suite is run at build time. I also manually checked the reporters' PoC
against 0.4.2-1 vs. 0.4.2-1+deb12u1.

[ Risks ]

Low: Both patches come from upstream and trivially applied to 0.4.2-1.

[ Checklist ]

[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]

* Fix CVE-2023-30608: Parser contains a regular expression that is
vulnerable to ReDOS. (Closes: #1034615)
* Fix CVE-2024-4340: Parsing of heavily nested list leads to Denial of
Service. (Closes: #1070148)
* Adjust d/salsa-ci.yml for bookworm.
--
Guilhem.
Debian Bug Tracking System
2024-12-28 13:50:01 UTC
Post by Guilhem Moulin
affects -1 + src:sqlparse
Bug #1091547 [release.debian.org] bookworm-pu: package sqlparse/0.4.2-1+deb12u1
Added indication that 1091547 affects src:sqlparse
--
1091547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091547
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Adam D. Barratt
2025-01-02 20:50:01 UTC
Control: tags -1 + confirmed
Post by Guilhem Moulin
Fix 2 no-dsa vulnerabilities: CVE-2023-30608 and CVE-2024-4340.
Please go ahead.

Regards,

Adam
Debian Bug Tracking System
2025-01-02 20:50:02 UTC
Post by Adam D. Barratt
tags -1 + confirmed
Bug #1091547 [release.debian.org] bookworm-pu: package sqlparse/0.4.2-1+deb12u1
Added tag(s) confirmed.
--
1091547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091547
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Adam D Barratt
2025-01-03 18:40:03 UTC
package release.debian.org
tags 1091547 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: sqlparse
Version: 0.4.2-1+deb12u1

Explanation: fix regular expression-related denial of service issue [CVE-2023-30608]; fix denial of service issue [CVE-2024-4340]
Debian Bug Tracking System
2025-01-03 18:40:02 UTC
Post by Adam D Barratt
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Adam D Barratt
tags 1091547 = bookworm pending
Bug #1091547 [release.debian.org] bookworm-pu: package sqlparse/0.4.2-1+deb12u1
Added tag(s) pending; removed tag(s) confirmed.
Post by Adam D Barratt
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1091547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091547
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2025-01-11 11:20:09 UTC
Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jbi-***@coccia.debian.org>
and subject line Close 1091547
has caused the Debian Bug report #1091547,
regarding bookworm-pu: package sqlparse/0.4.2-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
1091547: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091547
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems