• Accepted jinja2 3.1.2-1+deb12u2 (source) into proposed-updates

    From Debian FTP Masters@21:1/5 to All on Sat Mar 1 12:40:02 2025
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Format: 1.8
    Date: Thu, 27 Feb 2025 22:30:54 +0100
    Source: jinja2
    Architecture: source
    Version: 3.1.2-1+deb12u2
    Distribution: bookworm
    Urgency: medium
    Maintainer: Piotr Ożarowski <piotr@debian.org>
    Changed-By: Lee Garrett <debian@rocketjump.eu>
    Changes:
    jinja2 (3.1.2-1+deb12u2) bookworm; urgency=medium
    .
      * Non-maintainer upload by the LTS security team.
      * Fix CVE-2024-56201:
        In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler
        allows an attacker that controls both the content and filename of a template
        to execute arbitrary Python code, regardless of whether Jinja's sandbox is used.
        To exploit the vulnerability, an attacker needs to control both the filename
        and the contents of a template. Whether that is the case depends on the type
        of application using Jinja. This vulnerability impacts users of applications
        which execute untrusted templates where the template author can also choose
        the template filename.
      * Fix CVE-2024-56326:
        Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects
        calls to str.format allows an attacker that controls the content of a
        template to execute arbitrary Python code. To exploit the vulnerability, an
        attacker needs to control the content of a template. Whether that is the
        case depends on the type of application using Jinja. This vulnerability
        impacts users of applications which execute untrusted templates. Jinja's
        sandbox does catch calls to str.format and ensures they don't escape the
        sandbox. However, it's possible to store a reference to a malicious string's
        format method, then pass that to a filter that calls it. No such filters are
        built in to Jinja, but could be present through custom filters in an
        application. After the fix, such indirect calls are also handled by the
        sandbox.
    Checksums-Sha1:
    b55c4a354e43e7336867a4e40c4e4a83860c2e23 2953 jinja2_3.1.2-1+deb12u2.dsc
    b5bd9b7d9b49f510774c872a3ef71d5b16b7ae0a 15156 jinja2_3.1.2-1+deb12u2.debian.tar.xz
    b79618ce5fa292bbc3f99dc97ff0607df34a3142 9016 jinja2_3.1.2-1+deb12u2_amd64.buildinfo
    Checksums-Sha256:
    98bdf88f226bf3d5448ebea10da99f72e02208e996b01711148ca9f17f060d3d 2953 jinja2_3.1.2-1+deb12u2.dsc
    2e4745acbd0bb0b868a55348cf8f2f6a8d19fbefddb6f25306b62d215b8318ef 15156 jinja2_3.1.2-1+deb12u2.debian.tar.xz
    1b08348c7dbd8bce732d8c2757b2d211e5ca6c6b02d360beaddc419e360d03c6 9016 jinja2_3.1.2-1+deb12u2_amd64.buildinfo
    Files:
    e80e4b95cb42677d1a230a35573533c7 2953 python optional jinja2_3.1.2-1+deb12u2.dsc
    4339bee737ba1bead35c4dac2676293a 15156 python optional jinja2_3.1.2-1+deb12u2.debian.tar.xz
    2932e1c05ded00b766c83a17f5c8048b 9016 python optional jinja2_3.1.2-1+deb12u2_amd64.buildinfo
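Because this upload backports the upstream 3.1.5 fixes into 3.1.2-1+deb12u2, a scanner that compares only the upstream version string (3.1.2 against 3.1.5) will report the patched bookworm package as still vulnerable. The following added example (not part of this upload or of Debian's tooling) implements dpkg-style version comparison in Python and checks an installed package version against the fixed bookworm version from this upload; the FIXED_VERSION table is taken from the upload, and the sample version strings are constructed.

```python
"""Check whether bookworm's python3-jinja2 has the CVE-2024-56201/-56326 fixes.
Debian backported upstream 3.1.5's fixes as 3.1.2-1+deb12u2, so comparing the
upstream part alone (3.1.2 < 3.1.5) would wrongly flag the patched package."""
import re
from itertools import zip_longest

FIXED_VERSION = {"bookworm": "3.1.2-1+deb12u2"}  # from the upload above

def _order(c):
    # dpkg ordering of non-digit chars: '~' before everything (even end of
    # string, which scores 0), letters before non-letters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg rule: alternate non-digit runs (char by char via _order) and
    # digit runs (numerically) until both fragments are consumed.
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return oa - ob
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision ""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    """Return <0, 0 or >0, like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, suite="bookworm"):
    """True when the installed package version is at or past the fixed one."""
    return dpkg_compare(installed, FIXED_VERSION[suite]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' python3-jinja2` from each host; a result of False means the host still lacks this upload.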

    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----



    * Origin: fsxNet Usenet Gateway (21:1/5)