Format: 1.8
Date: Tue, 28 May 2024 08:15:32 +0200
Source: python-pymysql
Architecture: source
Version: 1.0.2-2+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1071628
Changes:
 python-pymysql (1.0.2-2+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2024-36039: PyMySQL through 1.1.0 allows SQL injection if used with
     untrusted JSON input because keys are not escaped by escape_dict. Applied
     upstream patch: forbid_dict_parameter.patch (Closes: #1071628).