Debian Package Tracker - python-uvicorn

general

source: python-uvicorn (main)
version: 0.11.5-1
maintainer: Debian Python Modules Team (archive) (DMD)
uploaders: Michael Fladischer [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 0.3.24-1
unstable: 0.11.5-1

versioned links

0.3.24-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.11.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python-uvicorn-doc
python3-uvicorn
uvicorn

action needed

A new upstream version is available: 0.12.2 high

A new upstream version 0.12.2 is available, you should consider packaging it.

Created: 2020-07-20 Last update: 2020-10-30 01:07

lintian reports 3 errors and 1 warning high

Lintian reports 3 errors and 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2020-10-22 04:34

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2020-7694: This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
CVE-2020-7695: Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

Please fix them.

Created: 2020-08-30 Last update: 2020-10-15 19:06

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2020-07-27 Last update: 2020-10-30 05:34

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 0.11.5-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d8ca421020dba1867579df186b86e6ff742a9a15
Author: Ondřej Nový <onovy@debian.org>
Date:   Thu Sep 24 08:45:54 2020 +0200

    d/control: Update Vcs-* fields with new Debian Python Team Salsa layout

commit d5de4add2bed91d0e9b91f50395e27ba8ee1f671
Author: Ondřej Nový <onovy@debian.org>
Date:   Thu Sep 24 08:45:54 2020 +0200

    d/control: Update Maintainer field with new Debian Python Team contact address

https://salsa.debian.org/api/v4/projects/python-team%2Fmodules%2Fpython-uvicorn API request failed: 404 Not Found at /srv/qa.debian.org/data/vcswatch/vcswatch line 379.

Created: 2020-09-26 Last update: 2020-10-27 16:06

2 ignored security issues in buster low

There are 2 open security issues in buster.

2 issues skipped by the security teams:

CVE-2020-7694: This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
CVE-2020-7695: Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

Please fix them.

Created: 2020-08-30 Last update: 2020-10-15 19:06

testing migrations

excuses:
- Migration status: Blocked. Can't migrate due to a non-migratable dependency. Check status below.
- Blocked by: python-watchgod
- Migration status for python-uvicorn (- to 0.11.5-1): BLOCKED: Cannot migrate due to another item, which is blocked (please check which dependencies are stuck)
- Issues preventing migration:
- Build-Depends(-Arch): python-uvicorn python-watchgod (not considered)
- Invalidated by build-dependency
- Additional info:
- Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-uvicorn.html
- 105 days old (needed 5 days)
- Not considered

news

[rss feed]

[2020-10-16] python-uvicorn REMOVED from testing (Debian testing watch)
[2020-07-16] Accepted python-uvicorn 0.11.5-1 (source) into unstable (Michael Fladischer)
[2020-06-26] python-uvicorn 0.11.3-1 MIGRATED to testing (Debian testing watch)
[2020-04-23] python-uvicorn REMOVED from testing (Debian testing watch)
[2020-03-07] python-uvicorn 0.11.3-1 MIGRATED to testing (Debian testing watch)
[2020-02-25] Accepted python-uvicorn 0.11.3-1 (source) into unstable (Michael Fladischer)
[2020-02-02] python-uvicorn 0.11.2-1 MIGRATED to testing (Debian testing watch)
[2020-01-23] Accepted python-uvicorn 0.11.2-1 (source) into unstable (Michael Fladischer)
[2020-01-10] python-uvicorn 0.11.1-1 MIGRATED to testing (Debian testing watch)
[2019-12-28] Accepted python-uvicorn 0.11.1-1 (source) into unstable (Michael Fladischer)
[2019-01-17] python-uvicorn 0.3.24-1 MIGRATED to testing (Debian testing watch)
[2019-01-06] Accepted python-uvicorn 0.3.24-1 (source all) into unstable (Michael Fladischer)
[2019-01-05] python-uvicorn 0.3.23-1 MIGRATED to testing (Debian testing watch)
[2018-12-24] python-uvicorn REMOVED from testing (Debian testing watch)
[2018-12-23] Accepted python-uvicorn 0.3.23-1 (source all) into unstable (Michael Fladischer)
[2018-12-22] Accepted python-uvicorn 0.3.22-2 (source) into unstable (Dmitry Shachnev)
[2018-12-18] Accepted python-uvicorn 0.3.22-1 (source all) into unstable (Michael Fladischer)
[2018-11-29] python-uvicorn 0.3.21-1 MIGRATED to testing (Debian testing watch)
[2018-11-23] python-uvicorn 0.3.20-1 MIGRATED to testing (Debian testing watch)
[2018-11-22] Accepted python-uvicorn 0.3.21-1 (source all) into unstable (Michael Fladischer)
[2018-11-14] Accepted python-uvicorn 0.3.20-1 (source all) into unstable (Michael Fladischer)
[2018-11-09] Accepted python-uvicorn 0.3.14-1 (source all) into unstable, unstable (Michael Fladischer)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (3, 1)
buildd: logs, clang
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.11.5-1