restrictedpython - Debian Package Tracker

general

source: restrictedpython (main)
version: 8.0-1
maintainer: Debian Python Team (DMD)
uploaders: Christoph Berg [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0~b3-2
oldstable: 4.0~b3-2
stable: 4.0~b3-3
testing: 8.0-1
unstable: 8.0-1

versioned links

4.0~b3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0~b3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-restrictedpython

action needed

A new upstream version is available: 8.1~a1.dev0 high

A new upstream version 8.1~a1.dev0 is available, you should consider packaging it.

Created: 2025-03-21 Last update: 2025-06-29 02:31

RFA: The maintainer wants to pass over package maintainance. normal

The current maintainer is looking for someone who can take over maintenance of this package. If you are interested in this package, please consider taking it over. Alternatively you may want to be co-maintainer in order to help the actual maintainer. Please see bug number #980149 for more information.

Created: 2021-01-15 Last update: 2021-01-15 15:05

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-37271: (needs triaging) RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope Page Template`. This is a non-default configuration and likely to be extremely rare. The problem has been fixed in versions 6.1 and 5.3.
CVE-2023-41039: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-47532: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-07-14 Last update: 2025-02-27 05:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.2.1).

Created: 2018-12-23 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-01-30] restrictedpython 8.0-1 MIGRATED to testing (Debian testing watch)
[2025-01-27] Accepted restrictedpython 8.0-1 (source) into unstable (Colin Watson)
[2023-09-10] restrictedpython 6.2-1 MIGRATED to testing (Debian testing watch)
[2023-09-04] Accepted restrictedpython 6.2-1 (source) into unstable (Christoph Berg)
[2023-09-02] restrictedpython REMOVED from testing (Debian testing watch)
[2021-12-28] restrictedpython 4.0~b3-3 MIGRATED to testing (Debian testing watch)
[2021-12-22] Accepted restrictedpython 4.0~b3-3 (source) into unstable (Christoph Berg)
[2018-09-26] restrictedpython 4.0~b3-2 MIGRATED to testing (Debian testing watch)
[2018-09-24] Accepted restrictedpython 4.0~b3-2 (source) into unstable (Mattia Rizzolo)
[2018-04-22] restrictedpython 4.0~b3-1 MIGRATED to testing (Debian testing watch)
[2018-04-16] Accepted restrictedpython 4.0~b3-1 (source) into unstable (Christoph Berg)
[2018-02-04] restrictedpython 4.0~b2-1 MIGRATED to testing (Debian testing watch)
[2018-01-29] Accepted restrictedpython 4.0~b2-1 (source all) into unstable, unstable (Christoph Berg)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.0-1
1 bug