restrictedpython - Debian Package Tracker

general

source: restrictedpython (main)
version: 8.0-1
maintainer: Debian Python Team (DMD)
uploaders: Christoph Berg [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0~b3-2
oldstable: 4.0~b3-3
stable: 8.0-1
testing: 8.0-1
unstable: 8.0-1

versioned links

4.0~b3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0~b3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-restrictedpython

action needed

A new upstream version is available: 8.1 high

A new upstream version 8.1 is available, you should consider packaging it.

Created: 2025-03-21 Last update: 2025-10-27 18:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 8.1~a1.dev0-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit ac7b3866fa4d6aa58f3d6f22a88b0a343079a8bd
Merge: 53ea32a acb5df6
Author: Diwa Tomy <diwatomy04@gmail.com>
Date:   Mon Sep 29 00:53:03 2025 +0530

    Merge branch 'debian/master' into 'debian/master'
    
    Fix changelog
    
    See merge request python-team/packages/restrictedpython!4

commit acb5df666e2d39a783eaaff18178c0bc36f8506b
Author: Diwa Tomy <diwatomy04@gmail.com>
Date:   Mon Sep 29 00:53:02 2025 +0530

    Fix changelog

commit 53ea32a8b0ce71884d67c795d35a7602e96ca45d
Author: Diwa Tomy <diwatomy04@gmail.com>
Date:   Sun Sep 28 02:25:05 2025 +0530

    Edit changelog

commit 3160457173e1d2c5fb7b90e6d4e0900c65eb25c4
Merge: 4409101 fa39567
Author: Diwa Tomy <diwatomy04@gmail.com>
Date:   Sun Sep 28 01:59:06 2025 +0530

    Merge branch 'debian/master' into 'debian/master'
    
    New upstream release 8.1_a1.dev0
    
    See merge request python-team/packages/restrictedpython!2

commit fa39567736a89e59df604c7b41208efb5f82501a
Author: Diwa Tomy <diwatomy04@gmail.com>
Date:   Sun Sep 28 01:59:05 2025 +0530

    New upstream release 8.1_a1.dev0

Created: 2025-09-27 Last update: 2025-10-23 21:00

ITA: Someone intends to adopt this package. normal

This package has been orphaned, but someone intends to maintain it. Please see bug number #980149 for more information.

Created: 2021-01-15 Last update: 2025-09-26 10:00

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-11 Last update: 2025-09-11 00:04

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-37271: (needs triaging) RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope Page Template`. This is a non-default configuration and likely to be extremely rare. The problem has been fixed in versions 6.1 and 5.3.
CVE-2023-41039: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-47532: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-07-14 Last update: 2025-08-10 06:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.2.1).

Created: 2018-12-23 Last update: 2025-02-27 13:25

news

[rss feed]

[2025-01-30] restrictedpython 8.0-1 MIGRATED to testing (Debian testing watch)
[2025-01-27] Accepted restrictedpython 8.0-1 (source) into unstable (Colin Watson)
[2023-09-10] restrictedpython 6.2-1 MIGRATED to testing (Debian testing watch)
[2023-09-04] Accepted restrictedpython 6.2-1 (source) into unstable (Christoph Berg)
[2023-09-02] restrictedpython REMOVED from testing (Debian testing watch)
[2021-12-28] restrictedpython 4.0~b3-3 MIGRATED to testing (Debian testing watch)
[2021-12-22] Accepted restrictedpython 4.0~b3-3 (source) into unstable (Christoph Berg)
[2018-09-26] restrictedpython 4.0~b3-2 MIGRATED to testing (Debian testing watch)
[2018-09-24] Accepted restrictedpython 4.0~b3-2 (source) into unstable (Mattia Rizzolo)
[2018-04-22] restrictedpython 4.0~b3-1 MIGRATED to testing (Debian testing watch)
[2018-04-16] Accepted restrictedpython 4.0~b3-1 (source) into unstable (Christoph Berg)
[2018-02-04] restrictedpython 4.0~b2-1 MIGRATED to testing (Debian testing watch)
[2018-01-29] Accepted restrictedpython 4.0~b2-1 (source all) into unstable, unstable (Christoph Berg)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.0-1
1 bug