
Debian alert DLA-1819-1 (pyxdg)

From:  "Chris Lamb" <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 1819-1] pyxdg security update
Date:  Sun, 16 Jun 2019 11:51:18 +0100
Message-ID:  <d04e3397-24b6-4998-bbe2-1577a5fac880@www.fastmail.com>

Package        : pyxdg
Version        : 0.25-4+deb8u1
CVE ID         : CVE-2019-12761
Debian Bug     : #930099

It was discovered that there was a code injection issue in PyXDG, a
library used to locate "FreeDesktop.org" configuration/cache/etc.
directories.

A lack of sanitisation allowed arbitrary Python code embedded in the
Category element of a Menu XML document in a .menu file to be executed.

For Debian 8 "Jessie", this issue has been fixed in pyxdg version
0.25-4+deb8u1.

We recommend that you upgrade your pyxdg packages.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
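
An added example, not part of the advisory and not PyXDG's own code: one way to evaluate a menu file's Include rules so that Category text is only ever compared as a string and never interpreted. It covers the Category, All, And, Or and Not elements only; the function names, the name pattern and the sample menu are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a conservative shape for category names, used only to flag values.
PLAIN_NAME = re.compile(r"[A-Za-z0-9-]+")

# Constructed sample; the second Category holds code-like text on purpose.
SAMPLE_MENU = """<Menu>
  <Name>Constructed</Name>
  <Include>
    <And>
      <Category>Office</Category>
      <Not><Category>print(1)</Category></Not>
    </And>
  </Include>
</Menu>"""

def matches(rule, categories):
    """Evaluate one rule element against a set of category strings."""
    if rule.tag == "Category":
        # The element text is compared as a plain string, never interpreted.
        return (rule.text or "").strip() in categories
    if rule.tag == "All":
        return True
    results = [matches(child, categories) for child in rule]
    if rule.tag == "And":
        return all(results)
    if rule.tag == "Not":
        return not any(results)
    if rule.tag in ("Or", "Include"):
        return any(results)
    raise ValueError("unsupported rule element: " + rule.tag)

def include_matches(menu_xml, categories):
    """Parse menu XML and evaluate its first <Include> block."""
    include = ET.fromstring(menu_xml).find("Include")
    return include is not None and matches(include, set(categories))

def suspicious_categories(menu_xml):
    """List Category values that do not look like plain category names."""
    values = ((el.text or "").strip() for el in ET.fromstring(menu_xml).iter("Category"))
    return [v for v in values if not PLAIN_NAME.fullmatch(v)]

if __name__ == "__main__":
    print(include_matches(SAMPLE_MENU, {"Office", "Spreadsheet"}))
    print(include_matches(SAMPLE_MENU, {"Game"}))
    print(suspicious_categories(SAMPLE_MENU))
```

The code-like Category value is treated as an ordinary name that no entry carries, and the same value is reported by `suspicious_categories` for review.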




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds