
Debian alert DLA-3822-1 (python-pymysql)

From:  Chris Lamb <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 3822-1] python-pymysql security update
Date:  Mon, 27 May 2024 11:36:13 +0100
Message-ID:  <171680300303.39987.16552748281076125695@copycat>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3822-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 27, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-pymysql
Version        : 0.9.3-1+deb10u1
CVE ID         : CVE-2024-36039
Debian Bug     : 1071628

It was discovered that there was a potential SQL injection attack in
python-pymysql, a MySQL client library for Python. This was exploitable
when python-pymysql was used with untrusted JSON input as keys were not
escaped by the escape_dict routine.

For Debian 10 buster, this problem has been fixed in version
0.9.3-1+deb10u1.

We recommend that you upgrade your python-pymysql packages.

For the detailed security status of python-pymysql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pymysql

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
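
An application-side guard for the condition the advisory describes, added here as an example (not code from the advisory or from python-pymysql): it refuses JSON-decoded objects and arrays as query parameters, so they never reach the driver's dict escaping. The function names, field names and sample bodies are assumptions made for illustration.

```python
import json

# JSON scalar types that are safe to hand to a DB driver as one bound value.
SCALAR_TYPES = (str, int, float, bool, type(None))


class UnsafeParameter(TypeError):
    """A query parameter decoded from JSON was not a scalar."""


def scalar_params(values):
    """Return values as a tuple, refusing containers (dict/list) as parameters.

    JSON lets a client send an object where the application expects a string
    or a number. Rejecting it here means the driver's dict escaping is never
    reached, whether or not the fixed package is installed yet.
    """
    checked = []
    for position, value in enumerate(values):
        if not isinstance(value, SCALAR_TYPES):
            raise UnsafeParameter(
                f"parameter {position} is {type(value).__name__}, expected a scalar"
            )
        checked.append(value)
    return tuple(checked)


def params_from_body(raw_body, fields):
    """Decode a JSON request body and pull out the named fields as parameters."""
    body = json.loads(raw_body)
    if not isinstance(body, dict):
        raise UnsafeParameter("request body must be a JSON object")
    return scalar_params(body.get(name) for name in fields)


if __name__ == "__main__":
    # Constructed sample bodies (hypothetical, not from the advisory).
    ok = '{"user_id": 42, "status": "active"}'
    bad = '{"user_id": {"nested": "object"}, "status": "active"}'
    print(params_from_body(ok, ["user_id", "status"]))
    try:
        params_from_body(bad, ["user_id", "status"])
    except UnsafeParameter as exc:
        print("rejected:", exc)
    # The checked tuple is what the application would pass as the second
    # argument of cursor.execute(sql, params).
```

The guard complements the package upgrade; it does not replace it.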



