From ${URL} : the Debian Security Team would like to request a CVE for an XML XXE discovered in Openpyxl by Marcin Ulikowski from F-Secure; Openpyxl resolves external entities by default:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854442
https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
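The report above notes that openpyxl resolved external entities by default. As an added example (not openpyxl's code and not the fix referenced in the thread), here is a defender-side pre-check a loader can run on an .xlsx before any XML parser touches it: OOXML parts never legitimately carry a DOCTYPE, and entities can only be declared inside one, so any part containing a DOCTYPE is grounds to reject the file. The `build_workbook` helper and the two sample sheets are constructed inputs for the demonstration.

```python
import io
import re
import zipfile

# A DOCTYPE is the only place XML entities can be declared, and no OOXML
# part legitimately has one, so its mere presence is enough to refuse the
# file. Matched case-insensitively to stay on the conservative side.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_XML_PART_SUFFIXES = (".xml", ".rels")


def find_doctype_parts(xlsx_bytes: bytes) -> list:
    """Return the names of XML parts inside the workbook that contain a DOCTYPE.

    An empty list means the archive can be handed to the XML parser; a
    non-empty one means the loader should reject the file instead.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(_XML_PART_SUFFIXES):
                continue
            # Read the whole part: a prolog may be padded with comments or
            # whitespace, so a fixed-size prefix could miss the declaration.
            if _DOCTYPE_RE.search(zf.read(info)):
                flagged.append(info.filename)
    return flagged


def build_workbook(sheet_xml: bytes) -> bytes:
    """Construct a minimal xlsx-shaped ZIP in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


# Constructed sample sheets: one clean, one declaring an entity in a DOCTYPE.
CLEAN_SHEET = b'<?xml version="1.0"?><worksheet><sheetData/></worksheet>'
ENTITY_SHEET = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE worksheet [<!ENTITY ex "constructed">]>'
    b'<worksheet><sheetData><row><c><v>&ex;</v></c></row></sheetData></worksheet>'
)

if __name__ == "__main__":
    print(find_doctype_parts(build_workbook(CLEAN_SHEET)))   # []
    print(find_doctype_parts(build_workbook(ENTITY_SHEET)))  # ['xl/worksheets/sheet1.xml']
```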
@ Maintainer(s): Please bump to >=dev-python/openpyxl-2.4.2 which contains the bugfix.
References For CVE-2017-5992 http://www.cvedetails.com/cve/CVE-2017-5992/
@maintainers, ping. Please bump to latest release. Michael Boyle Gentoo Security Padawan
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f29859e1e34dcbe6c2b9656955aa3d98fcf30e6

commit 3f29859e1e34dcbe6c2b9656955aa3d98fcf30e6
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-07 17:25:30 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-07 17:25:30 +0000

dev-python/openpyxl: bump to 2.4.11

To avoid revdeps breaks and because this will be the target of a fast track stabilization (security), I avoid doing a double-major-version bump and limit the bump to the 2.4.x line. The 2.5 bump will be done separately with a regular stabilization process.

Bug: https://bugs.gentoo.org/608714
Package-Manager: Portage-2.3.44, Repoman-2.3.10

dev-python/openpyxl/Manifest               |  1 +
dev-python/openpyxl/openpyxl-2.4.11.ebuild | 33 ++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+)
amd64, x86, please stabilize: dev-python/openpyxl-2.4.11 Thanks.
x86 stable
amd64 stable and GLSA vote: no
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=faa0d1e93590c9a89b98f7be63db9c9017c6b765

commit faa0d1e93590c9a89b98f7be63db9c9017c6b765
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-10 21:43:04 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-10 21:43:04 +0000

dev-python/openpyxl: remove old and vulnerable

Bug: https://bugs.gentoo.org/608714
Package-Manager: Portage-2.3.45, Repoman-2.3.10

dev-python/openpyxl/Manifest              |  2 --
dev-python/openpyxl/openpyxl-2.3.0.ebuild | 35 -------------------------------
dev-python/openpyxl/openpyxl-2.3.3.ebuild | 35 -------------------------------
3 files changed, 72 deletions(-)
I had to revert. My cleanup broke the CI, sorry about the noise. Will make proper clean later.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9b80fad012e382626a8e5384952cd049845da53

commit a9b80fad012e382626a8e5384952cd049845da53
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-11 23:16:13 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-11 23:16:13 +0000

dev-python/openpyxl: re-enable py34 on v2.4.11

I failed to see, before phasing it out, how many revdeps had a py34 enabled. If I want to be able to clean out old and vulnerable versions in a reasonable timeframe, I have to re-enable py34.

Bug: https://bugs.gentoo.org/608714
Package-Manager: Portage-2.3.44, Repoman-2.3.10

dev-python/openpyxl/openpyxl-2.4.11.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c77c8cb20b9c5ac66e91a40d267d6babfb1cf73a

commit c77c8cb20b9c5ac66e91a40d267d6babfb1cf73a
Author: Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-11 23:20:13 +0000
Commit: Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-11 23:20:13 +0000

dev-python/openpyxl: remove old and vulnerable

Bug: https://bugs.gentoo.org/608714
Package-Manager: Portage-2.3.44, Repoman-2.3.10

dev-python/openpyxl/Manifest              |  2 --
dev-python/openpyxl/openpyxl-2.3.0.ebuild | 35 -------------------------------
dev-python/openpyxl/openpyxl-2.3.3.ebuild | 35 -------------------------------
3 files changed, 72 deletions(-)
Thanks guys.