From ${URL} :
A vulnerability was found in SQLAlchemy 1.2.17: an SQL injection when the order_by parameter can be controlled.

Upstream issue: https://github.com/sqlalchemy/sqlalchemy/issues/4481
Upstream patch: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
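The underlying issue behind an injectable order_by is that identifiers such as column names cannot be passed as bound parameters, so a caller-controlled sort key must be mapped onto a fixed allow list before any SQL is built. The following is an added illustration of that defensive pattern, not code from SQLAlchemy, the upstream patch or the Gentoo ebuild; it uses the standard library sqlite3 module with a constructed in-memory table so it runs without SQLAlchemy installed, and the table, column and function names are hypothetical.

```python
"""Allow-listing an ORDER BY column: added example, not project code."""
import sqlite3

# Column identifiers cannot be bound parameters, so the only safe option is
# to translate the caller's sort key into one of a fixed set of columns.
SORTABLE_COLUMNS = {"id": "id", "name": "name", "created": "created_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def unsafe_order_clause(sort_key: str) -> str:
    # Vulnerable pattern: whatever the caller supplies is spliced into SQL.
    return f"SELECT id, name FROM users ORDER BY {sort_key}"


def safe_order_clause(sort_key: str, direction: str = "asc") -> str:
    # Hardened pattern: unknown keys or directions are rejected up front,
    # and only values taken from the allow list ever reach the statement.
    try:
        column = SORTABLE_COLUMNS[sort_key]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort_key!r}/{direction!r}")
    return f"SELECT id, name FROM users ORDER BY {column} {order}"


def fetch_sorted(sort_key: str, direction: str = "asc") -> list:
    # Run the hardened query against a small constructed in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", "2019-03-01"), (2, "alice", "2019-01-15"), (3, "bob", "2019-02-10")],
    )
    rows = conn.execute(safe_order_clause(sort_key, direction)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(fetch_sorted("name"))
    print(fetch_sorted("created", "desc"))
    try:
        fetch_sorted("name; --")
    except ValueError as exc:
        print("rejected:", exc)
```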
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74d676f319dab3f9e24d291d20906ca90b83196a

commit 74d676f319dab3f9e24d291d20906ca90b83196a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-04-29 12:12:54 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-04-29 12:13:49 +0000

    dev-python/sqlalchemy: bump to 1.3.3

    Bug: https://bugs.gentoo.org/678480
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-python/sqlalchemy/Manifest                |  1 +
 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 63 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
Issue 4481 was addressed in upstream's 1.3 release. Arches, please stabilize. Thanks!
ppc stable
ppc64 stable
amd64 stable
sparc stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06272e72a051f00d166ee600a04603b86a39ec9e

commit 06272e72a051f00d166ee600a04603b86a39ec9e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 18:03:49 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 18:04:08 +0000

    dev-python/sqlalchemy-1.3.3-r0: alpha stable

    Bug: http://bugs.gentoo.org/678480
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm stable
arm64 stable
x86 stable
hppa stable
s390 stable
ia64 stable
Cleanup done.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
GLSA Vote: No

Thank you all for your work. Closing as [noglsa].