-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Feb 2025 22:30:54 +0100
Source: jinja2
Architecture: source
Version: 3.1.2-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Piotr Ożarowski
Changed-By: Lee Garrett
Changes:
 jinja2 (3.1.2-1+deb12u2) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS security team.
   * Fix CVE-2024-56201: In versions on the 3.x branch prior to 3.1.5, a bug
     in the Jinja compiler allows an attacker that controls both the content
     and filename of a template to execute arbitrary Python code, regardless
     of whether Jinja's sandbox is used. To exploit the vulnerability, an
     attacker needs to control both the filename and the contents of a
     template. Whether that is the case depends on the type of application
     using Jinja. This vulnerability impacts users of applications which
     execute untrusted templates where the template author can also choose
     the template filename.
   * Fix CVE-2024-56326: Prior to 3.1.5, an oversight in how the Jinja
     sandboxed environment detects calls to str.format allows an attacker
     that controls the content of a template to execute arbitrary Python
     code. To exploit the vulnerability, an attacker needs to control the
     content of a template. Whether that is the case depends on the type of
     application using Jinja. This vulnerability impacts users of
     applications which execute untrusted templates. Jinja's sandbox does
     catch calls to str.format and ensures they don't escape the sandbox.
     However, it's possible to store a reference to a malicious string's
     format method, then pass that to a filter that calls it. No such
     filters are built in to Jinja, but could be present through custom
     filters in an application. After the fix, such indirect calls are also
     handled by the sandbox.
Checksums-Sha1:
 b55c4a354e43e7336867a4e40c4e4a83860c2e23 2953 jinja2_3.1.2-1+deb12u2.dsc
 b5bd9b7d9b49f510774c872a3ef71d5b16b7ae0a 15156 jinja2_3.1.2-1+deb12u2.debian.tar.xz
 b79618ce5fa292bbc3f99dc97ff0607df34a3142 9016 jinja2_3.1.2-1+deb12u2_amd64.buildinfo
Checksums-Sha256:
 98bdf88f226bf3d5448ebea10da99f72e02208e996b01711148ca9f17f060d3d 2953 jinja2_3.1.2-1+deb12u2.dsc
 2e4745acbd0bb0b868a55348cf8f2f6a8d19fbefddb6f25306b62d215b8318ef 15156 jinja2_3.1.2-1+deb12u2.debian.tar.xz
 1b08348c7dbd8bce732d8c2757b2d211e5ca6c6b02d360beaddc419e360d03c6 9016 jinja2_3.1.2-1+deb12u2_amd64.buildinfo
Files:
 e80e4b95cb42677d1a230a35573533c7 2953 python optional jinja2_3.1.2-1+deb12u2.dsc
 4339bee737ba1bead35c4dac2676293a 15156 python optional jinja2_3.1.2-1+deb12u2.debian.tar.xz
 2932e1c05ded00b766c83a17f5c8048b 9016 python optional jinja2_3.1.2-1+deb12u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEE2EfGJRCpwv8kLOAs1gShxII+4PgFAmfA4LUACgkQ1gShxII+
4PgMIx/+MqkEDiaZhPpughHFTu0A2zZoNMJZO4ZoeKydiLULAuzknY8YYSBr1vZu
4JfSnLb9XFK73NAYUiDzQQB5kSHYy43hGr6/l6383IKEY5FhBP0UhoUhtf1yugN6
+2HNSTiBHWPqkyvAOcBvVaaOacqcAwd5Mg0NrEr3RAJkPabK8tM4PGQcK9pOVdXQ
qz0rvzZ0LeXXk/0mYnaUzFv0xylTNx+FdHG9lS6ikSSVJkxF0UDK+Tt7EctsyuFI
Mka7A79rzU4vRMr5q80b8qdW+EC1qexo8ljtunvGrPBzUuNula9ajcAR+cS8Rxhc
Xdl+O2QufgMoGh4nmKtY6P+rq/m9wrt1CmqMrgI451yAmospCdp768rAk3kbNnua
ruYeEjwe2jdKkguGcQwuC+FWKOPLw6JNUgSMa1IKWMZOV0pUpGXaxj5nDXmBOVkC
I50HHPz9J0JMD1tecEmd6G5UOpJnGHBPAdRH0BgbtsXxhFHqA4HW4GgHVDo7Ubiw
pzVwcrhJZXRVMW2m9o6dafqtxpnjGtWXhQTCwC/oevD5aby9Mkpda2A2eLik8BFf
SXhJczKTz/sNU2Y3FjCXM8egu/I/Z5IGuQuydJgGS0rV7RBkXVPSNmQcolXidnts
Htfi3rYkO5J0foaoR0PHrsIbUQ3Kc29rg2iNfQiIoThxw7Et0RgbvJZZvtAReEds
5E2WGOQio8pPZcOwv8old3Pt7KAdoomLBtOVslmgCPZgy7W+rdDWPkgkbecY95Wi
1IOAIZhfKESi2p9r7hObauBjFUVJnTA/tOOAQ3BSnUyV39wxkeUcPmY46DBlBx/9
yqLKCNop7/SRzbLDSmH0ikcEJQ3+jtiZtF3kXbIC6V5A1MXJS2Oi2EojgA3T3gOW
9El0N7YEQ33zbLJJkWAjZTySwRjbqaddQMEtXakJUH3tFCbuqjUKhGmfubkmxSwA
iLVJGERhNutDHdz3UjjROSwTkFvUAL+y6GcM2f+CmnF1ECGp7BNc4j2F+0IoBG+X
pu2uuduz82VIRKY6kJFCOaQDS3bQN7qLTEZhWlcUYH2Mep0RdTdz1uZFoABRBoBp
AWYsPUEb2zcqCZpeO3rURCrFq002GzygJ49ZNHHvYRTtksJnjl8ZM1LWQx9G9BvQ
fJtkpniTMpnmvV6EbcV5515r4UwZQO15fGRwbNafmwCY5vup9BNkWKQ1NsSnPea7
6lKEFGjIyA3fOW2BfSsub+lPc499Vw6bfVl/5aNyptul0DKskAc8RFn/Nu+NKj1e
1NA7jpBc2vsMWzoMoFtfCyAtj5pQQDSsvrT155bWhTq7v0XIFpvTnV7JKEbvf9wO
L2gaK0hmftPMDbVBYk02zgSSTFh+1Q==
=Szm3
-----END PGP SIGNATURE-----