-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Feb 2025 22:30:54 +0100
Source: jinja2
Binary: python-jinja2-doc python3-jinja2
Architecture: all
Version: 3.1.2-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Lee Garrett
Description:
 python-jinja2-doc - documentation for the Jinja2 Python library
 python3-jinja2 - small but fast and easy to use stand-alone template engine
Changes:
 jinja2 (3.1.2-1+deb12u2) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS security team.
   * Fix CVE-2024-56201: In versions on the 3.x branch prior to 3.1.5, a bug
     in the Jinja compiler allows an attacker that controls both the content
     and filename of a template to execute arbitrary Python code, regardless
     of whether Jinja's sandbox is used. To exploit the vulnerability, an
     attacker needs to control both the filename and the contents of a
     template. Whether that is the case depends on the type of application
     using Jinja. This vulnerability impacts users of applications which
     execute untrusted templates where the template author can also choose
     the template filename.
   * Fix CVE-2024-56326: Prior to 3.1.5, an oversight in how the Jinja
     sandboxed environment detects calls to str.format allows an attacker
     that controls the content of a template to execute arbitrary Python
     code. To exploit the vulnerability, an attacker needs to control the
     content of a template. Whether that is the case depends on the type of
     application using Jinja. This vulnerability impacts users of
     applications which execute untrusted templates. Jinja's sandbox does
     catch calls to str.format and ensures they don't escape the sandbox.
     However, it's possible to store a reference to a malicious string's
     format method, then pass that to a filter that calls it. No such
     filters are built into Jinja, but could be present through custom
     filters in an application. After the fix, such indirect calls are also
     handled by the sandbox.
Checksums-Sha1:
 8f7f1f1d9053f1db7b041d80e1842b5c2cbe3e0f 8056 jinja2_3.1.2-1+deb12u2_all-buildd.buildinfo
 ef267b23961305885bf866aee3721ac461286b03 196260 python-jinja2-doc_3.1.2-1+deb12u2_all.deb
 491e54682d5792eecf10b450bd7975b911cfd298 120200 python3-jinja2_3.1.2-1+deb12u2_all.deb
Checksums-Sha256:
 7922cd8ddba8baf2265550150cab62a60be16a8a1a54265b9c02cec683a758d1 8056 jinja2_3.1.2-1+deb12u2_all-buildd.buildinfo
 1715c595acb678bc567b2dbc8188058f4631a555f725d707ea8fd6fe0eeb3595 196260 python-jinja2-doc_3.1.2-1+deb12u2_all.deb
 8c923ac1a9c43ebdf1bab888ac381964849b73b8f028a463e4e4ef0b552ea892 120200 python3-jinja2_3.1.2-1+deb12u2_all.deb
Files:
 ce097323657a1fa2712311df944d8d2a 8056 python optional jinja2_3.1.2-1+deb12u2_all-buildd.buildinfo
 bca500d426bf00d9046f9fbd52f3a483 196260 doc optional python-jinja2-doc_3.1.2-1+deb12u2_all.deb
 4e2255f3396793f4a1e0d863660f0235 120200 python optional python3-jinja2_3.1.2-1+deb12u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErEDrIdpJkzFMm6K+PyQET5WCY90FAmfDH9QACgkQPyQET5WC
Y93geA/9H5o9mmMmQma3xzpavrjoGeszE+yuVq8s7YdN8YM7Cl9Eim98v192lY3g
Ti2VkpDM3vp+Yfj8yiyTzk5sTgc2CqfHYhL9AOVBzBUVeblJ6VJyHtlxOSjrmr8F
4BQKGcqU0caCgdd8ch0yfmvKMiuRuE8UG/8oKZ4M42sRzpWIoCxKQzIpBksc7PJs
/JmBFtFoRJoXCoqcvAmHvH6STFOKlMh+fVz4wYXzkf50QiuwQ1KxO+q2UeM5Rvqr
093F/2akwU0kY8Mhau2Ls0tUmJ47HVO3XCNqtS07406a7QzxBzYGcdjQjwb48gMO
KM3kF+vJuLtylU3pXIkYJyvsvUtYqHY2VolpoICglHiVk6ouNgblF/6txT1IsuaM
0XsusIDb8yj1UIAzmJTAv/q4hWNQOutN/AnLHoEZS53w/2ByzsWJ25kAzdowrpRb
cT0AaJGazbnujL5r1NOOE6dxUzlORfPVBE4YK+w+mkH51HzgkJjy0UZ7FscIG8bn
GWltTbM7V+A6zitkItPkB7OBt3Yt1GPejMrECdCXF3zfF2us+ES4IqHchqqp+fcT
UOdcN3qKh3F5mSjhX71/B5EQWC9t7u7uA6Wn/maAw20EPAJORO2kLByMUQmsAAGG
72GbbEBCtQP0DApRpDxX7dF45Bqawj4JVhvmANZpGZR2gjnSREY=
=TDzO
-----END PGP SIGNATURE-----
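The CVE-2024-56326 entry above contrasts a sandbox that intercepts str.format only at the point where the engine itself makes the call with one that also covers a stored reference handed to an application filter. The block below is an added example written for this page, not code from the Debian upload or from Jinja: it models both policies in plain Python so the difference can be exercised without the library. The names (SafeFormatter, CallSiteSandbox, AccessTimeSandbox, apply_filter, Secret) and the attribute rule (segments starting with "_" are refused) are assumptions standing in for Jinja's real sandbox checks; the sample object and format strings are constructed for the demonstration.

```python
"""Toy model of the str.format sandbox gap described under CVE-2024-56326.

Added illustration, not Jinja's code. The attribute policy (refuse names that
start with "_") and every class/function name here are assumptions.
"""
import re
import string


class SandboxError(Exception):
    """Raised when a format string tries to reach a forbidden attribute."""


class SafeFormatter(string.Formatter):
    """string.Formatter that vets attribute traversal such as "{0.__class__}".

    Assumed policy for this example: any attribute or index segment after the
    argument name that starts with "_" is rejected before it is resolved.
    """

    def get_field(self, field_name, args, kwargs):
        # "0._token" -> ["0", "_token"]; "0[key]" -> ["0", "key]"]
        for segment in re.split(r"[.\[]", field_name)[1:]:
            if segment.startswith("_"):
                raise SandboxError(f"access to attribute {segment!r} is not allowed")
        return super().get_field(field_name, args, kwargs)


def is_str_format(obj):
    """True for a bound str.format method (str.format_map is left out here)."""
    return getattr(obj, "__name__", None) == "format" and isinstance(
        getattr(obj, "__self__", None), str
    )


class CallSiteSandbox:
    """Pre-fix model: str.format is intercepted only when the engine performs
    the call through call(); attribute lookup hands back the raw method."""

    def call(self, fn, *args, **kwargs):
        if is_str_format(fn):
            return SafeFormatter().vformat(fn.__self__, args, kwargs)
        return fn(*args, **kwargs)

    def getattr(self, obj, name):
        return getattr(obj, name)


class AccessTimeSandbox(CallSiteSandbox):
    """Post-fix model: the bound method is replaced by a sandboxed wrapper at
    lookup time, so later calls are vetted no matter who makes them."""

    def getattr(self, obj, name):
        value = getattr(obj, name)
        if is_str_format(value):
            template = value.__self__

            def safe_format(*args, **kwargs):
                return SafeFormatter().vformat(template, args, kwargs)

            return safe_format
        return value


def apply_filter(fn, value):
    """Hypothetical application-supplied filter that calls whatever callable it
    is given. It runs outside the engine, so it never goes through call()."""
    return fn(value)


class Secret:
    """Constructed sample object with a private attribute worth protecting."""

    def __init__(self):
        self._token = "hunter2"


def direct_call(sandbox, value):
    """Template calls str.format itself: the engine routes it through call()."""
    try:
        return sandbox.call(sandbox.getattr("{0._token}", "format"), value)
    except SandboxError as exc:
        return f"blocked: {exc}"


def indirect_call(sandbox, value):
    """Template stores the bound format method and hands it to the filter."""
    stored = sandbox.getattr("{0._token}", "format")
    try:
        return apply_filter(stored, value)
    except SandboxError as exc:
        return f"blocked: {exc}"


def benign_format(sandbox, name):
    """Ordinary formatting must keep working under the stricter policy."""
    return sandbox.getattr("hello {0}", "format")(name)


if __name__ == "__main__":
    for sb in (CallSiteSandbox(), AccessTimeSandbox()):
        label = type(sb).__name__
        print(label, "direct:", direct_call(sb, Secret()))
        print(label, "indirect:", indirect_call(sb, Secret()))
        print(label, "benign:", benign_format(sb, "world"))
```

Running it shows the direct call blocked under both models, the indirect call leaking the private attribute only under CallSiteSandbox, and plain formatting unaffected either way. On a bookworm host, `dpkg -s python3-jinja2` should report version 3.1.2-1+deb12u2 or later once this update is installed.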