[SECURITY] [DLA 2790-1] python-babel security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2790-1] python-babel security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Thu, 21 Oct 2021 11:56:09 +0200
Message-id: <[🔎] 20211021095609.GA2255@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2790-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
October 21, 2021                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-babel
Version        : 2.3.4+dfsg.1-2+deb9u1
CVE ID         : CVE-2021-42771
Debian Bug     : 987824

Tenable discovered that in Babel, a set of tools for
internationalizing Python applications, Babel.Locale allows attackers
to load arbitrary locale .dat files (containing serialized Python
objects) via directory traversal, leading to code execution.  This
vulnerability was also previously addressed under CVE-2021-20095 in
other distributions and suites.

For Debian 9 stretch, this problem has been fixed in version
2.3.4+dfsg.1-2+deb9u1.

We recommend that you upgrade your python-babel packages.

For the detailed security status of python-babel please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-babel

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmFxN74ACgkQDTl9HeUl
XjBbHQ//V0e3pyFnYcIyqY5OPe9l/IGYlLihgc7l/J7QygHe8QdJJmP0FLlSRwiv
OJMnSs7YrJYUx3H9EghYDzgMwhgaM5nh0qHpiiZA/c9lgKKoBpUo5aQkGqviUNA2
CKh4L8y3hMtJEBJgd4MhBDBaZIE8E0/NqoIGl0OAr+mHcqiKyA65pXnEEB/l8ULw
TBrUabvibnMtzaZDbvrB6YEs5+YNnODLFgVT/CkvnHQapOTDRpa1KiaT2+G6QqmQ
/W0onLZh6daBCmT/oEwlWOUQy0anx9RXpF6W0KX5ZwGPy2kTBZO7EVZFrk+lqwa1
V6QICMSAmqZuzGzA4lE7+UUUX6gY6mseJKnz5ced3FL+cHYqpZ2GXJHVYMlh/Mvs
vXl73CD6MK088b4XEkrKl4M2LqBklfqZjAxZNQ4dOX803BgsslAgup57aPUHMm8i
haqp/ja5qAbpajF3IYIOT2zu86nB8SGfbxCszKdDzN8DDRUMEJS83OpC9LTRdCEH
ullNPUiwFHhRQAXP0hIdcWsf5EKxw/PoouKhEBnu+d1NOlvNaheAbqraPoUxbldj
F05iMEKBhsG+qRrphDOmQWihdQfrT6Q2c9kX9equK1OPAwdYlVPPRPYY1bNXSJmX
OUrW8fq+NMoi77GT94SyitWCa1QYAxgn19bvD4TBvg4gEClYvi4=
=FqUV
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2789-1] squashfs-tools security update
Next by Date: [SECURITY] [DLA 2791-1] mailman security update
Previous by thread: [SECURITY] [DLA 2789-1] squashfs-tools security update
Next by thread: [SECURITY] [DLA 2791-1] mailman security update
Index(es):
- Date
- Thread