Debian Bug report logs -
#988480
pydantic: CVE-2021-29510
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Michael Banck <mbanck@debian.org>
:
Bug#988480
; Package src:pydantic
.
(Thu, 13 May 2021 20:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Michael Banck <mbanck@debian.org>
.
(Thu, 13 May 2021 20:33:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: pydantic
Version: 1.7.3-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for pydantic.
Note, strictly speaking the severity is slightly choosen inaproritate
for the type of security issue. Making it RC given pydantic is only in
testing and unstable, and a fix should go into bullseye before the
bullseye release.
CVE-2021-29510[0]:
| Pydantic is a data validation and settings management using Python
| type hinting. In affected versions passing either `'infinity'`,
| `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date`
| fields causes validation to run forever with 100% CPU usage (on one
| CPU). Pydantic has been patched with fixes available in the following
| versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on
| pypi(https://pypi.org/project/pydantic/#history), and will be
| available on conda-forge(https://anaconda.org/conda-forge/pydantic)
| soon. See the changelog(https://pydantic-docs.helpmanual.io/) for
| details. If you absolutely can't upgrade, you can work around this
| risk using a validator(https://pydantic-
| docs.helpmanual.io/usage/validators/) to catch these values. This is
| not an ideal solution (in particular you'll need a slightly different
| function for datetimes), instead of a hack like this you should
| upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and
| are unable to upgrade to a fixed version of pydantic, please create an
| issue at https://github.com/samuelcolvin/pydantic/issues requesting a
| back-port, and we will endeavour to release a patch for earlier
| versions of pydantic.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29510
[1] https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
[2] https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri May 14 12:43:45 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.