
[SECURITY] [3803-1] astropy security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3803-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
April 30, 2024                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : astropy
Version        : 3.1.2-2+deb10u1
CVE ID         : CVE-2023-41334

It was discovered that there was a potential remote code execution
vulnerability in Astropy, a suite of tools, utilities and Python
utilities for astrophysics.

Improper input validation in the TransformGraph().to_dot_graph
function could have led to arbitrary command execution as values were
passed as the first argument to subprocess.Popen. Although an error
will be raised, the command or script would still be executed
successfully.

For Debian 10 buster, this problem has been fixed in version
3.1.2-2+deb10u1.

We recommend that you upgrade your astropy packages.

For the detailed security status of astropy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/astropy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
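
The pattern described in the advisory, as an added example that is not Astropy's code or the Debian patch: a caller-supplied value used as the program name for subprocess.Popen, next to a version that checks it against an allowlist before any process starts. The function names, the allowlist contents and the RecordingPopen test double are assumptions made for illustration.

```python
import subprocess

# Assumption: the Graphviz layout programs a caller may legitimately ask for.
ALLOWED_LAYOUTS = frozenset({"dot", "neato", "twopi", "circo", "fdp", "sfdp"})


class RecordingPopen:
    """Test double for subprocess.Popen: records argv, spawns nothing."""
    calls = []

    def __init__(self, argv, **kwargs):
        type(self).calls.append(list(argv))
        self.returncode = 1  # simulate the program exiting with an error

    def communicate(self, data=None):
        return b"", b"simulated failure"


def _run(layout, dot_source, popen):
    proc = popen([layout, "-Tplain"], stdin=subprocess.PIPE,
                 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate(dot_source.encode())
    if proc.returncode != 0:
        # By this point whatever `layout` named has already been started.
        raise OSError(err.decode(errors="replace"))
    return out.decode()


def render_unchecked(layout, dot_source, popen=subprocess.Popen):
    """Pre-fix pattern: the caller's value becomes argv[0] unvalidated."""
    return _run(layout, dot_source, popen)


def render_checked(layout, dot_source, popen=subprocess.Popen):
    """Hardened pattern: reject unknown programs before any process starts."""
    if layout not in ALLOWED_LAYOUTS:
        raise ValueError(f"unsupported layout program: {layout!r}")
    return _run(layout, dot_source, popen)


def demo(render, layout="constructed-untrusted-value"):
    """Return (exception type name, argv lists that reached Popen)."""
    RecordingPopen.calls = []
    try:
        render(layout, "digraph G { a -> b; }", popen=RecordingPopen)
    except (OSError, ValueError) as exc:
        return type(exc).__name__, RecordingPopen.calls
    return None, RecordingPopen.calls
```

Both variants raise for the constructed value, but only the unchecked one has already handed it to Popen when the error surfaces.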
