[SECURITY] [DLA 4126-1] jinja2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4126-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Lucas Kanashiro
April 13, 2025                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jinja2
Version : 2.11.3-1+deb11u3
CVE ID : CVE-2024-56326 CVE-2025-27516
Debian Bug : #1091331, #1099690
Two vulnerabilities were found in jinja2, a template engine. Rendering
untrusted templates could allow an attacker to execute arbitrary Python
code.
CVE-2024-56326
Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects
calls to str.format allows an attacker that controls the content of a
template to execute arbitrary Python code. To exploit the vulnerability, an
attacker needs to control the content of a template. Whether that is the
case depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates. Jinja's
sandbox does catch calls to str.format and ensures they don't escape the
sandbox. However, it's possible to store a reference to a malicious string's
format method, then pass that to a filter that calls it. No such filters are
built into Jinja, but they could be present through custom filters in an
application. After the fix, such indirect calls are also handled by the
sandbox.
CVE-2025-27516
Prior to 3.1.6, an oversight in how the Jinja sandboxed environment
interacts with the |attr filter allows an attacker that controls the
content of a template to execute arbitrary Python code. To exploit the
vulnerability, an attacker needs to control the content of a template.
Whether that is the case depends on the type of application using Jinja.
This vulnerability impacts users of applications which execute untrusted
templates. Jinja's sandbox does catch calls to str.format and ensures they
don't escape the sandbox. However, it's possible to use the |attr filter to
get a reference to a string's plain format method, bypassing the sandbox.
After the fix, the |attr filter no longer bypasses the environment's
attribute lookup.
For Debian 11 bullseye, these problems have been fixed in version
2.11.3-1+deb11u3.
We recommend that you upgrade your jinja2 packages.
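As an added example (not part of this advisory), the following Python check compares installed package versions against the fixed version above using dpkg's version ordering rules (epoch, then upstream, then Debian revision, with `~` sorting first and digit runs compared numerically). The binary package name python3-jinja2 and the dpkg-query output lines are assumptions constructed for the example.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg char weight: '~' < end of string (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 if c else 0

def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        if _order(x) != _order(y):
            return -1 if _order(x) < _order(y) else 1
    return 0

def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, as dpkg's verrevcmp() does.
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        if r := _cmp_nondigit(pa, pb):
            return r
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    # [epoch:]upstream[-debian_revision]; epoch defaults to 0, revision to "".
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def dpkg_compare(a, b):
    """Return -1, 0 or 1, ordering a and b like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Fixed version from DLA-4126-1; binary name python3-jinja2 is an assumption.
FIXED = {"python3-jinja2": "2.11.3-1+deb11u3"}
# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_DPKG_QUERY = "python3-jinja2 2.11.3-1\npython3-yaml 5.3.1-5\n"

def find_unpatched(dpkg_output, fixed=FIXED):
    hits = []  # (package, installed, fixed) for tracked packages below the fix
    for line in dpkg_output.splitlines():
        name, _, ver = line.partition(" ")
        if name in fixed and ver and dpkg_compare(ver, fixed[name]) < 0:
            hits.append((name, ver, fixed[name]))
    return hits
```

Feed it real `dpkg-query -W -f '${Package} ${Version}\n'` output to list hosts that still carry a jinja2 build older than the fixed version.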
For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS