Bug 2336373
| Summary: | CVE-2024-56201 python-jinja2-time: Jinja has a sandbox breakout through malicious filenames [fedora-40] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | python-jinja2-time | Assignee: | fedepell <fede> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 40 | CC: | chedi.toueiti, fede, lbalhar, mhroncok |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["86e50811-8385-4179-baf9-8c5fcbbb22a2"]} | ||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-01-09 09:52:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2333854 | ||
|
Description
Avinash Hanwate
2025-01-08 09:21:14 UTC
How is python-jinja2-time affected by this? Yeah I believe the python-jinja2 component should be the correct one, not this extension. This project is not affected as it does not bundle the source code of jinja2. I've reported that issue to the Product Security team and their tooling and we'll be hopefully able to avoid unnecessary trackers in the future. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |