[Bug 2115949] Re: Sync jinja2 from debian for questing

Graham Inggs 2115949 at bugs.launchpad.net
Fri Jul 4 10:46:18 UTC 2025


This bug was fixed in the package jinja2 - 3.1.6-1
Sponsored for Nishit Majithia (0xnishit)

---------------
jinja2 (3.1.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release:
    - CVE-2025-27516: The |attr filter does not bypass the environment's
      attribute lookup, allowing the sandbox to apply its checks (closes:
      #1099690).

 -- Colin Watson <cjwatson at debian.org>  Tue, 25 Mar 2025 22:31:52 +0000

** Changed in: jinja2 (Ubuntu)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-27516

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to jinja2 in Ubuntu.
https://bugs.launchpad.net/bugs/2115949

Title:
  Sync jinja2 from debian for questing

Status in jinja2 package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu (3.1.5-2ubuntu1) is currently carrying
  debian/patches/CVE-2025-27516.patch, which was added by Debian in
  3.1.6-1 (Debian bug: #1099690).

  In this case, there is no need for the diff we carry. We should sync
  jinja2 rather than merge.

  I have uploaded this package for testing here:
  https://launchpad.net/~0xnishit/+archive/ubuntu/devel-packages-ppa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jinja2/+bug/2115949/+subscriptions



