ELA-1100-1 python-pymysql security update

SQL injection vulnerability

2024-05-27
Packagepython-pymysql
Version0.7.10-1+deb9u1 (stretch)
Related CVEs CVE-2024-36039


It was discovered that there was a potential SQL injection attack in python-pymysql, a MySQL client library for Python. This was exploitable when python-pymysql was used with untrusted JSON input as keys were not escaped by the escape_dict routine.



For Debian 9 stretch, these problems have been fixed in version 0.7.10-1+deb9u1.

We recommend that you upgrade your python-pymysql packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.