Version in base suite: 1.9.10-2
Base version: sentry-python_1.9.10-2
Target version: sentry-python_1.9.10-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sentry-python/sentry-python_1.9.10-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sentry-python/sentry-python_1.9.10-2+deb12u1.dsc
changelog | 7 +
patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch | 68 ++++++++++
patches/series | 1
3 files changed, 76 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpc34osdnm/sentry-python_1.9.10-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpc34osdnm/sentry-python_1.9.10-2+deb12u1.dsc: no acceptable signature found
diff -Nru sentry-python-1.9.10/debian/changelog sentry-python-1.9.10/debian/changelog
--- sentry-python-1.9.10/debian/changelog 2022-12-02 17:19:30.000000000 +0000
+++ sentry-python-1.9.10/debian/changelog 2026-05-25 04:33:13.000000000 +0000
@@ -1,3 +1,10 @@
+sentry-python (1.9.10-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: backport upstream fix for CVE-2024-40647 (Closes: #1083189)
+
+ -- Christopher Obbard Mon, 25 May 2026 05:33:13 +0100
+
 sentry-python (1.9.10-2) unstable; urgency=medium
 
 * Team upload.
diff -Nru sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch
--- sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch 1970-01-01 00:00:00.000000000 +0000
+++ sentry-python-1.9.10/debian/patches/CVE-2024-40647-dont-send-full-env-to-subprocess.patch 2026-05-25 04:33:13.000000000 +0000
@@ -0,0 +1,68 @@
+From: Ivana Kellyer
+Date: Mon, 8 Jul 2024 09:38:14 +0200
+Subject: fix(integrations): don't send full env to subprocess (#3251)
+
+During the arguments modification to `subprocess.Popen.__init__`,
+an explicitly empty environment of `{}` is incorrectly confused with a `None`
+environment. This causes sentry to pass the entire environment of the
+parent process instead of sending just the injected environment variables.
+
+Fix it by only replacing the environment with `os.environ` if the variable
+is None, and not just falsy.
+
+This fixes CVE-2024-40647.
+
+Co-authored-by: Kevin Michel
+
+Origin: upstream, https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
+Applied-Upstream: 2.8.0, https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
+Bug-Debian: https://bugs.debian.org/1083189
+Reviewed-by: Christopher Obbard
+Last-Update: 2026-05-25
+Signed-off-by: Christopher Obbard
+---
+ sentry_sdk/integrations/stdlib.py | 6 +++++-
+ tests/integrations/stdlib/test_subprocess.py | 13 +++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/sentry_sdk/integrations/stdlib.py b/sentry_sdk/integrations/stdlib.py
+index 9495d40..6a539b8 100644
+--- a/sentry_sdk/integrations/stdlib.py
++++ b/sentry_sdk/integrations/stdlib.py
+@@ -188,7 +188,11 @@ def _install_subprocess():
+ for k, v in hub.iter_trace_propagation_headers(span):
+ if env is None:
+ env = _init_argument(
+- a, kw, "env", 10, lambda x: dict(x or os.environ)
++ a,
++ kw,
++ "env",
++ 10,
++ lambda x: dict(x if x is not None else os.environ),
+ )
+ env["SUBPROCESS_" + k.upper().replace("-", "_")] = v
+
+diff --git a/tests/integrations/stdlib/test_subprocess.py b/tests/integrations/stdlib/test_subprocess.py
+index 31da043..702f8b5 100644
+--- a/tests/integrations/stdlib/test_subprocess.py
++++ b/tests/integrations/stdlib/test_subprocess.py
+@@ -179,6 +179,19 @@ def test_subprocess_basic(
+ assert sys.executable + " -c" in subprocess_init_span["description"]
+
+
++def test_subprocess_empty_env(sentry_init, monkeypatch):
++ monkeypatch.setenv("TEST_MARKER", "should_not_be_seen")
++ sentry_init(integrations=[StdlibIntegration()], traces_sample_rate=1.0)
++ with start_transaction(name="foo"):
++ args = [
++ sys.executable,
++ "-c",
++ "import os; print(os.environ.get('TEST_MARKER', None))",
++ ]
++ output = subprocess.check_output(args, env={}, universal_newlines=True)
++ assert "should_not_be_seen" not in output
++
++
+ def test_subprocess_invalid_args(sentry_init):
+ sentry_init(integrations=[StdlibIntegration()])
+
diff -Nru sentry-python-1.9.10/debian/patches/series sentry-python-1.9.10/debian/patches/series
--- sentry-python-1.9.10/debian/patches/series 2022-12-02 16:34:03.000000000 +0000
+++ sentry-python-1.9.10/debian/patches/series 2026-05-25 04:33:13.000000000 +0000
@@ -1 +1,2 @@
 debian-hacks/docs-Use-local-inventory-for-Python3.patch
+CVE-2024-40647-dont-send-full-env-to-subprocess.patch
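Review bot: The new test_subprocess_empty_env in the backported patch only covers the negative half of the fix — that the parent's TEST_MARKER no longer leaks into a child started with env={} — and never checks that the SUBPROCESS_* trace-propagation variables are still injected into that empty environment, so a regression that simply stopped touching env (leaving it as {}) would pass this test too. Extending the child's -c snippet to also report the injected keys, e.g. `"import os; print(os.environ.get('TEST_MARKER', None)); print(sorted(k for k in os.environ if k.startswith('SUBPROCESS_')))"`, and asserting that the printed list is non-empty pins both the exclusion of the inherited environment and the continued injection. The corrected lambda `dict(x if x is not None else os.environ)` itself looks right for the stdlib.py hunk, since only an explicit None should fall back to the inherited environment; the enclosing _install_subprocess and test_subprocess_basic definitions both start outside their hunks.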