Version in base suite: 2025.01.13+ds-1 Base version: python-parsl_2025.01.13+ds-1 Target version: python-parsl_2025.01.13+ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-parsl/python-parsl_2025.01.13+ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-parsl/python-parsl_2025.01.13+ds-1+deb13u1.dsc changelog | 7 ++++ patches/CVE-2026-21892.patch | 70 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 78 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpt0uzb0p4/python-parsl_2025.01.13+ds-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpt0uzb0p4/python-parsl_2025.01.13+ds-1+deb13u1.dsc: no acceptable signature found
diff: /srv/release.debian.org/tmp/lBFJUckID2/python-parsl-2025.01.13+ds/parsl/tests/sites/test_mpi/mpi_hello: No such file or directory
diff: /srv/release.debian.org/tmp/qTACs8MpRd/python-parsl-2025.01.13+ds/parsl/tests/sites/test_mpi/mpi_hello: No such file or directory
diff -Nru python-parsl-2025.01.13+ds/debian/changelog python-parsl-2025.01.13+ds/debian/changelog
--- python-parsl-2025.01.13+ds/debian/changelog 2025-01-14 21:00:49.000000000 +0000
+++ python-parsl-2025.01.13+ds/debian/changelog 2026-01-09 19:02:48.000000000 +0000
@@ -1,3 +1,10 @@
+python-parsl (2025.01.13+ds-1+deb13u1) trixie-security; urgency=medium
+
+ * CVE-2026-21892.patch: new: fix sql injection vulnerability.
+ This change addresses the CVE-2026-21892. (Closes: #1125085)
+
+ -- Étienne Mollier Fri, 09 Jan 2026 20:02:48 +0100
+
 python-parsl (2025.01.13+ds-1) unstable; urgency=medium
 * New upstream version 2025.01.13+ds
diff -Nru python-parsl-2025.01.13+ds/debian/patches/CVE-2026-21892.patch python-parsl-2025.01.13+ds/debian/patches/CVE-2026-21892.patch
--- python-parsl-2025.01.13+ds/debian/patches/CVE-2026-21892.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-parsl-2025.01.13+ds/debian/patches/CVE-2026-21892.patch 2026-01-09 19:00:41.000000000 +0000
@@ -0,0 +1,70 @@
+Applied-Upstream: 013a928461e70f38a33258bd525a351ed828e974
+Author: Ben Clifford
+Last-Update: 2026-01-05
+Description: Switch two visualization views to safer SQL parameter style (#4049)
+ Prior to this PR, these two SQL statements were formed by direct string
+ substitution, which allowed arbitrary text injection into the SQL
+ string.
+ .
+ I think in the default configuration this isn't a security
+ vulnerability, because whatever is injected at these points is limited
+ in what it can do: the database is already public because thats what
+ parsl-visualize does, and sqlite will not allow other commands to be
+ executed alongside the query.
+ .
+ This was reported by @viralvaghela in
+ https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
+ (unpublished at time of commit)
+ .
+ # Changed Behaviour
+ .
+ In the happy path, nothing. In error paths, malformed (malicious or not)
+ workflow identifiers will not leak into SQL.
+ .
+ # Fixes
+ .
+ https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58
+ .
+ ## Type of change
+ .
+ - Bug fix
+Reviewed-By: Étienne Mollier
+
+diff --git a/parsl/monitoring/visualization/views.py b/parsl/monitoring/visualization/views.py
+index 8e341191..02e7b04a 100644
+--- a/parsl/monitoring/visualization/views.py
++++ b/parsl/monitoring/visualization/views.py
+@@ -1,4 +1,5 @@
+ import pandas as pd
++import sqlalchemy
+ from flask import current_app as app
+ from flask import render_template
+
+@@ -143,9 +144,9 @@ def workflow_dag_details(workflow_id, path):
+ FROM status
+ WHERE status.task_id = task.task_id and status.run_id = task.run_id
+ )
+- WHERE task.run_id='%s'""" % (workflow_id)
++ WHERE task.run_id=:run_id"""
+
+- df_tasks = pd.read_sql_query(query, db.engine)
++ df_tasks = pd.read_sql_query(sqlalchemy.text(query), db.engine, params={"run_id": workflow_id})
+
+ group_by_apps = (path == "group_by_apps")
+ return render_template('dag.html',
+@@ -166,10 +167,11 @@ def workflow_resources(workflow_id):
+ message="Workflow %s does not have any resource usage records." % workflow_id)
+
+ df_task = queries.tasks_for_workflow(workflow_id, db.engine)
+- df_task_tries = pd.read_sql_query("""SELECT task.task_id, task_func_name,
+- task_try_time_launched, task_try_time_running, task_try_time_returned from task, try
+- WHERE task.task_id = try.task_id AND task.run_id='%s' and try.run_id='%s'"""
+- % (workflow_id, workflow_id), db.engine)
++
++ query = """SELECT task.task_id, task_func_name,
++ task_try_time_launched, task_try_time_running, task_try_time_returned from task, try
++ WHERE task.task_id = try.task_id AND task.run_id=:run_id and try.run_id=task.run_id"""
++ df_task_tries = pd.read_sql_query(query, db.engine, params={"run_id": workflow_id})
+ df_node = queries.nodes_for_workflow(workflow_id, db.engine)
+
+ return render_template('resource_usage.html', workflow_details=workflow_details,
diff -Nru python-parsl-2025.01.13+ds/debian/patches/series python-parsl-2025.01.13+ds/debian/patches/series
--- python-parsl-2025.01.13+ds/debian/patches/series
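Review bot: The two rewritten call sites in the embedded views.py patch are not consistent: the workflow_dag_details query is wrapped in `sqlalchemy.text(query)` before being handed to pd.read_sql_query, while the new workflow_resources query on the last added lines is passed as a bare string with the same `:run_id` placeholder and params dict. Whether a bare string with named placeholders is executed through SQLAlchemy's text() handling or sent to the DB-API driver unchanged depends on the pandas and SQLAlchemy versions shipped with the package and on the driver's paramstyle, so the second site may fail on a backend where the first works; using the same form at both, `df_task_tries = pd.read_sql_query(sqlalchemy.text(query), db.engine, params={"run_id": workflow_id})`, removes that dependency. Both workflow_dag_details and workflow_resources start and end outside the quoted hunks, so any other string-formatted SQL elsewhere in those functions is not visible here.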
2025-01-14 21:00:49.000000000 +0000
+++ python-parsl-2025.01.13+ds/debian/patches/series 2026-01-09 18:59:14.000000000 +0000
@@ -2,3 +2,4 @@
 privacy-breaches.patch
 offline-documentation.patch
 sphinx-autodoc-preserve-argdefaults.patch
+CVE-2026-21892.patch