Source: python-oauthlib
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-oauthlib.

CVE-2022-36087[0]:
| OAuthLib is an implementation of the OAuth request-signing logic for
| Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
| providing malicious redirect uri can cause denial of service. An
| attacker can also leverage usage of `uri_validate` functions depending
| where it is used. OAuthLib applications using OAuth2.0 provider
| support or use directly `uri_validate` are affected by this issue.
| Version 3.2.1 contains a patch. There are no known workarounds.

Note that while it is claimed to be fixed in 3.2.1, the two commits in [1] and [2] are not included in 3.2.1. There is a simple test case to show the issue as well in the commit expanding the unittests.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36087
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36087
[1] https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
[2] https://github.com/oauthlib/oauthlib/commit/e514826eea15f2b62bbc13da407b71552ef5ff4c
[3] https://github.com/oauthlib/oauthlib/commit/5d85c61998692643dd9d17e05d2646e06ce391e8

Regards,
Salvatore