Hello Salvatore,
many thanks for the report!

On 13/09/2022 22:14, Salvatore Bonaccorso wrote:
Source: python-oauthlib
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-oauthlib.

CVE-2022-36087[0]:
| OAuthLib is an implementation of the OAuth request-signing logic for
| Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
| providing malicious redirect uri can cause denial of service. An
| attacker can also leverage usage of `uri_validate` functions depending
| where it is used. OAuthLib applications using OAuth2.0 provider
| support or use directly `uri_validate` are affected by this issue.
| Version 3.2.1 contains a patch. There are no known workarounds.

Note that while it is claimed to be fixed in 3.2.1, the two commits
in [1] and [2] are not included in 3.2.1. There is a simple test case
to show the issue as well in the commit expanding the unittests.

I'm preparing a new upload for python-oauthlib and I will include also the two commits you mentioned. Thanks!

Regards,

--
Daniele Tricoli
https://mornie.org
