Hi Daniele,

On Wed, Sep 14, 2022 at 10:37:08AM +0200, Daniele Tricoli wrote:
> Hello Salvatore,
> many thanks for the report!
>
> On 13/09/2022 22:14, Salvatore Bonaccorso wrote:
> > Source: python-oauthlib
> > Version: 3.2.0-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for python-oauthlib.
> >
> > CVE-2022-36087[0]:
> > | OAuthLib is an implementation of the OAuth request-signing logic for
> > | Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
> > | providing malicious redirect uri can cause denial of service. An
> > | attacker can also leverage usage of `uri_validate` functions depending
> > | where it is used. OAuthLib applications using OAuth2.0 provider
> > | support or use directly `uri_validate` are affected by this issue.
> > | Version 3.2.1 contains a patch. There are no known workarounds.
> >
> > Note that while it is claimed to be fixed in 3.2.1, the two commits
> > in [1] and [2] are not included in 3.2.1. There is a simple test case
> > to show the issue as well in the commit expanding the unittests.
>
> I'm preparing a new upload for python-oauthlib and I will also include the
> two commits you mentioned. Thanks!

Thanks to you for the quick action!

Regards,
Salvatore