Your message dated Sun, 12 Jan 2025 18:05:49 +0000
with message-id <e1tx2ln-009zhv...@fasolo.debian.org>
and subject line Bug#1078879: fixed in python-webob 1:1.8.9-1
has caused the Debian Bug report #1078879,
regarding python-webob: CVE-2024-42353
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1078879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078879
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-webob
Version: 1:1.8.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-webob.
CVE-2024-42353[0]:
| WebOb provides objects for HTTP requests and responses. When WebOb
| normalizes the HTTP Location header to include the request hostname,
| it does so by parsing the URL that the user is to be redirected to
| with Python's urlparse, and joining it to the base URL. `urlparse`
| however treats a `//` at the start of a string as a URI without a
| scheme, and then treats the next part as the hostname. `urljoin`
| will then use that hostname from the second part as the hostname
| replacing the original one from the request. This vulnerability is
| patched in WebOb version 1.8.8.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-42353
https://www.cve.org/CVERecord?id=CVE-2024-42353
[1] https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
[2] https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
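To illustrate the urlparse/urljoin behaviour the advisory quoted above describes, here is an added Python example; it is not WebOb's code nor the upstream fix. A naive join that adopts the foreign host from a `//`-prefixed Location value sits beside a hardened normalisation that keeps the request host. The request URL and Location values are constructed for the illustration.

```python
from urllib.parse import urljoin, urlparse, urlunparse

# Constructed request URL standing in for what a framework derives from the
# incoming request (scheme + Host header). Illustration only, not WebOb code.
REQUEST_URL = "https://app.example.test/accounts/login"


def naive_absolute_location(request_url, location):
    """The pattern the advisory describes: parse the Location value and join it
    onto the request URL. urlparse reads a leading '//' as a scheme-relative
    reference whose netloc is the next segment, and urljoin then keeps that
    netloc in place of the request host."""
    return urljoin(request_url, location)


def safe_absolute_location(request_url, location):
    """Hardened variant (our own illustration, not the upstream fix): an
    absolute or scheme-relative Location is accepted only when its netloc
    equals the request netloc; a rooted relative reference is collapsed to a
    single leading '/' so that '//', '/\\' or '///' cannot be re-read as an
    authority by a browser or another parser. Anything else goes to '/'."""
    req = urlparse(request_url)
    loc = urlparse(location)
    if loc.scheme or loc.netloc:
        # Covers 'https://evil.test/', '//evil.test/' and 'javascript:...'.
        if loc.netloc.lower() != req.netloc.lower():
            return urlunparse((req.scheme, req.netloc, "/", "", "", ""))
        return urlunparse((loc.scheme or req.scheme, req.netloc,
                           loc.path or "/", loc.params, loc.query, loc.fragment))
    if location[:1] in ("/", "\\"):
        # Rooted path: squash any run of leading slashes/backslashes.
        location = "/" + location.lstrip("/\\")
    return urljoin(request_url, location)


if __name__ == "__main__":
    for value in ("/dashboard", "//evil.test/phish", "///evil.test"):
        print(f"{value!r:22} naive -> {naive_absolute_location(REQUEST_URL, value)}")
        print(f"{'':22} safe  -> {safe_absolute_location(REQUEST_URL, value)}")
```

Note that `///evil.test` is not caught by the netloc check alone (urlparse reports an empty netloc for it), which is why the hardened variant also collapses leading slashes.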
--- Begin Message ---
Source: python-webob
Source-Version: 1:1.8.9-1
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-webob, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-webob package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 12 Jan 2025 17:39:16 +0000
Source: python-webob
Architecture: source
Version: 1:1.8.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1078879
Changes:
python-webob (1:1.8.9-1) unstable; urgency=medium
.
* Team upload.
* Adjust debian/watch for recent PyPI URL changes.
* New upstream release:
- CVE-2024-42353: The use of WebOb's Response object to redirect a
request to a new location could lead to an open redirect if the
Location header is not a full URI (closes: #1078879).
* Fix file names in patched intersphinx_mapping.
* Use dh-sequence-python3 and dh-sequence-sphinxdoc.
--- End Message ---