Bug 678480 (CVE-2019-7164) - <dev-python/sqlalchemy-1.3.3: SQL Injection when the order_by parameter can be controlled (CVE-2019-7164)
Summary: <dev-python/sqlalchemy-1.3.3: SQL Injection when the order_by parameter can b...
Status: RESOLVED FIXED
Alias: CVE-2019-7164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 670896
Blocks:
Reported: 2019-02-21 09:04 UTC by Agostino Sarubbo
Modified: 2020-04-16 07:04 UTC (History)
See Also:
Package list:
dev-python/sqlalchemy-1.3.3
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2019-02-21 09:04:35 UTC
From ${URL} :

A vulnerability was found in SQLAlchemy 1.2.17: an SQL injection when the order_by parameter can be controlled.

Upstream issue:

https://github.com/sqlalchemy/sqlalchemy/issues/4481

Upstream patch:

https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
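The defensive pattern behind this bug class, as an added example that is not part of the bug report, the Gentoo commit, or SQLAlchemy's own code: a DB-API bind parameter can only carry a value, never an identifier such as a column name or a sort direction, so an ORDER BY built from request input has to be resolved through an allowlist before it reaches the SQL string. The example uses the standard-library sqlite3 module rather than SQLAlchemy, and the table, column names and sort keys are constructed for the demo.

```python
"""
Added example (not from the Gentoo bug or SQLAlchemy): allowlisting a
user-controlled order_by parameter before it is spliced into a query.
Identifiers cannot go through a '?' placeholder, so the only safe source
for the ORDER BY text is a fixed mapping owned by the application.
Table, columns and sort keys below are constructed for the demo.
"""
import sqlite3

# Allowlist: API sort keys a client may request, mapped to the exact quoted
# SQL identifier that will be emitted. Nothing else is ever interpolated.
SORTABLE_COLUMNS = {
    "name": '"name"',
    "created": '"created_at"',
    "price": '"price_cents"',
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class UnsafeSortParameter(ValueError):
    """Raised when the order_by input is not on the allowlist."""


def build_order_by(order_by: str) -> str:
    """Translate a request parameter such as "price:desc" into an ORDER BY
    fragment. Input that is not on the allowlist is rejected rather than
    interpolated; that rejection is what keeps the query injection-free."""
    field, _, direction = order_by.partition(":")
    direction = direction or "asc"
    try:
        column = SORTABLE_COLUMNS[field.strip().lower()]
        order = DIRECTIONS[direction.strip().lower()]
    except KeyError:
        raise UnsafeSortParameter(f"order_by not permitted: {order_by!r}") from None
    return f"{column} {order}"


def list_products(conn: sqlite3.Connection, order_by: str, min_price: int):
    """Run the query: the identifier comes from build_order_by(), while the
    value (min_price) still travels through a normal bind parameter."""
    sql = (
        "SELECT name FROM products WHERE price_cents >= ? "
        f"ORDER BY {build_order_by(order_by)}"
    )
    return [row[0] for row in conn.execute(sql, (min_price,))]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory dataset for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, created_at TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [
            ("widget", "2019-01-01", 500),
            ("gadget", "2019-02-01", 1500),
            ("doohickey", "2019-03-01", 900),
        ],
    )
    return conn


def is_sort_rejected(order_by: str) -> bool:
    """True if the parameter is refused by the allowlist (used for checks)."""
    try:
        build_order_by(order_by)
    except UnsafeSortParameter:
        return True
    return False


if __name__ == "__main__":
    conn = make_demo_db()
    print(list_products(conn, "price:desc", 0))
    # Anything outside the allowlist, hostile or merely misspelled, is
    # refused before any SQL is assembled.
    print(is_sort_rejected("price; DROP TABLE products--"))
```

The mapping deliberately separates the API-facing key from the SQL identifier, so renaming a column later does not change the public parameter, and raw column names that are not meant to be sortable are rejected just like malformed input.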
Comment 1 Larry the Git Cow gentoo-dev 2019-04-29 12:18:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74d676f319dab3f9e24d291d20906ca90b83196a

commit 74d676f319dab3f9e24d291d20906ca90b83196a
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2019-04-29 12:12:54 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2019-04-29 12:13:49 +0000

    dev-python/sqlalchemy: bump to 1.3.3
    
    Bug: https://bugs.gentoo.org/678480
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 dev-python/sqlalchemy/Manifest                |  1 +
 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 63 +++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
Comment 2 Virgil Dupras (RETIRED) gentoo-dev 2019-04-29 12:21:58 UTC
Issue 4481 was addressed in upstream's 1.3 release.

Arches, please stabilize. Thanks!
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-29 20:17:14 UTC
ppc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-29 20:18:21 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-05-01 07:51:21 UTC
amd64 stable
Comment 6 Rolf Eike Beer archtester 2019-05-02 21:50:01 UTC
sparc stable
Comment 7 Larry the Git Cow gentoo-dev 2019-05-06 18:04:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06272e72a051f00d166ee600a04603b86a39ec9e

commit 06272e72a051f00d166ee600a04603b86a39ec9e
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 18:03:49 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 18:04:08 +0000

    dev-python/sqlalchemy-1.3.3-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/678480
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/sqlalchemy/sqlalchemy-1.3.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Markus Meier gentoo-dev 2019-05-09 04:44:54 UTC
arm stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-05-10 03:13:54 UTC
arm64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 00:42:53 UTC
x86 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-05-26 07:08:01 UTC
hppa stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-26 09:47:08 UTC
s390 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-01-20 23:24:33 UTC
ia64 stable
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 09:18:09 UTC
Cleanup done.
Comment 15 NATTkA bot gentoo-dev 2020-04-06 15:16:15 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:04:24 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].