Bug 761840 (CVE-2020-35678) - <dev-python/autobahn-20.12.3: Redirect header injection (CVE-2020-35678)
Summary: <dev-python/autobahn-20.12.3: Redirect header injection (CVE-2020-35678)
Status: IN_PROGRESS
Alias: CVE-2020-35678
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/crossbario/autobah...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 754414 765901
Blocks:
Reported: 2020-12-27 00:48 UTC by Sam James
Modified: 2022-06-02 22:05 UTC
CC: 3 users

See Also:
Package list:
dev-python/autobahn-20.12.3
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 00:48:23 UTC
Description:
"Autobahn before 20.12.3 allows redirect header injection."
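The description says only "redirect header injection". The following is an added illustration of that bug class, written for this page; it is not autobahn's code and does not claim to reproduce the autobahn fix. It builds a hand-rolled HTTP redirect two ways: one copies the target URL verbatim into the Location header, so a CR/LF pair inside the URL terminates the header line and lets the caller append arbitrary headers; the other percent-encodes the target first. The function names, the response layout and the malicious target string are all constructed for the example.

```python
# Added example (not autobahn's code): CRLF injection into a redirect's
# Location header, with an unsafe and a hardened response builder, plus a
# naive header parser to show what a client would actually see.
from urllib.parse import quote

CRLF = "\r\n"

# Constructed attacker-controlled redirect target: the CR/LF after the path
# ends the Location line and smuggles in a Set-Cookie header.
MALICIOUS_TARGET = "http://example.invalid/\r\nSet-Cookie: session=attacker"


def build_redirect_unsafe(location: str) -> bytes:
    """Emit a 303 redirect, copying `location` into the header verbatim.

    Hypothetical vulnerable pattern: nothing stops a CR/LF in `location`
    from starting a new header line.
    """
    return (
        "HTTP/1.1 303 See Other" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Same response, but percent-encode the target before it reaches the
    header line, keeping only characters that are legitimate in a URL.

    After quoting, CR and LF become %0D and %0A, so the header line cannot
    be broken. The control-character check is defence in depth.
    """
    encoded = quote(location, safe=":/?#[]@!$&'()*+,;=%~")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in encoded):
        raise ValueError("control character in redirect target")
    return (
        "HTTP/1.1 303 See Other" + CRLF
        + "Location: " + encoded + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Split a response head the way a simple client would: one header per
    CRLF-terminated line, names lower-cased. Returns {name: value}."""
    head = raw.decode("latin-1").split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    print("unsafe :", parse_headers(build_redirect_unsafe(MALICIOUS_TARGET)))
    print("safe   :", parse_headers(build_redirect_safe(MALICIOUS_TARGET)))
```

With the unsafe builder the parsed response carries a `set-cookie` header the server never intended to send; with the encoded builder the whole attacker string stays inside the Location value as `%0D%0A...`. Whether to encode or to reject such a target outright is a policy choice; rejecting is simpler to reason about when the redirect target is meant to come only from trusted configuration.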
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 00:49:09 UTC
Please bump to 20.12.3, thanks!
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 08:44:49 UTC
IIRC the bump is non-trivial and requires changes to the test phase.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 16:40:44 UTC
(In reply to Michał Górny from comment #2)
> IIRC the bump is non-trivial and requires changes to the test phase.

Unfortunate. Ping dolsen.
Comment 4 Larry the Git Cow gentoo-dev 2021-01-17 18:51:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2581b9ad72da062585285a9977f942954995219c

commit 2581b9ad72da062585285a9977f942954995219c
Author:     Brian Dolbec <dolsen@gentoo.org>
AuthorDate: 2021-01-17 18:44:32 +0000
Commit:     Brian Dolbec <dolsen@gentoo.org>
CommitDate: 2021-01-17 18:45:31 +0000

    dev-python/autobahn: Version bump to 20.12.3, adds python-3.9
    
    (CVE-2020-35678)
    Bug: https://bugs.gentoo.org/761840
    Closes: https://bugs.gentoo.org/761439
    Package-Manager: Portage-3.0.10, Repoman-3.0.2
    Signed-off-by: Brian Dolbec <dolsen@gentoo.org>

 dev-python/autobahn/Manifest                |   1 +
 dev-python/autobahn/autobahn-20.12.3.ebuild | 105 ++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 03:02:28 UTC
Please proceed with stabilization when ready.
Comment 6 NATTkA bot gentoo-dev 2021-01-18 03:04:58 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-01-18 11:49:15 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-01-18 11:52:58 UTC Comment hidden (obsolete)
Comment 9 Agostino Sarubbo gentoo-dev 2021-01-21 07:42:06 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-03-28 10:02:49 UTC
x86 stable
Comment 11 NATTkA bot gentoo-dev 2021-04-01 19:09:43 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-04-01 20:11:56 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-04-01 22:05:33 UTC Comment hidden (obsolete)
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:39:52 UTC
arm done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 12:41:34 UTC
arm64 done

all arches done
Comment 16 NATTkA bot gentoo-dev 2021-05-16 15:12:25 UTC
Unable to check for sanity:

> no match for package: dev-python/autobahn-20.12.3