772932 – (CVE-2021-21330, GHSA-v6wp-4m6f-gcjg) <dev-python/aiohttp-3.7.4: Open redirect vulnerability in `aiohttp` (CVE-2021-21330)

Bug 772932 (CVE-2021-21330, GHSA-v6wp-4m6f-gcjg) - <dev-python/aiohttp-3.7.4: Open redirect vulnerability in `aiohttp` (CVE-2021-21330)

Summary: <dev-python/aiohttp-3.7.4: Open redirect vulnerability in `aiohttp` (CVE-2021...

Status:	RESOLVED FIXED

Alias:	CVE-2021-21330, GHSA-v6wp-4m6f-gcjg

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/aio-libs/aiohttp/s...
Whiteboard:	B4 [glsa+]
Keywords:

Depends on:
Blocks:

Reported:	2021-02-25 19:40 UTC by Michał Górny
Modified:	2022-08-10 22:34 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2021-02-25 19:40:59 UTC

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg


```
Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
```

Comment 1 NATTkA bot gentoo-dev

2021-02-25 19:44:51 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/aiohttp-3.7.4

Comment 2 NATTkA bot gentoo-dev

2021-02-25 19:48:52 UTC Comment hidden (obsolete)

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 3 John Helmert III archtester

2021-02-26 00:49:45 UTC

Thank you!

Comment 4 Sam James archtester

2021-02-27 10:07:06 UTC

x86 done

Comment 5 Sam James archtester

2021-02-27 10:07:57 UTC

ppc64 done

Comment 6 Sam James archtester

2021-02-27 10:09:05 UTC

ppc done

Comment 7 Sam James archtester

2021-02-27 12:31:49 UTC

arm64 done

Comment 8 Rolf Eike Beer archtester

2021-02-27 16:43:43 UTC

hppa/sparc stable

Comment 9 Sam James archtester

2021-02-28 21:34:29 UTC

arm done

Comment 10 Sam James archtester

2021-02-28 21:35:11 UTC

amd64 done

all arches done

Comment 11 Larry the Git Cow gentoo-dev

2021-02-28 21:41:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7123d5d2aee72acfa4b2e90fc66331b9948eddc5

commit 7123d5d2aee72acfa4b2e90fc66331b9948eddc5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-28 21:40:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-28 21:40:32 +0000

    dev-python/aiohttp: Remove old
    
    Bug: https://bugs.gentoo.org/772932
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/aiohttp/Manifest                |   4 -
 dev-python/aiohttp/aiohttp-3.6.2-r1.ebuild | 156 -----------------------------
 dev-python/aiohttp/aiohttp-3.7.1-r1.ebuild |  90 -----------------
 dev-python/aiohttp/aiohttp-3.7.2-r1.ebuild |  91 -----------------
 dev-python/aiohttp/aiohttp-3.7.3.ebuild    |  91 -----------------
 5 files changed, 432 deletions(-)

Comment 12 John Helmert III archtester

2021-02-28 23:22:58 UTC

Thank you!

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:23:51 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:32:16 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 17:40:09 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 17:48:19 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 17 NATTkA bot gentoo-dev

2021-07-29 18:04:16 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 18 NATTkA bot gentoo-dev

2021-07-29 18:12:34 UTC

Package list is empty or all packages have requested keywords.

Comment 19 John Helmert III archtester

2022-08-10 15:35:28 UTC

GLSA request filed.

Comment 20 Larry the Git Cow gentoo-dev

2022-08-10 22:33:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=39083bb85acf1f7a1d43ba6502dcfae335e3bf80

commit 39083bb85acf1f7a1d43ba6502dcfae335e3bf80
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:21 +0000

    [ GLSA 202208-19 ] aiohttp: Open redirect vulnerability
    
    Bug: https://bugs.gentoo.org/772932
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-19.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

Comment 21 John Helmert III archtester

2022-08-10 22:34:33 UTC

GLSA released, all done!