CVE-2021-3654

A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.

https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66

RedHat issued this as an Openstack Nova vulnerability, but this actually seems to be a CVE to indicate that Nova worked around a known, different Python bug. From the commit,

"Our console proxies (novnc, serial, spice) run in a websockify server whose request handler inherits from the python standard SimpleHTTPRequestHandler. There is a known issue [1] in the SimpleHTTPRequestHandler which allows open redirects by way of URLs in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com."

The Python issue at URL was closed as a duplicate of https://bugs.python.org/issue43223, which has a reference to a stalled PR: https://github.com/python/cpython/pull/24848.
(In reply to John Helmert III from comment #0)
> [...]
> The Python issue at URL was closed as a duplicate of
> https://bugs.python.org/issue43223, which has a reference to a stalled
> PR: https://github.com/python/cpython/pull/24848.

... which was closed in favor of https://github.com/python/cpython/pull/93879, merged in mainline as:

https://github.com/python/cpython/commit/4abab6b603dd38bec1168e9a37c40a48ec89508e

Which seems to have only been backported into 3.11.0 and 3.10.6.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36063b2db18e7ab9604a7d876d74494a7883f2b0

commit 36063b2db18e7ab9604a7d876d74494a7883f2b0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:57:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.8.13_p5

    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest | 1 +
 dev-lang/python/python-3.8.13_p5.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ac85939cdee26b89aeb9e500d97d3c798a1f57f

commit 2ac85939cdee26b89aeb9e500d97d3c798a1f57f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:51:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.9.13_p2

    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest | 1 +
 dev-lang/python/python-3.9.13_p2.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5

    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest | 1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Python 2.7 is probably affected too but the code changed a lot, so verifying would take more time than I can spend.
This seems to have gotten another CVE.

CVE-2021-28861 (https://bugs.python.org/issue43223):
https://github.com/python/cpython/pull/93879
https://github.com/python/cpython/pull/24848

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple (/) at the beginning of URI path which may lead to information disclosure.
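
Added example (not code from Nova, CPython or this bug report): a sketch of why a request path beginning with `//` yields an off-site `Location` when a handler splits the URL, appends the missing trailing slash and re-joins it, and how collapsing the leading slashes keeps the redirect on the origin. All function names and the sample paths are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def directory_redirect_location(request_path: str) -> str:
    """Build the Location value the way a handler does when it appends the
    missing trailing slash to a directory URL (split, add '/', rejoin)."""
    p = urlsplit(request_path)
    return urlunsplit((p.scheme, p.netloc, p.path + "/", p.query, p.fragment))


def collapse_leading_slashes(request_path: str) -> str:
    """Guard: reduce any run of leading '/' to one, so the path can never be
    parsed as a scheme-less '//host/...' reference."""
    if request_path.startswith("//"):
        return "/" + request_path.lstrip("/")
    return request_path


def leaves_origin(location: str) -> bool:
    """True when a client would resolve the redirect target to another host."""
    return bool(urlsplit(location).netloc)


def audit(request_paths):
    """Return (path, unguarded Location, guarded Location) for every request
    path whose unguarded redirect would leave the origin."""
    findings = []
    for path in request_paths:
        unguarded = directory_redirect_location(path)
        if leaves_origin(unguarded):
            guarded = directory_redirect_location(collapse_leading_slashes(path))
            findings.append((path, unguarded, guarded))
    return findings


# Constructed sample request paths; the second uses the form quoted in comment #0.
SAMPLE_PATHS = ["/static/js", "//example.com/%2F..", "/app/static"]

if __name__ == "__main__":
    for path, before, after in audit(SAMPLE_PATHS):
        print(f"{path!r}: Location {before!r} -> with guard {after!r}")
```

The same `startswith("//")` test can be used when reviewing proxy access logs for requests that reached an unpatched handler.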
cleanup done.
Thank you!
GLSA requested
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)