CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. Of course seems a little strange to say that remote attackers can DoS via the CLI, but these people seem to be doing their best to inflate impact anyway.
FWICS -40899 is future, whereas -40898 is wheel. Which one should the bug be about? xP
Hmm, our wheel (and all other packages from that list) is fixed, so I guess future.
Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34253f1de1ae27affcf1f7fc05440506638b9650 commit 34253f1de1ae27affcf1f7fc05440506638b9650 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-12-24 06:33:55 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-12-24 06:40:08 +0000 dev-python/future: Patch ReDoS copied from stdlib Bug: https://bugs.gentoo.org/888109 Signed-off-by: Michał Górny <mgorny@gentoo.org> .../files/future-0.18.2-cve-2022-40899.patch | 52 ++++++++++++++++++++++ ...re-0.18.2-r2.ebuild => future-0.18.2-r3.ebuild} | 11 ++++- 2 files changed, 61 insertions(+), 2 deletions(-)
