Bug 718810 (CVE-2019-13611)

Summary: <dev-python/python-engineio-3.12.1: Cross-site websocket hijacking (CVE-2019-13611)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: python, zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 00:54:09 UTC
CVE-2019-13611 (https://nvd.nist.gov/vuln/detail/CVE-2019-13611):
  An issue was discovered in python-engineio through 3.8.2. There is a
  Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers
  to make WebSocket connections to a server by using a victim's credentials,
  because the Origin header is not restricted.
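The CVE text above comes down to one missing check on the WebSocket handshake: a browser always sends an Origin header on the upgrade request, and a server that never looks at it will accept an upgrade initiated from any page, with the victim's cookies attached. The following is an added illustration, not code from python-engineio or from Gentoo, of what "restricting the Origin header" means in practice: an endpoint that ignores Origin (the vulnerable condition) beside one that compares it against a deployer-configured allowlist. The allowlist format, the 'same-origin' token, the function names and the sample handshake headers are all assumptions made up for this example.

```python
"""Origin check for WebSocket upgrade requests.

Added example, not code from python-engineio: contrasts an endpoint that
ignores Origin (the CVE-2019-13611 condition) with one that restricts it
to a deployer-configured allowlist.
"""
from urllib.parse import urlsplit

# Browsers send http/https origins; ws/wss spellings in an allowlist are folded in.
SCHEME_ALIAS = {"ws": "http", "wss": "https", "http": "http", "https": "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise_origin(origin):
    """Canonicalise 'scheme://host[:port]' to (scheme, host, port).

    Returns None for anything that is not a valid origin: the opaque value
    'null', a bare '*', or a value carrying a path, query or userinfo.
    """
    parts = urlsplit(origin.strip())
    scheme = SCHEME_ALIAS.get(parts.scheme.lower())
    if scheme is None or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (scheme, parts.hostname.lower(), port)


def origin_allowed(headers, allowed_origins, request_scheme="https"):
    """Return True when a WebSocket upgrade with these headers may proceed.

    allowed_origins: None means 'no restriction' (the vulnerable behaviour);
        otherwise an iterable of origin strings. The hypothetical token
        'same-origin' (an assumption of this example) matches an Origin equal
        to the request's own Host header under request_scheme.
    Requests without an Origin header come from non-browser clients, which do
    not carry ambient cookies, so they are accepted; that is a policy choice.
    """
    if allowed_origins is None:
        return True
    hdrs = {name.lower(): value for name, value in headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        return True
    requested = normalise_origin(origin)
    if requested is None:
        return False
    for entry in allowed_origins:
        candidate = (f"{request_scheme}://{hdrs.get('host', '')}"
                     if entry == "same-origin" else entry)
        if normalise_origin(candidate) == requested:
            return True
    return False


def handshake_status(headers, allowed_origins, request_scheme="https"):
    """HTTP status for the upgrade: 101 Switching Protocols or 403 Forbidden."""
    return 101 if origin_allowed(headers, allowed_origins, request_scheme) else 403


# Constructed sample handshakes; not captured traffic.
LEGIT = {"Host": "app.example", "Origin": "https://app.example",
         "Upgrade": "websocket", "Cookie": "session=abc"}
CROSS_SITE = {"Host": "app.example", "Origin": "https://attacker.example",
              "Upgrade": "websocket", "Cookie": "session=abc"}
NON_BROWSER = {"Host": "app.example", "Upgrade": "websocket"}

if __name__ == "__main__":
    for label, hdrs in (("same-origin page", LEGIT),
                        ("cross-site page", CROSS_SITE),
                        ("non-browser client", NON_BROWSER)):
        print(f"{label:20} unrestricted={handshake_status(hdrs, None)}"
              f"  restricted={handshake_status(hdrs, ['same-origin'])}")
```

Two details matter for a check like this. Comparison is on the normalised (scheme, host, port) tuple rather than on a string prefix, so `https://app.example.attacker.example` does not match `https://app.example`, and a wildcard entry such as `*` simply never matches because it is not a valid origin. The opaque origin `null`, which a browser sends from sandboxed or data: contexts, is likewise rejected rather than treated as "no Origin".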
Comment 1 Larry the Git Cow gentoo-dev 2020-04-22 01:20:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a36eef3377052cb6c30ef16dfd4465425e292b

commit f1a36eef3377052cb6c30ef16dfd4465425e292b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-22 01:18:47 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-22 01:19:27 +0000

    dev-python/python-engineio: drop vulnerable version 2.2.0
    
    Bug: https://bugs.gentoo.org/718810
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 dev-python/python-engineio/Manifest                |  1 -
 .../python-engineio/python-engineio-2.2.0.ebuild   | 27 ----------------------
 2 files changed, 28 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 04:08:41 UTC
Thanks!