
Bug 772932 (CVE-2021-21330, GHSA-v6wp-4m6f-gcjg)

Summary: <dev-python/aiohttp-3.7.4: Open redirect vulnerability in `aiohttp` (CVE-2021-21330)
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python, zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Whiteboard: B4 [glsa+]
Package list: (empty)
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:40:59 UTC
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg


```
Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.
```
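The advisory names the middleware but not the mechanism. As an added example (not aiohttp's code and not part of this bug report), the block below models what a path-normalizing redirect middleware does (collapse repeated slashes, append a trailing slash, redirect to the canonical path) and adds the guard a defender would want in front of the redirect: refuse to emit a Location that a browser could resolve against another origin. It assumes the scheme-relative `//host/` form as the classic way a path-looking value turns into a cross-origin redirect; whether that is exactly what triggered this advisory is not stated on the page. All function names are hypothetical.

```python
"""Constructed example: path normalization with an open-redirect guard.

Models the two normalizations a middleware like
aiohttp.web_middlewares.normalize_path_middleware performs, then checks
the redirect target before it is ever placed in a Location header.
"""
import re
from typing import Optional
from urllib.parse import urlsplit


def is_same_origin_location(location: str) -> bool:
    """True only if `location` can be read as a path on this server.

    Rejects values with a scheme or host, and the scheme-relative forms
    (`//host`, `/\\host`) that browsers resolve against another origin
    even though they start with a slash.  (Assumed failure mode.)
    """
    if not location.startswith("/"):
        return False                      # relative or scheme-prefixed: not a local path
    if len(location) > 1 and location[1] in "/\\":
        return False                      # `//host/...` or `/\host/...`
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


def normalize_path(raw_path: str, *, merge_slashes: bool = True,
                   append_slash: bool = True) -> str:
    """Canonical form of a request path, query string preserved."""
    path, sep, query = raw_path.partition("?")
    if merge_slashes:
        path = re.sub("/+", "/", path)    # "/a//b" -> "/a/b"
    if append_slash and not path.endswith("/"):
        path += "/"                       # "/a/b" -> "/a/b/"
    return path + sep + query


def redirect_target(raw_path: str, **opts) -> Optional[str]:
    """Location to redirect to, or None when no redirect should be issued.

    None is returned both when normalization changes nothing and when the
    normalized value would not stay on this origin; the caller should then
    serve 404 rather than redirect.
    """
    target = normalize_path(raw_path, **opts)
    if target == raw_path:
        return None
    if not is_same_origin_location(target):
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: a benign un-normalized path and a crafted one.
    for raw, opts in [("/docs", {}),
                      ("/a//b?x=1", {}),
                      ("//attacker.invalid", {"merge_slashes": False})]:
        print(f"{raw!r:28} -> {redirect_target(raw, **opts)!r}")
```

With `merge_slashes` enabled the leading double slash collapses and the redirect stays local; with it disabled, appending a slash alone would yield `//attacker.invalid/`, which the guard rejects so that no redirect is issued at all.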
Comment 1 NATTkA bot gentoo-dev 2021-02-25 19:44:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-02-25 19:48:52 UTC Comment hidden (obsolete)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 00:49:45 UTC
Thank you!
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 10:07:06 UTC
x86 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 10:07:57 UTC
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 10:09:05 UTC
ppc done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-27 12:31:49 UTC
arm64 done
Comment 8 Rolf Eike Beer archtester 2021-02-27 16:43:43 UTC
hppa/sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-28 21:34:29 UTC
arm done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-28 21:35:11 UTC
amd64 done

all arches done
Comment 11 Larry the Git Cow gentoo-dev 2021-02-28 21:41:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7123d5d2aee72acfa4b2e90fc66331b9948eddc5

commit 7123d5d2aee72acfa4b2e90fc66331b9948eddc5
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-28 21:40:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-28 21:40:32 +0000

    dev-python/aiohttp: Remove old
    
    Bug: https://bugs.gentoo.org/772932
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/aiohttp/Manifest                |   4 -
 dev-python/aiohttp/aiohttp-3.6.2-r1.ebuild | 156 -----------------------------
 dev-python/aiohttp/aiohttp-3.7.1-r1.ebuild |  90 -----------------
 dev-python/aiohttp/aiohttp-3.7.2-r1.ebuild |  91 -----------------
 dev-python/aiohttp/aiohttp-3.7.3.ebuild    |  91 -----------------
 5 files changed, 432 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-28 23:22:58 UTC
Thank you!
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:23:51 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:32:16 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:40:09 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 17:48:19 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 18:04:16 UTC Comment hidden (obsolete)
Comment 18 NATTkA bot gentoo-dev 2021-07-29 18:12:34 UTC
Package list is empty or all packages have requested keywords.
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:35:28 UTC
GLSA request filed.
Comment 20 Larry the Git Cow gentoo-dev 2022-08-10 22:33:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=39083bb85acf1f7a1d43ba6502dcfae335e3bf80

commit 39083bb85acf1f7a1d43ba6502dcfae335e3bf80
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:21 +0000

    [ GLSA 202208-19 ] aiohttp: Open redirect vulnerability
    
    Bug: https://bugs.gentoo.org/772932
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-19.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 21 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:34:33 UTC
GLSA released, all done!