| Summary: | <dev-python/future-0.18.2-r3: ReDoS | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | ||
| Severity: | minor | CC: | mgorny, python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ | ||
| See Also: | https://github.com/PythonCharmers/python-future/pull/610 | ||
| Whiteboard: | B3 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
John Helmert III
2022-12-23 22:04:24 UTC
FWICS -40899 is future, whereas -40898 is wheel. Which one should the bug be about? xP Hmm, our wheel (and all other packages from that list) is fixed, so I guess future. Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34253f1de1ae27affcf1f7fc05440506638b9650 commit 34253f1de1ae27affcf1f7fc05440506638b9650 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-12-24 06:33:55 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-12-24 06:40:08 +0000 dev-python/future: Patch ReDoS copied from stdlib Bug: https://bugs.gentoo.org/888109 Signed-off-by: Michał Górny <mgorny@gentoo.org> .../files/future-0.18.2-cve-2022-40899.patch | 52 ++++++++++++++++++++++ ...re-0.18.2-r2.ebuild => future-0.18.2-r3.ebuild} | 11 ++++- 2 files changed, 61 insertions(+), 2 deletions(-) |