From ${URL} : === Summary === Occasionally objects would be transmitted as a repr() of an object instead of a JSON serialization. In order to restore this representation to python code while parsing the JSON, Djblets would use the eval() routine to execute them, leading to a risk of executing arbitrary code in the Review Board process. === Affected Deployments === All Djblets deployments (and therefore all existing Review Board deployments) are vulnerable to this flaw. === Scope === A remote attacker might be able to construct a JSON request containing malicious python code that could be executed within the mod_wsgi process on the server. It is unknown to what extent it could cause damage, but denial-of-service at the minimum. === Resolution === Djblets will now use the literal_eval() routine instead of the eval() routine when run on platforms with Python 2.6 or later. The literal_eval() routine will sanitize the results such that only assignments of literal variables is permitted, as opposed to arbitrary python code execution. Special note: If Djblets is installed on a platform running Python 2.5 or earlier, this code will fall back to the earlier, less-secure eval() routine. Djblets upstream strongly recommends migrating such deployments to a more recent version of Python. It is noted that the primary consumer of this library - Review Board - is not believed to be vulnerable to this issue, as there are other safeguards in place. However, it is possible that other unknown consumers of this library are at risk. === Acknowledgements === Christian Hammond, lead upstream developer of Review Board is credited with discovering and correcting this vulnerability. === Embargo Information === Upstream has coordinated with packagers of various distributions and cloud application vendors to lift the embargo on Thursday, October 8, 2013. This BZ should become public at that time. From Upstream changelog: version 0.7.19 final (10-October-2013): * Security updates: * JSONField now corrects incorrectly stored contents in a safer way, to remove the risk of any exploits in a JSON payload. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Maintainer timeout. Bumped. Please verify that the bump didn't break anything, then cleanup.
(In reply to Chris Reffett from comment #1) > Maintainer timeout. Bumped. Please verify that the bump didn't break > anything, then cleanup. *Djblets-0.7.28 (13 Apr 2014) 13 Apr 2014; Ian Delaney <idella4@gentoo.org> +Djblets-0.7.28.ebuild, -Djblets-0.6.22.ebuild, -Djblets-0.7.14.ebuild, -Djblets-0.7.15.ebuild, -Djblets-0.7.25.ebuild: bumped and cleaned
Vulnerable versions are no longer in the tree.
