CVE-2021-23336: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. Doesn't appear to be released.
I'll backport it in ~1 hour.
Oh my, this is a backwards-incompatible change. I wonder if it'll break something.
I've filled the package list for future reference but let's not run the stablereq yet. The current behavior was present practically since forever, and the change is not backwards-compatible. Let's give it at least a few more days to see if it doesn't break stuff.
Unable to check for sanity: > invalid package spec: ==
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2a53a94f3b6b6395ef4541051a02d80c61442d0 commit f2a53a94f3b6b6395ef4541051a02d80c61442d0 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:48:16 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:55 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 2.7 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-2.7.18_p7.ebuild | 358 ++++++++++++++++++++++++++++++++ 2 files changed, 359 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b22068f64c351ccf7d6140b362559a78593f29b commit 6b22068f64c351ccf7d6140b362559a78593f29b Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:47:23 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:54 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 3.6 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.6.12_p3.ebuild | 341 ++++++++++++++++++++++++++++++++ 2 files changed, 342 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5 commit 266ba3cecffea1dfde91ac09ba3ce44a95b6fdf5 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:46:10 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:53 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 3.7 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.7.9_p3.ebuild | 333 +++++++++++++++++++++++++++++++++ 2 files changed, 334 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5a326329d0121f8a618e73feb3fe1dfb31f9e1f commit b5a326329d0121f8a618e73feb3fe1dfb31f9e1f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:44:52 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:52 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 3.8 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.8.7_p2.ebuild | 337 +++++++++++++++++++++++++++++++++ 2 files changed, 338 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8 commit 1144374a1b5cf6f7fe32d536d8ef454d1e96b7e8 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:43:45 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:51 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 3.9 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.9.1_p2.ebuild | 346 +++++++++++++++++++++++++++++++++ 2 files changed, 347 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b67b5c6ab21333995d79ae8b7ffad18163639768 commit b67b5c6ab21333995d79ae8b7ffad18163639768 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2021-02-15 23:38:46 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2021-02-16 00:12:50 +0000 dev-lang/python: Backport CVE-2021-23336 fix to 3.10 Bug: https://bugs.gentoo.org/770853 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.10.0_alpha5_p1.ebuild | 349 +++++++++++++++++++++++++ 2 files changed, 350 insertions(+)
Thank you!
ping.
Ok, let's stabilize the new set.
All sanity-check issues have been resolved
ppc64 done
amd64 stable
x86 stable
ppc done
hppa stable
sparc stable
arm64 done
arm done
s390 done all arches done
Please cleanup.
It's already cleaned up, isn't it?
(In reply to Michał Górny from comment #20) > It's already cleaned up, isn't it? Yep, sorry!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202104-04 at https://security.gentoo.org/glsa/202104-04 by GLSA coordinator Thomas Deutschmann (whissi).
