Debian Bug report logs -
#1005041
python-treq: CVE-2022-23607
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Orestis Ioannou <orestis@oioannou.com>:
Bug#1005041; Package src:python-treq.
(Sat, 05 Feb 2022 20:39:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Orestis Ioannou <orestis@oioannou.com>.
(Sat, 05 Feb 2022 20:39:11 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: python-treq
Version: 18.6.0-0.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 18.6.0-0.1
Hi,
The following vulnerability was published for python-treq.
CVE-2022-23607[0]:
| treq is an HTTP library inspired by requests but written on top of
| Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`,
| etc.) and `treq.client.HTTPClient` constructor accept cookies as a
| dictionary. Such cookies are not bound to a single domain, and are
| therefore sent to *every* domain ("supercookies"). This can
| potentially cause sensitive information to leak upon an HTTP redirect
| to a different domain., e.g. should `https://example.com` redirect to
| `http://cloudstorageprovider.com` the latter will receive the cookie
| `session`. Treq 2021.1.0 and later bind cookies given to request
| methods (`treq.request`, `treq.get`, `HTTPClient.request`,
| `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users
| are advised to upgrade. For users unable to upgrade Instead of passing
| a dictionary as the *cookies* argument, pass a
| `http.cookiejar.CookieJar` instance with properly domain- and scheme-
| scoped cookies in it.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-23607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23607
[1] https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
[2] https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
Regards,
Salvatore
Marked as found in versions python-treq/18.6.0-0.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 05 Feb 2022 20:39:11 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Feb 6 12:09:13 2022;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon