python-scrapy: CVE-2024-1892

Debian Bug report logs - #1065111

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 29 Feb 2024 21:18:02 UTC

Severity: important

Tags: security, upstream

Found in version python-scrapy/2.11.0-2

Fixed in version python-scrapy/2.11.1-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1065111; Package src:python-scrapy. (Thu, 29 Feb 2024 21:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Thu, 29 Feb 2024 21:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-scrapy: CVE-2024-1892
Date: Thu, 29 Feb 2024 22:15:24 +0100
Source: python-scrapy
Version: 2.11.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for python-scrapy.

CVE-2024-1892[0]:
| Parts of the Scrapy API were found to be vulnerable to a ReDoS
| attack. Handling a malicious response could cause extreme CPU and
| memory usage during the parsing of its content, due to the use of
| vulnerable regular expressions for that parsing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1892
    https://www.cve.org/CVERecord?id=CVE-2024-1892
[1] https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/
[2] https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 29 Feb 2024 23:12:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 29 Feb 2024 23:12:08 GMT)


Message #10 received at 1065111-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1065111-done@bugs.debian.org
Subject: Re: Accepted python-scrapy 2.11.1-1 (source) into unstable
Date: Fri, 1 Mar 2024 00:08:55 +0100
Source: python-scrapy
Source-Version: 2.11.1-1

On Thu, Feb 29, 2024 at 09:07:34PM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Fri, 01 Mar 2024 00:23:13 +0500
> Source: python-scrapy
> Architecture: source
> Version: 2.11.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <team+python@tracker.debian.org>
> Changed-By: Andrey Rakhmatullin <wrar@debian.org>
> Changes:
>  python-scrapy (2.11.1-1) unstable; urgency=medium
>  .
>    [ Andrey Rakhmatullin ]
>  .
>    * New upstream version.
>    * Add B-D: python3-pexpect.
>  .
>    [ Alexandre Detiste ]
>  .
>    * Remove an extraneous build dependency on python3-mock.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Mar 1 18:17:58 2024; Machine Name: bembo
