Debian Bug report logs -
#1019710
python-oauthlib: CVE-2022-36087: DoS when attacker provide malicious IPV6 URI
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
:
Bug#1019710
; Package src:python-oauthlib
.
(Tue, 13 Sep 2022 20:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>
.
(Tue, 13 Sep 2022 20:18:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: python-oauthlib
Version: 3.2.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for python-oauthlib.
CVE-2022-36087[0]:
| OAuthLib is an implementation of the OAuth request-signing logic for
| Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
| providing malicious redirect uri can cause denial of service. An
| attacker can also leverage usage of `uri_validate` functions depending
| where it is used. OAuthLib applications using OAuth4.0 provider
| support or use directly `uri_validate` are affected by this issue.
| Version 3.2.1 contains a patch. There are no known workarounds.
Note, that while it is claimed to be fixed in 3.2.1, the two commits
in [1] and [2] are not included in 3.2.1. There is a simple test case
to show the issue as well in the commit expanding the unittests.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36087
[1] https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7
[2] https://github.com/oauthlib/oauthlib/commit/e514826eea15f2b62bbc13da407b71552ef5ff4c
[3] https://github.com/oauthlib/oauthlib/commit/5d85c61998692643dd9d17e05d2646e06ce391e8
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Team <team+python@tracker.debian.org>
:
Bug#1019710
; Package src:python-oauthlib
.
(Wed, 14 Sep 2022 08:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniele Tricoli <eriol@mornie.org>
:
Extra info received and forwarded to list. Copy sent to Debian Python Team <team+python@tracker.debian.org>
.
(Wed, 14 Sep 2022 08:45:03 GMT) (full text, mbox, link).
Message #10 received at 1019710@bugs.debian.org (full text, mbox, reply):
Hello Salvatore,
many thanks for the report!
On 13/09/2022 22:14, Salvatore Bonaccorso wrote:
> Source: python-oauthlib
> Version: 3.2.0-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for python-oauthlib.
>
> CVE-2022-36087[0]:
> | OAuthLib is an implementation of the OAuth request-signing logic for
> | Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker
> | providing malicious redirect uri can cause denial of service. An
> | attacker can also leverage usage of `uri_validate` functions depending
> | where it is used. OAuthLib applications using OAuth4.0 provider
> | support or use directly `uri_validate` are affected by this issue.
> | Version 3.2.1 contains a patch. There are no known workarounds.
>
> Note, that while it is claimed to be fixed in 3.2.1, the two commits
> in [1] and [2] are not included in 3.2.1. There is a simple test case
> to show the issue as well in the commit expanding the unittests.
I'm preparing a new upload for python-oauthlib and I will include also
the two commits you mentioned. Thanks!
Regards,
--
Daniele Tricoli
https://mornie.org
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Sep 14 13:20:36 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.