]> git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
projects / thirdparty / openembedded / openembedded-core-contrib.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2246b0d) | patch
python3: fix CVE-2021-23336 timo/dunfell/python3-CVE-2021-23336
authorLee Chee Yang <chee.yang.lee@intel.com>
Tue, 2 Mar 2021 16:12:22 +0000 (00:12 +0800)
committerTim Orling <timothy.t.orling@intel.com>
Tue, 15 Jun 2021 16:15:13 +0000 (09:15 -0700)
commit53455fdfac7136c43bc1187f4c74d4e4228a98a8
treed04445b6fab34a933f9c70fa3e3eb9b01eb79fe0tree
parent2246b0d7a71c69eb2e89c55991d1387069895466commit | diff
python3: fix CVE-2021-23336

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
"""
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before
3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable
to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by
using a vector called parameter cloaking. When the attacker can separate query
parameters using a semicolon (;), they can cause a difference in the
interpretation of the request between the proxy (running with default
configuration) and the server. This can result in malicious requests being
cached as completely safe ones, as the proxy would usually not see the
semicolon as a separator, and therefore would not include it in a cache key of
an unkeyed parameter.
"""

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-23336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336

Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
meta/recipes-devtools/python/python3/CVE-2021-23336.patch [new file with mode: 0644] blob
meta/recipes-devtools/python/python3_3.8.2.bb diff | blob | blame | history
Mirror of git://git.openembedded.org/openembedded-core-contrib