Advisories » MGASA-2024-0308

Updated python3-webob package fixes security vulnerability

Publication date: 17 Sep 2024
Modification date: 17 Sep 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-42353

Description

When WebOb normalizes the HTTP Location header to include the request
hostname, it does so by parsing the URL that the user is to be
redirected to with Python's urlparse and joining it to the request's
base URL with urljoin. `urlparse`, however, treats a `//` at the start
of a string as a scheme-relative URI and reads the text that follows as
the hostname (network location). `urljoin` then keeps that hostname
instead of the one from the request, so a redirect target such as
`//attacker.example/` is normalized to `https://attacker.example/`.
An application that places untrusted input in a redirect target can
therefore be turned into an open redirect to an arbitrary host.
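The following is an added illustration of the behaviour described above; it is not code from the advisory or from WebOb. It reproduces the flawed normalization with the standard library's `urljoin`, shows a hardened variant that refuses any result whose scheme or host differs from the request's, and uses a constructed request URL (`https://example.com/app/login`) and an invented attacker host (`attacker.example`) purely as sample input.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample request URL (not taken from the advisory). It stands in
# for the request a WebOb application would normalize Location against.
REQUEST_URL = "https://example.com/app/login"


def naive_absolute_location(request_url, location):
    """Reproduce the flawed normalization: parse the redirect target and
    urljoin it onto the request URL. urlparse reads a leading '//' as an
    authority, so urljoin keeps that host and discards the request's own
    host, turning an untrusted Location into an open redirect."""
    return urljoin(request_url, location)


def safe_absolute_location(request_url, location):
    """Hardened variant (an illustration, not WebOb's own patch): join as
    before, then re-parse the result and insist it stays on the request's
    scheme and host. Anything else is refused rather than 'repaired'."""
    base = urlparse(request_url)
    joined = urlparse(urljoin(request_url, location))
    if joined.scheme.lower() != base.scheme.lower():
        raise ValueError(f"redirect changes scheme: {joined.scheme!r}")
    if joined.netloc.lower() != base.netloc.lower():
        raise ValueError(f"redirect leaves request host: {joined.netloc!r}")
    return joined.geturl()


def is_open_redirect(request_url, location):
    """True when the naive normalization would send the client to a host
    other than the one the request arrived on."""
    return (urlparse(urljoin(request_url, location)).netloc.lower()
            != urlparse(request_url).netloc.lower())


def rejects(request_url, location):
    """True when the hardened normalization refuses this target."""
    try:
        safe_absolute_location(request_url, location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Same-origin targets survive both paths; the scheme-relative and
    # absolute foreign targets are where the naive join goes wrong.
    for loc in ("/account", "dashboard", "//attacker.example/phish",
                "https://attacker.example/", "javascript:alert(1)"):
        verdict = "OPEN REDIRECT" if is_open_redirect(REQUEST_URL, loc) else "ok"
        print(f"{loc!r:30} -> {naive_absolute_location(REQUEST_URL, loc)!r:40} {verdict}")
```

Note that the check is applied to the joined result rather than to the raw input: testing only whether the input starts with `//` would miss an absolute `https://attacker.example/` and other forms that `urljoin` passes through unchanged (such as a target with a different scheme), whereas comparing the final scheme and host catches all of them.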

References

SRPMS

9/core