Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-WebOb for openSUSE:Factory checked in at 2026-06-16 18:29:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-WebOb (Old) and /work/SRC/openSUSE:Factory/.python-WebOb.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-WebOb" Tue Jun 16 18:29:22 2026 rev:43 rq:1359753 version:1.8.10 Changes: -------- --- /work/SRC/openSUSE:Factory/python-WebOb/python-WebOb.changes 2026-02-18 17:06:41.176861432 +0100 +++ /work/SRC/openSUSE:Factory/.python-WebOb.new.1981/python-WebOb.changes 2026-06-16 18:29:27.389665299 +0200 @@ -1,0 +2,10 @@ +Tue Jun 16 08:39:48 UTC 2026 - Nico Krapp <[email protected]> + +- Update to 1.8.10 (fices CVE-2026-44889, bsc#1268324) + * The fix for CVE-2024-42353 was incomplete: a Location value containing + ASCII tab, carriage return, or line feed characters between consecutive + slashes could still be interpreted as a protocol-relative URL by + ``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect. + See https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95 + +------------------------------------------------------------------- Old: ---- webob-1.8.9.tar.gz New: ---- webob-1.8.10.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-WebOb.spec ++++++ --- /var/tmp/diff_new_pack.smiZag/_old 2026-06-16 18:29:28.045692927 +0200 +++ /var/tmp/diff_new_pack.smiZag/_new 2026-06-16 18:29:28.045692927 +0200 @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-WebOb -Version: 1.8.9 +Version: 1.8.10 Release: 0 Summary: WSGI request and response object License: MIT ++++++ webob-1.8.9.tar.gz -> webob-1.8.10.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/.gitignore new/webob-1.8.10/.gitignore --- old/webob-1.8.9/.gitignore 2018-04-05 04:06:35.000000000 +0200 +++ new/webob-1.8.10/.gitignore 1970-01-01 01:00:00.000000000 +0100 
@@ -1,20 +0,0 @@ -*$py.class -*.egg -*.pyc -*.pyo -*.swp -*~ -.*.swp -.tox/ -__pycache__/ -_build/ -build/ -dist/ -env*/ -.coverage -.coverage.* -.cache/ -WebOb.egg-info/ -pytest*.xml -coverage*.xml -.pytest_cache/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/.readthedocs.yaml new/webob-1.8.10/.readthedocs.yaml --- old/webob-1.8.9/.readthedocs.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/webob-1.8.10/.readthedocs.yaml 2026-05-06 08:13:12.000000000 +0200 @@ -0,0 +1,14 @@ +# https://docs.readthedocs.io/en/stable/config-file/v2.html +version: 2 +build: + os: ubuntu-22.04 + tools: + python: '3.12' +sphinx: + configuration: docs/conf.py +python: + install: + - method: pip + path: . + extra_requirements: + - docs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/CHANGES.txt new/webob-1.8.10/CHANGES.txt --- old/webob-1.8.9/CHANGES.txt 2024-10-24 05:10:29.000000000 +0200 +++ new/webob-1.8.10/CHANGES.txt 2026-06-02 21:54:18.000000000 +0200 @@ -1,3 +1,18 @@ +1.8.10 (2026-06-02) +------------------- + +Security Fix +~~~~~~~~~~~~ + +- The fix for CVE-2024-42353 was incomplete: a Location value containing + ASCII tab, carriage return, or line feed characters between consecutive + slashes could still be interpreted as a protocol-relative URL by + ``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect. + + See https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95 + + Thanks to Caleb Brown of Google for the report. + 1.8.9 (2024-11-23) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/PKG-INFO new/webob-1.8.10/PKG-INFO --- old/webob-1.8.9/PKG-INFO 2024-10-24 05:17:49.027817500 +0200 +++ new/webob-1.8.10/PKG-INFO 2026-06-02 21:55:46.617048000 +0200 
@@ -1,6 +1,6 @@ -Metadata-Version: 2.1 +Metadata-Version: 2.4 Name: WebOb -Version: 1.8.9 +Version: 1.8.10 Summary: WSGI request and response object Home-page: http://webob.org/ Author: Ian Bicking @@ -32,6 +32,20 @@ Provides-Extra: docs Requires-Dist: Sphinx>=1.7.5; extra == "docs" Requires-Dist: pylons-sphinx-themes; extra == "docs" +Requires-Dist: setuptools; extra == "docs" +Dynamic: author +Dynamic: author-email +Dynamic: classifier +Dynamic: description +Dynamic: home-page +Dynamic: keywords +Dynamic: license +Dynamic: license-file +Dynamic: maintainer +Dynamic: provides-extra +Dynamic: requires-dist +Dynamic: requires-python +Dynamic: summary WebOb ===== @@ -70,6 +84,21 @@ WebOb was authored by Ian Bicking and is currently maintained by the `Pylons Project <https://pylonsproject.org/>`_ and a team of contributors. +1.8.10 (2026-06-02) +------------------- + +Security Fix +~~~~~~~~~~~~ + +- The fix for CVE-2024-42353 was incomplete: a Location value containing + ASCII tab, carriage return, or line feed characters between consecutive + slashes could still be interpreted as a protocol-relative URL by + ``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect. + + See https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95 + + Thanks to Caleb Brown of Google for the report. + 1.8.9 (2024-11-23) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/setup.py new/webob-1.8.10/setup.py --- old/webob-1.8.9/setup.py 2024-10-24 05:17:01.000000000 +0200 +++ new/webob-1.8.10/setup.py 2026-06-02 21:54:39.000000000 +0200 
@@ -21,11 +21,12 @@ docs_extras = [ 'Sphinx >= 1.7.5', 'pylons-sphinx-themes', + 'setuptools' ] setup( name='WebOb', - version='1.8.9', + version='1.8.10', description="WSGI request and response object", long_description=README + '\n\n' + CHANGES, classifiers=[ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/src/WebOb.egg-info/PKG-INFO new/webob-1.8.10/src/WebOb.egg-info/PKG-INFO --- old/webob-1.8.9/src/WebOb.egg-info/PKG-INFO 2024-10-24 05:17:48.000000000 +0200 +++ new/webob-1.8.10/src/WebOb.egg-info/PKG-INFO 2026-06-02 21:55:46.000000000 +0200 @@ -1,6 +1,6 @@ -Metadata-Version: 2.1 +Metadata-Version: 2.4 Name: WebOb -Version: 1.8.9 +Version: 1.8.10 Summary: WSGI request and response object Home-page: http://webob.org/ Author: Ian Bicking @@ -32,6 +32,20 @@ Provides-Extra: docs Requires-Dist: Sphinx>=1.7.5; extra == "docs" Requires-Dist: pylons-sphinx-themes; extra == "docs" +Requires-Dist: setuptools; extra == "docs" +Dynamic: author +Dynamic: author-email +Dynamic: classifier +Dynamic: description +Dynamic: home-page +Dynamic: keywords +Dynamic: license +Dynamic: license-file +Dynamic: maintainer +Dynamic: provides-extra +Dynamic: requires-dist +Dynamic: requires-python +Dynamic: summary WebOb ===== 
@@ -70,6 +84,21 @@ WebOb was authored by Ian Bicking and is currently maintained by the `Pylons Project <https://pylonsproject.org/>`_ and a team of contributors. +1.8.10 (2026-06-02) +------------------- + +Security Fix +~~~~~~~~~~~~ + +- The fix for CVE-2024-42353 was incomplete: a Location value containing + ASCII tab, carriage return, or line feed characters between consecutive + slashes could still be interpreted as a protocol-relative URL by + ``urllib.parse.urljoin`` on Python 3.10+, allowing an open redirect. + + See https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95 + + Thanks to Caleb Brown of Google for the report. + 1.8.9 (2024-11-23) ------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/src/WebOb.egg-info/SOURCES.txt new/webob-1.8.10/src/WebOb.egg-info/SOURCES.txt --- old/webob-1.8.9/src/WebOb.egg-info/SOURCES.txt 2024-10-24 05:17:49.000000000 +0200 +++ new/webob-1.8.10/src/WebOb.egg-info/SOURCES.txt 2026-06-02 21:55:46.000000000 +0200 @@ -1,5 +1,5 @@ .coveragerc -.gitignore +.readthedocs.yaml CHANGES.txt HISTORY.txt MANIFEST.in diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/src/WebOb.egg-info/requires.txt new/webob-1.8.10/src/WebOb.egg-info/requires.txt --- old/webob-1.8.9/src/WebOb.egg-info/requires.txt 2024-10-24 05:17:48.000000000 +0200 +++ new/webob-1.8.10/src/WebOb.egg-info/requires.txt 2026-06-02 21:55:46.000000000 +0200 @@ -5,6 +5,7 @@ [docs] Sphinx>=1.7.5 pylons-sphinx-themes +setuptools [testing] pytest>=3.1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/src/webob/response.py new/webob-1.8.10/src/webob/response.py --- old/webob-1.8.9/src/webob/response.py 2024-08-14 07:06:46.000000000 +0200 +++ new/webob-1.8.10/src/webob/response.py 2026-05-06 08:46:29.000000000 +0200 
@@ -1281,12 +1281,17 @@ @staticmethod def _make_location_absolute(environ, value): + # urllib.parse.urlsplit() (called internally by urljoin) strips + # ASCII tab, CR, and LF from the URL on Python 3.10+. Strip them + # ourselves first so they cannot be used to bypass the SCHEME_RE + # or protocol-relative ("//") checks below. See CVE-2024-42353, + # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3, + # and the follow-up advisory GHSA-fh3h-vg37-cc95. + value = value.replace("\t", "").replace("\r", "").replace("\n", "") + if SCHEME_RE.search(value): return value - # This is to fix an open redirect issue due to the way that - # urlparse.urljoin works. See CVE-2024-42353 and - # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 if value.startswith("//"): value = "/%2f{}".format(value[2:]) new_location = urlparse.urljoin(_request_uri(environ), value) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/tests/test_client_functional.py new/webob-1.8.10/tests/test_client_functional.py --- old/webob-1.8.9/tests/test_client_functional.py 2024-08-14 07:06:43.000000000 +0200 +++ new/webob-1.8.10/tests/test_client_functional.py 2026-05-06 08:52:50.000000000 +0200 @@ -69,7 +69,6 @@ resp = Response('test') resp.headers.add('Set-Cookie', 'a=b') resp.headers.add('Set-Cookie', 'c=d') - resp.headerlist.append(('X-Crazy', 'value\r\n continuation')) return resp 
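Review bot: The new `value = value.replace("\t", "").replace("\r", "").replace("\n", "")` line mirrors only the three characters urlsplit() deletes from inside a URL, but since the CVE-2023-24329 change urllib.parse.urlsplit also lstrips leading WHATWG C0-control and space characters before parsing, so a Location that begins with one of those may still reach urljoin() past the `startswith("//")` check without being normalized here — worth confirming against the interpreter versions the package targets. A safer shape is to normalize the value the same way urlsplit will before either check, e.g. `value = value.lstrip("".join(map(chr, range(0x21))))` ahead of the existing replace chain, or to reject a Location containing any such character outright instead of silently editing it. The new tests in the test_response.py hunk only exercise tab/CR/LF payloads, so they would not detect this; a leading-space case alongside them would pin the behaviour. `_make_location_absolute` continues past the end of this hunk.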
@@ -79,7 +78,6 @@ req = Request.blank(server.url + '/?test') resp = req.send(client_app) assert resp.headers.getall('Set-Cookie') == ['a=b', 'c=d'] - assert resp.headers['X-Crazy'] == 'value, continuation', repr(resp.headers['X-Crazy']) @wsgify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/tests/test_response.py new/webob-1.8.10/tests/test_response.py --- old/webob-1.8.9/tests/test_response.py 2024-08-14 07:06:46.000000000 +0200 +++ new/webob-1.8.10/tests/test_response.py 2026-05-06 08:46:29.000000000 +0200 
@@ -1042,6 +1042,52 @@ assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test" [email protected]("payload", [ + "/\t/www.example.com/test", + "\t//www.example.com/test", + "//\twww.example.com/test", + "/\t\t/www.example.com/test", +]) +def test_location_no_open_redirect_tab_bypass(payload): + # Follow-up to CVE-2024-42353. urllib.parse.urlsplit() (used internally + # by urljoin) strips ASCII tab on Python 3.10+, which allowed a + # Location value to bypass the "//" check and be parsed as + # protocol-relative. See GHSA-fh3h-vg37-cc95. (CR and LF are already + # rejected by the location header setter, so only tab is reachable + # via the public API.) + res = Response() + res.status = "301" + res.location = payload + req = Request.blank("/") + assert req.get_response(res).location == ( + "http://localhost/%2fwww.example.com/test" + ) + + [email protected]("payload", [ + "/\t/www.example.com/test", + "/\n/www.example.com/test", + "/\r/www.example.com/test", + "\t//www.example.com/test", + "\n//www.example.com/test", + "\r//www.example.com/test", + "//\twww.example.com/test", + "//\nwww.example.com/test", + "//\rwww.example.com/test", + "//\tw\nww.example.com/test", +]) +def test__make_location_absolute_strips_url_whitespace(payload): + # Defense in depth for GHSA-fh3h-vg37-cc95: even when called with a + # Location value that bypasses the descriptor's CR/LF check (e.g. via + # direct manipulation of _headerlist), tab/CR/LF must not be usable to + # turn a relative path into a protocol-relative redirect. + result = Response._make_location_absolute( + {"wsgi.url_scheme": "http", "HTTP_HOST": "example.com:80"}, + payload, + ) + assert result == "http://example.com/%2fwww.example.com/test" + + @pytest.mark.xfail(sys.version_info < (3,0), reason="Python 2.x unicode != str, WSGI requires str. Test " "added due to https://github.com/Pylons/webob/issues/247. 
" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/webob-1.8.9/tox.ini new/webob-1.8.10/tox.ini --- old/webob-1.8.9/tox.ini 2024-10-24 05:11:34.000000000 +0200 +++ new/webob-1.8.10/tox.ini 2026-05-06 08:46:29.000000000 +0200 @@ -1,7 +1,7 @@ [tox] requires = virtualenv<20.22.0 envlist = - py27,py34,py35,py36,py37,py313,pypy, + py27,py34,py35,py36,py37,pypy, docs,coverage,pep8 skip_missing_interpreters = True @@ -14,7 +14,6 @@ py35: python3.5 py36: python3.6 py37: python3.7 - py313: python3.13 pypy: pypy py2: python2.7 py3: python3.5
