Your message dated Sun, 29 May 2022 18:32:39 +0000
with message-id <[email protected]>
and subject line Bug#1008234: fixed in python-scrapy 1.5.1-1+deb10u1
has caused the Debian Bug report #1008234,
regarding python-scrapy: CVE-2022-0577: Incorrect Authorization and Exposure of
Sensitive Information to an Unauthorized Actor
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1008234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008234
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-scrapy
Version: 1.5.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.1-2
Control: found -1 2.5.1-2
Hi,
The following vulnerability was published for python-scrapy.
CVE-2022-0577[0]:
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub
| repository scrapy/scrapy prior to 2.6.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-0577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0577
[1] https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
[2] https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
[3] https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-scrapy
Source-Version: 1.5.1-1+deb10u1
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-scrapy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-scrapy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 20 May 2022 16:14:25 -0400
Source: python-scrapy
Architecture: source
Version: 1.5.1-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1008234
Changes:
python-scrapy (1.5.1-1+deb10u1) buster; urgency=medium
.
* Team upload.
* Security fix for CVE-2021-41125: Don't send authentication data with all
  requests. Provide a http_auth_domain spider attribute to control which
  domains are allowed to receive the configured HTTP authentication
  credentials.
* Security fix CVE-2022-0577: Don't expose cookies cross-domain when
  redirected. (Closes: #1008234)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
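
The two fixes named in the changelog above, sketched as a standalone added example (not Scrapy's code and not part of the original messages): credentials are attached only to requests inside the allowed domain, and a Cookie header is dropped when a redirect changes host. Function names, hostnames and credentials are constructed for illustration, and the exact-host comparison on redirect is an assumption of this sketch.

```python
import base64
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def in_auth_domain(url, http_auth_domain):
    """True if the URL's host is the allowed domain or a true subdomain of it.

    A bare suffix test would let 'notshop.test' match 'shop.test', so the
    subdomain case requires a leading dot.
    """
    host, domain = host_of(url), (http_auth_domain or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def outgoing_headers(url, headers, user, password, http_auth_domain):
    """Attach HTTP Basic credentials only for requests inside the allowed domain."""
    out = dict(headers)
    if in_auth_domain(url, http_auth_domain):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        out["Authorization"] = "Basic " + token
    return out


def redirect_headers(original_url, redirect_url, headers):
    """Headers for the follow-up request: drop Cookie if the host changed."""
    if host_of(original_url) == host_of(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "cookie"}


if __name__ == "__main__":
    # Constructed sample URLs: allowed host, subdomain, and two lookalikes.
    for url in ("https://shop.test/a", "https://api.shop.test/a",
                "https://notshop.test/a", "https://shop.test.cdn.invalid/a"):
        sent = "Authorization" in outgoing_headers(url, {}, "user", "pass", "shop.test")
        print(f"{url:35} credentials sent: {sent}")
    hdrs = {"Cookie": "sid=constructed", "Accept": "*/*"}
    print(redirect_headers("https://shop.test/login", "https://cdn.invalid/x", hdrs))
```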