Source: python-treq Version: 18.6.0-0.2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 18.6.0-0.1
Hi, The following vulnerability was published for python-treq. CVE-2022-23607[0]: | treq is an HTTP library inspired by requests but written on top of | Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, | etc.) and `treq.client.HTTPClient` constructor accept cookies as a | dictionary. Such cookies are not bound to a single domain, and are | therefore sent to *every* domain ("supercookies"). This can | potentially cause sensitive information to leak upon an HTTP redirect | to a different domain., e.g. should `https://example.com` redirect to | `http://cloudstorageprovider.com` the latter will receive the cookie | `session`. Treq 2021.1.0 and later bind cookies given to request | methods (`treq.request`, `treq.get`, `HTTPClient.request`, | `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users | are advised to upgrade. For users unable to upgrade Instead of passing | a dictionary as the *cookies* argument, pass a | `http.cookiejar.CookieJar` instance with properly domain- and scheme- | scoped cookies in it. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-23607 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23607 [1] https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc [2] https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2 Regards, Salvatore