Source: python-treq
Version: 18.6.0-0.2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 18.6.0-0.1
Hi,
The following vulnerability was published for python-treq.
CVE-2022-23607[0]:
| treq is an HTTP library inspired by requests but written on top of
| Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`,
| etc.) and `treq.client.HTTPClient` constructor accept cookies as a
| dictionary. Such cookies are not bound to a single domain, and are
| therefore sent to *every* domain ("supercookies"). This can
| potentially cause sensitive information to leak upon an HTTP redirect
| to a different domain., e.g. should `https://example.com` redirect to
| `http://cloudstorageprovider.com` the latter will receive the cookie
| `session`. Treq 2021.1.0 and later bind cookies given to request
| methods (`treq.request`, `treq.get`, `HTTPClient.request`,
| `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users
| are advised to upgrade. For users unable to upgrade Instead of passing
| a dictionary as the *cookies* argument, pass a
| `http.cookiejar.CookieJar` instance with properly domain- and scheme-
| scoped cookies in it.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-23607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23607
[1] https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
[2]
https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2
Regards,
Salvatore
