Mageia 7, 8 Moderate: Web Cache Poisoning in Python Packages
mageia
April 2, 2021
Updated python and python3 security vulnerability: The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a...
Summary
Updated python and python3 security vulnerability:
The package python/cpython is vulnerable to Web Cache Poisoning via
urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called
parameter cloaking. When the attacker can separate query parameters using
a semicolon (;), they can cause a difference in the interpretation of the
request between the proxy (running with default configuration) and the
server. This can result in malicious requests being cached as completely
safe ones, as the proxy would usually not see the semicolon as a separator,
and therefore would not include it in a cache key of an unkeyed parameter
(CVE-2021-23336).
References
- https://bugs.mageia.org/show_bug.cgi?id=28408
- https://blog.python.org/2021/02/python-392-and-388-are-now-available.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
- https://www.cve.org/CVERecord?id=CVE-2021-23336
Topics Covered
Resolution
SRPMS
- 7/core/python3-3.7.10-1.mga7
- 7/core/python-2.7.18-1.3.mga7
- 8/core/python3-3.8.8-1.mga8
- 8/core/python-2.7.18-7.1.mga8
PREVIOUS
NEXT
Publication date: 02 Apr 2021
URL: https://advisories.mageia.org/MGASA-2021-0165.html
Type: security
CVE: CVE-2021-23336
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!