Merge ~elisehdy/ubuntu-cve-tracker:python-scrapy-patches into ubuntu-cve-tracker:master

Proposed by Elise Hlady
Status: Merged
Merged at revision: a6f4badd0139fab8a0b210af6fe7a3bed0696999
Proposed branch: ~elisehdy/ubuntu-cve-tracker:python-scrapy-patches
Merge into: ubuntu-cve-tracker:master
Diff against target: 252 lines (+42/-30)
6 files modified
active/CVE-2021-41125 (+6/-4)
active/CVE-2022-0577 (+7/-5)
active/CVE-2024-1892 (+7/-5)
active/CVE-2024-1968 (+8/-6)
active/CVE-2024-3572 (+7/-5)
active/CVE-2024-3574 (+7/-5)
Reviewer: Leonidas S. Barbosa (Approve)
Review via email: mp+486111@code.launchpad.net

Commit message

Updates to UCT for python-scrapy USN

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Test infra is failing but the commit is OK as I saw.

review: Approve

Preview Diff

1diff --git a/active/CVE-2021-41125 b/active/CVE-2021-41125
2index dc2e499..2765531 100644
3--- a/active/CVE-2021-41125
4+++ b/active/CVE-2021-41125
5@@ -1,3 +1,4 @@
6+PublicDateAtUSN: 2021-10-06 18:15:00 UTC
7 Candidate: CVE-2021-41125
8 PublicDate: 2021-10-06 18:15:00 UTC
9 References:
10@@ -6,6 +7,7 @@ References:
11 https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header
12 http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth
13 https://www.cve.org/CVERecord?id=CVE-2021-41125
14+ https://ubuntu.com/security/notices/USN-7476-1
15 Description:
16 Scrapy is a high-level web crawling and scraping framework for Python. If
17 you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider
18@@ -28,7 +30,7 @@ Mitigation:
19 Bugs:
20 Priority: medium
21 Discovered-by:
22-Assigned-to: elisehdy
23+Assigned-to:
24 CVSS:
25 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]
26
27@@ -39,11 +41,11 @@ trusty_python-scrapy: ignored (end of standard support)
28 trusty/esm_python-scrapy: DNE
29 esm-infra-legacy/trusty_python-scrapy: DNE
30 xenial_python-scrapy: ignored (end of standard support)
31-esm-apps/xenial_python-scrapy: needed
32+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
33 bionic_python-scrapy: ignored (end of standard support, was needed)
34-esm-apps/bionic_python-scrapy: needed
35+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
36 focal_python-scrapy: needed
37-esm-apps/focal_python-scrapy: needed
38+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
39 hirsute_python-scrapy: ignored (end of life)
40 impish_python-scrapy: ignored (end of life)
41 jammy_python-scrapy: not-affected (2.5.1-1)
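Review bot: focal_python-scrapy is left at 'needed' while esm-apps/focal_python-scrapy in the same hunk moves to 'released (1.7.3-1ubuntu0.1~esm1)'; if the fix is only published through the ESM Apps pocket, please confirm that keeping the standard focal entry as 'needed' is the intended tracker convention rather than a leftover, since every other file in this MP repeats the pattern. The xenial entry's 'ignored (changes too intrusive)' is the right shape: it records why no backport will come instead of leaving it at 'needed' forever.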
42diff --git a/active/CVE-2022-0577 b/active/CVE-2022-0577
43index 85b6f50..19f6f6c 100644
44--- a/active/CVE-2022-0577
45+++ b/active/CVE-2022-0577
46@@ -1,9 +1,11 @@
47+PublicDateAtUSN: 2022-03-02 04:15:00 UTC
48 Candidate: CVE-2022-0577
49 PublicDate: 2022-03-02 04:15:00 UTC
50 References:
51 https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
52 https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
53 https://www.cve.org/CVERecord?id=CVE-2022-0577
54+ https://ubuntu.com/security/notices/USN-7476-1
55 Description:
56 Exposure of Sensitive Information to an Unauthorized Actor in GitHub
57 repository scrapy/scrapy prior to 2.6.1.
58@@ -13,7 +15,7 @@ Mitigation:
59 Bugs:
60 Priority: low
61 Discovered-by:
62-Assigned-to: elisehdy
63+Assigned-to:
64 CVSS:
65 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]
66
67@@ -22,14 +24,14 @@ Patches_python-scrapy:
68 upstream_python-scrapy: released (2.6.0, 1.8.2)
69 trusty_python-scrapy: ignored (end of standard support)
70 xenial_python-scrapy: ignored (end of standard support)
71-esm-apps/xenial_python-scrapy: needed
72+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
73 bionic_python-scrapy: ignored (end of standard support, was needs-triage)
74-esm-apps/bionic_python-scrapy: needed
75+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
76 focal_python-scrapy: needed
77-esm-apps/focal_python-scrapy: needed
78+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
79 impish_python-scrapy: ignored (end of life)
80 jammy_python-scrapy: needed
81-esm-apps/jammy_python-scrapy: needed
82+esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
83 kinetic_python-scrapy: ignored (end of life, was needs-triage)
84 lunar_python-scrapy: ignored (end of life, was needs-triage)
85 mantic_python-scrapy: ignored (end of life, was needs-triage)
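Review bot: the Description ('prior to 2.6.1', unchanged context in the hunk above) and upstream_python-scrapy 'released (2.6.0, 1.8.2)' disagree on the fixing version by one release; since esm-apps/bionic, focal and jammy are now being marked released against this record, please reconcile the upstream line (or the description) so the fixed-in version the backports were checked against is unambiguous.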
86diff --git a/active/CVE-2024-1892 b/active/CVE-2024-1892
87index 07ba23c..08f7556 100644
88--- a/active/CVE-2024-1892
89+++ b/active/CVE-2024-1892
90@@ -1,3 +1,4 @@
91+PublicDateAtUSN: 2024-02-28 00:15:00 UTC
92 Candidate: CVE-2024-1892
93 PublicDate: 2024-02-28 00:15:00 UTC
94 References:
95@@ -6,6 +7,7 @@ References:
96 https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
97 https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
98 https://www.cve.org/CVERecord?id=CVE-2024-1892
99+ https://ubuntu.com/security/notices/USN-7476-1
100 Description:
101 A Regular Expression Denial of Service (ReDoS) vulnerability exists in the
102 XMLFeedSpider class of the scrapy/scrapy project, specifically in the
103@@ -21,7 +23,7 @@ Mitigation:
104 Bugs:
105 Priority: medium
106 Discovered-by:
107-Assigned-to: elisehdy
108+Assigned-to:
109 CVSS:
110 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]
111
112@@ -29,13 +31,13 @@ Patches_python-scrapy:
113 upstream_python-scrapy: released (2.11.1-1, 1.8.4)
114 trusty_python-scrapy: ignored (end of standard support)
115 xenial_python-scrapy: ignored (end of standard support)
116-esm-apps/xenial_python-scrapy: needed
117+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
118 bionic_python-scrapy: ignored (end of standard support)
119-esm-apps/bionic_python-scrapy: needed
120+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
121 focal_python-scrapy: needed
122-esm-apps/focal_python-scrapy: needed
123+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
124 jammy_python-scrapy: needed
125-esm-apps/jammy_python-scrapy: needed
126+esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
127 mantic_python-scrapy: ignored (end of life, was needs-triage)
128 noble_python-scrapy: not-affected (2.11.1-1)
129 esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
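Review bot: upstream_python-scrapy reads 'released (2.11.1-1, 1.8.4)', but '2.11.1-1' is a Debian package revision, not an upstream version, and noble's 'not-affected (2.11.1-1)' suggests it was copied from the package field. The upstream line should carry the upstream release, i.e. 2.11.1, so package and upstream versions are not conflated; the same nit applies to the upstream lines in CVE-2024-3572 and CVE-2024-3574 below.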
130diff --git a/active/CVE-2024-1968 b/active/CVE-2024-1968
131index 7057aae..89e5436 100644
132--- a/active/CVE-2024-1968
133+++ b/active/CVE-2024-1968
134@@ -1,9 +1,11 @@
135+PublicDateAtUSN: 2024-05-20 08:15:00 UTC
136 Candidate: CVE-2024-1968
137 PublicDate: 2024-05-20 08:15:00 UTC
138 References:
139 https://www.cve.org/CVERecord?id=CVE-2024-1968
140 https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
141 https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8
142+ https://ubuntu.com/security/notices/USN-7476-1
143 Description:
144 In scrapy/scrapy, an issue was identified where the Authorization header is
145 not removed during redirects that only change the scheme (e.g., HTTPS to
146@@ -20,20 +22,20 @@ Mitigation:
147 Bugs:
148 Priority: medium
149 Discovered-by:
150-Assigned-to: elisehdy
151+Assigned-to:
152 CVSS:
153
154 Patches_python-scrapy:
155 upstream_python-scrapy: released (2.11.2)
156-esm-apps/xenial_python-scrapy: needed
157-esm-apps/bionic_python-scrapy: needed
158+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
159+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
160 focal_python-scrapy: needed
161-esm-apps/focal_python-scrapy: needed
162+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
163 jammy_python-scrapy: needed
164-esm-apps/jammy_python-scrapy: needed
165+esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
166 mantic_python-scrapy: ignored (end of life, was needs-triage)
167 noble_python-scrapy: needed
168-esm-apps/noble_python-scrapy: needed
169+esm-apps/noble_python-scrapy: released (2.11.1-1ubuntu0.1~esm2)
170 oracular_python-scrapy: not-affected (2.11.2-1)
171 plucky_python-scrapy: not-affected (2.12.0-2)
172 devel_python-scrapy: not-affected (2.12.0-2)
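Review bot: CVSS: is still empty in this record while Assigned-to is cleared and four ESM releases are recorded; the other entries in this MP carry an 'nvd:' vector, so if one exists add it here (CVE-2024-3572 and CVE-2024-3574 have the same gap). Two smaller points on the same hunk: esm-apps/noble_python-scrapy is 'released (2.11.1-1ubuntu0.1~esm2)', a ~esm2 revision while every other release here is ~esm1, which deserves a word in the commit message; and noble_python-scrapy stays 'needed' next to the esm-apps release, as the focal and jammy lines do in the other files.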
173diff --git a/active/CVE-2024-3572 b/active/CVE-2024-3572
174index d4e9338..48f15be 100644
175--- a/active/CVE-2024-3572
176+++ b/active/CVE-2024-3572
177@@ -1,3 +1,4 @@
178+PublicDateAtUSN: 2024-04-16 00:15:00 UTC
179 Candidate: CVE-2024-3572
180 PublicDate: 2024-04-16 00:15:00 UTC
181 References:
182@@ -6,6 +7,7 @@ References:
183 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1)
184 https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
185 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
186+ https://ubuntu.com/security/notices/USN-7476-1
187 Description:
188 The scrapy/scrapy project is vulnerable to XML External Entity (XXE)
189 attacks due to the use of lxml.etree.fromstring for parsing untrusted XML
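Review bot: the References block lists commit 809bfac4890f75fc73607318a04d2ccba71b3d9f twice, once annotated '(2.11.1)' and once bare; keep one (the annotated form is more useful) so the USN link being added here lands in a deduplicated list.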
190@@ -19,17 +21,17 @@ Mitigation:
191 Bugs:
192 Priority: medium
193 Discovered-by:
194-Assigned-to: elisehdy
195+Assigned-to:
196 CVSS:
197
198 Patches_python-scrapy:
199 upstream_python-scrapy: released (2.11.1-1, 1.8.4)
200-esm-apps/xenial_python-scrapy: needed
201-esm-apps/bionic_python-scrapy: needed
202+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
203+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
204 focal_python-scrapy: needed
205-esm-apps/focal_python-scrapy: needed
206+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
207 jammy_python-scrapy: needed
208-esm-apps/jammy_python-scrapy: needed
209+esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
210 mantic_python-scrapy: ignored (end of life, was needs-triage)
211 noble_python-scrapy: not-affected (2.11.1-1)
212 esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
213diff --git a/active/CVE-2024-3574 b/active/CVE-2024-3574
214index 647da07..19554f9 100644
215--- a/active/CVE-2024-3574
216+++ b/active/CVE-2024-3574
217@@ -1,3 +1,4 @@
218+PublicDateAtUSN: 2024-04-16 00:15:00 UTC
219 Candidate: CVE-2024-3574
220 PublicDate: 2024-04-16 00:15:00 UTC
221 References:
222@@ -6,6 +7,7 @@ References:
223 https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
224 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1)
225 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75
226+ https://ubuntu.com/security/notices/USN-7476-1
227 Description:
228 In scrapy version 2.10.1, an issue was identified where the Authorization
229 header, containing credentials for server authentication, is leaked to a
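Review bot: same duplicate as in CVE-2024-3572: commit 5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 appears twice in References, with and without the '(2.11.1)' annotation; drop the bare copy while adding the USN line.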
230@@ -19,17 +21,17 @@ Mitigation:
231 Bugs:
232 Priority: medium
233 Discovered-by:
234-Assigned-to: elisehdy
235+Assigned-to:
236 CVSS:
237
238 Patches_python-scrapy:
239 upstream_python-scrapy: released (2.11.1-1, 1.8.4)
240-esm-apps/xenial_python-scrapy: needed
241-esm-apps/bionic_python-scrapy: needed
242+esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
243+esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
244 focal_python-scrapy: needed
245-esm-apps/focal_python-scrapy: needed
246+esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
247 jammy_python-scrapy: needed
248-esm-apps/jammy_python-scrapy: needed
249+esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
250 mantic_python-scrapy: ignored (end of life, was needs-triage)
251 noble_python-scrapy: not-affected (2.11.1-1)
252 esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
