Merge ~elisehdy/ubuntu-cve-tracker:python-scrapy-patches into ubuntu-cve-tracker:master

Proposed by Elise Hlady
Status: Merged
Merged at revision: a6f4badd0139fab8a0b210af6fe7a3bed0696999
Proposed branch: ~elisehdy/ubuntu-cve-tracker:python-scrapy-patches
Merge into: ubuntu-cve-tracker:master
Diff against target: 252 lines (+42/-30)
6 files modified
active/CVE-2021-41125 (+6/-4)
active/CVE-2022-0577 (+7/-5)
active/CVE-2024-1892 (+7/-5)
active/CVE-2024-1968 (+8/-6)
active/CVE-2024-3572 (+7/-5)
active/CVE-2024-3574 (+7/-5)
Reviewer: Leonidas S. Barbosa (status: Approve)
Review via email: mp+486111@code.launchpad.net

Commit message

Updates to UCT for python-scrapy USN

Leonidas S. Barbosa (leosilvab) wrote :

Test infra is failing but the commit is OK as I saw.

review: Approve

Preview Diff

diff --git a/active/CVE-2021-41125 b/active/CVE-2021-41125
index dc2e499..2765531 100644
--- a/active/CVE-2021-41125
+++ b/active/CVE-2021-41125
@@ -1,3 +1,4 @@
1PublicDateAtUSN: 2021-10-06 18:15:00 UTC
1Candidate: CVE-2021-411252Candidate: CVE-2021-41125
2PublicDate: 2021-10-06 18:15:00 UTC3PublicDate: 2021-10-06 18:15:00 UTC
3References:4References:
@@ -6,6 +7,7 @@ References:
6 https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header7 https://w3lib.readthedocs.io/en/latest/w3lib.html#w3lib.http.basic_auth_header
7 http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth8 http://doc.scrapy.org/en/latest/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpauth
8 https://www.cve.org/CVERecord?id=CVE-2021-411259 https://www.cve.org/CVERecord?id=CVE-2021-41125
10 https://ubuntu.com/security/notices/USN-7476-1
9Description:11Description:
10 Scrapy is a high-level web crawling and scraping framework for Python. If12 Scrapy is a high-level web crawling and scraping framework for Python. If
11 you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider13 you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider
@@ -28,7 +30,7 @@ Mitigation:
28Bugs:30Bugs:
29Priority: medium31Priority: medium
30Discovered-by:32Discovered-by:
31Assigned-to: elisehdy33Assigned-to:
32CVSS:34CVSS:
33 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]35 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]
3436
@@ -39,11 +41,11 @@ trusty_python-scrapy: ignored (end of standard support)
39trusty/esm_python-scrapy: DNE41trusty/esm_python-scrapy: DNE
40esm-infra-legacy/trusty_python-scrapy: DNE42esm-infra-legacy/trusty_python-scrapy: DNE
41xenial_python-scrapy: ignored (end of standard support)43xenial_python-scrapy: ignored (end of standard support)
42esm-apps/xenial_python-scrapy: needed44esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
43bionic_python-scrapy: ignored (end of standard support, was needed)45bionic_python-scrapy: ignored (end of standard support, was needed)
44esm-apps/bionic_python-scrapy: needed46esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
45focal_python-scrapy: needed47focal_python-scrapy: needed
46esm-apps/focal_python-scrapy: needed48esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
47hirsute_python-scrapy: ignored (end of life)49hirsute_python-scrapy: ignored (end of life)
48impish_python-scrapy: ignored (end of life)50impish_python-scrapy: ignored (end of life)
49jammy_python-scrapy: not-affected (2.5.1-1)51jammy_python-scrapy: not-affected (2.5.1-1)
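Review bot: the new esm-apps/xenial_python-scrapy: ignored (changes too intrusive) entry states a decision but not its reasoning; consider adding a Notes: entry to this file saying what makes the xenial backport too intrusive, so the rationale is discoverable in the tracker rather than only in this merge proposal. The same status line is introduced in the other five files in this diff, so one note per file (or a shared wording) would cover them all.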
diff --git a/active/CVE-2022-0577 b/active/CVE-2022-0577
index 85b6f50..19f6f6c 100644
--- a/active/CVE-2022-0577
+++ b/active/CVE-2022-0577
@@ -1,9 +1,11 @@
1PublicDateAtUSN: 2022-03-02 04:15:00 UTC
1Candidate: CVE-2022-05772Candidate: CVE-2022-0577
2PublicDate: 2022-03-02 04:15:00 UTC3PublicDate: 2022-03-02 04:15:00 UTC
3References:4References:
4 https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac5855 https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
5 https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a6 https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
6 https://www.cve.org/CVERecord?id=CVE-2022-05777 https://www.cve.org/CVERecord?id=CVE-2022-0577
8 https://ubuntu.com/security/notices/USN-7476-1
7Description:9Description:
8 Exposure of Sensitive Information to an Unauthorized Actor in GitHub10 Exposure of Sensitive Information to an Unauthorized Actor in GitHub
9 repository scrapy/scrapy prior to 2.6.1.11 repository scrapy/scrapy prior to 2.6.1.
@@ -13,7 +15,7 @@ Mitigation:
13Bugs:15Bugs:
14Priority: low16Priority: low
15Discovered-by:17Discovered-by:
16Assigned-to: elisehdy18Assigned-to:
17CVSS:19CVSS:
18 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]20 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]
1921
@@ -22,14 +24,14 @@ Patches_python-scrapy:
22upstream_python-scrapy: released (2.6.0, 1.8.2)24upstream_python-scrapy: released (2.6.0, 1.8.2)
23trusty_python-scrapy: ignored (end of standard support)25trusty_python-scrapy: ignored (end of standard support)
24xenial_python-scrapy: ignored (end of standard support)26xenial_python-scrapy: ignored (end of standard support)
25esm-apps/xenial_python-scrapy: needed27esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
26bionic_python-scrapy: ignored (end of standard support, was needs-triage)28bionic_python-scrapy: ignored (end of standard support, was needs-triage)
27esm-apps/bionic_python-scrapy: needed29esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
28focal_python-scrapy: needed30focal_python-scrapy: needed
29esm-apps/focal_python-scrapy: needed31esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
30impish_python-scrapy: ignored (end of life)32impish_python-scrapy: ignored (end of life)
31jammy_python-scrapy: needed33jammy_python-scrapy: needed
32esm-apps/jammy_python-scrapy: needed34esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
33kinetic_python-scrapy: ignored (end of life, was needs-triage)35kinetic_python-scrapy: ignored (end of life, was needs-triage)
34lunar_python-scrapy: ignored (end of life, was needs-triage)36lunar_python-scrapy: ignored (end of life, was needs-triage)
35mantic_python-scrapy: ignored (end of life, was needs-triage)37mantic_python-scrapy: ignored (end of life, was needs-triage)
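Review bot: the unchanged context line upstream_python-scrapy: released (2.6.0, 1.8.2) disagrees with this file's Description, which says the issue affects scrapy/scrapy prior to 2.6.1; one of the two is off by a release. Since this MP is already touching the file, confirm the upstream fixed version against the referenced commit and align the two lines.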
diff --git a/active/CVE-2024-1892 b/active/CVE-2024-1892
index 07ba23c..08f7556 100644
--- a/active/CVE-2024-1892
+++ b/active/CVE-2024-1892
@@ -1,3 +1,4 @@
1PublicDateAtUSN: 2024-02-28 00:15:00 UTC
1Candidate: CVE-2024-18922Candidate: CVE-2024-1892
2PublicDate: 2024-02-28 00:15:00 UTC3PublicDate: 2024-02-28 00:15:00 UTC
3References:4References:
@@ -6,6 +7,7 @@ References:
6 https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b7 https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b
7 https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c58 https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
8 https://www.cve.org/CVERecord?id=CVE-2024-18929 https://www.cve.org/CVERecord?id=CVE-2024-1892
10 https://ubuntu.com/security/notices/USN-7476-1
9Description:11Description:
10 A Regular Expression Denial of Service (ReDoS) vulnerability exists in the12 A Regular Expression Denial of Service (ReDoS) vulnerability exists in the
11 XMLFeedSpider class of the scrapy/scrapy project, specifically in the13 XMLFeedSpider class of the scrapy/scrapy project, specifically in the
@@ -21,7 +23,7 @@ Mitigation:
21Bugs:23Bugs:
22Priority: medium24Priority: medium
23Discovered-by:25Discovered-by:
24Assigned-to: elisehdy26Assigned-to:
25CVSS:27CVSS:
26 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]28 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]
2729
@@ -29,13 +31,13 @@ Patches_python-scrapy:
29upstream_python-scrapy: released (2.11.1-1, 1.8.4)31upstream_python-scrapy: released (2.11.1-1, 1.8.4)
30trusty_python-scrapy: ignored (end of standard support)32trusty_python-scrapy: ignored (end of standard support)
31xenial_python-scrapy: ignored (end of standard support)33xenial_python-scrapy: ignored (end of standard support)
32esm-apps/xenial_python-scrapy: needed34esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
33bionic_python-scrapy: ignored (end of standard support)35bionic_python-scrapy: ignored (end of standard support)
34esm-apps/bionic_python-scrapy: needed36esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
35focal_python-scrapy: needed37focal_python-scrapy: needed
36esm-apps/focal_python-scrapy: needed38esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
37jammy_python-scrapy: needed39jammy_python-scrapy: needed
38esm-apps/jammy_python-scrapy: needed40esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
39mantic_python-scrapy: ignored (end of life, was needs-triage)41mantic_python-scrapy: ignored (end of life, was needs-triage)
40noble_python-scrapy: not-affected (2.11.1-1)42noble_python-scrapy: not-affected (2.11.1-1)
41esm-apps/noble_python-scrapy: not-affected (2.11.1-1)43esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
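Review bot: the context line upstream_python-scrapy: released (2.11.1-1, 1.8.4) carries a Debian package revision ("-1") in a field that should hold upstream release versions; CVE-2022-0577 (2.6.0, 1.8.2) and CVE-2024-1968 (2.11.2) in this same diff use plain upstream versions. Suggest released (2.11.1, 1.8.4) here and in the identical upstream lines of CVE-2024-3572 and CVE-2024-3574.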
diff --git a/active/CVE-2024-1968 b/active/CVE-2024-1968
index 7057aae..89e5436 100644
--- a/active/CVE-2024-1968
+++ b/active/CVE-2024-1968
@@ -1,9 +1,11 @@
1PublicDateAtUSN: 2024-05-20 08:15:00 UTC
1Candidate: CVE-2024-19682Candidate: CVE-2024-1968
2PublicDate: 2024-05-20 08:15:00 UTC3PublicDate: 2024-05-20 08:15:00 UTC
3References:4References:
4 https://www.cve.org/CVERecord?id=CVE-2024-19685 https://www.cve.org/CVERecord?id=CVE-2024-1968
5 https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a6 https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
6 https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd87 https://github.com/scrapy/scrapy/commit/1d0502f25bbe55a22899af915623fda1aaeb9dd8
8 https://ubuntu.com/security/notices/USN-7476-1
7Description:9Description:
8 In scrapy/scrapy, an issue was identified where the Authorization header is10 In scrapy/scrapy, an issue was identified where the Authorization header is
9 not removed during redirects that only change the scheme (e.g., HTTPS to11 not removed during redirects that only change the scheme (e.g., HTTPS to
@@ -20,20 +22,20 @@ Mitigation:
20Bugs:22Bugs:
21Priority: medium23Priority: medium
22Discovered-by:24Discovered-by:
23Assigned-to: elisehdy25Assigned-to:
24CVSS:26CVSS:
2527
26Patches_python-scrapy:28Patches_python-scrapy:
27upstream_python-scrapy: released (2.11.2)29upstream_python-scrapy: released (2.11.2)
28esm-apps/xenial_python-scrapy: needed30esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
29esm-apps/bionic_python-scrapy: needed31esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
30focal_python-scrapy: needed32focal_python-scrapy: needed
31esm-apps/focal_python-scrapy: needed33esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
32jammy_python-scrapy: needed34jammy_python-scrapy: needed
33esm-apps/jammy_python-scrapy: needed35esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
34mantic_python-scrapy: ignored (end of life, was needs-triage)36mantic_python-scrapy: ignored (end of life, was needs-triage)
35noble_python-scrapy: needed37noble_python-scrapy: needed
36esm-apps/noble_python-scrapy: needed38esm-apps/noble_python-scrapy: released (2.11.1-1ubuntu0.1~esm2)
37oracular_python-scrapy: not-affected (2.11.2-1)39oracular_python-scrapy: not-affected (2.11.2-1)
38plucky_python-scrapy: not-affected (2.12.0-2)40plucky_python-scrapy: not-affected (2.12.0-2)
39devel_python-scrapy: not-affected (2.12.0-2)41devel_python-scrapy: not-affected (2.12.0-2)
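Review bot: this hunk clears Assigned-to and marks the package released, but the CVSS: block directly below it is still empty (the hunk shows the field header followed by a blank line), as it is in CVE-2024-3572 and CVE-2024-3574. Before closing out the assignment, add the nvd: vector in the same format used in CVE-2024-1892 if NVD has published a score for these three CVEs.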
diff --git a/active/CVE-2024-3572 b/active/CVE-2024-3572
index d4e9338..48f15be 100644
--- a/active/CVE-2024-3572
+++ b/active/CVE-2024-3572
@@ -1,3 +1,4 @@
1PublicDateAtUSN: 2024-04-16 00:15:00 UTC
1Candidate: CVE-2024-35722Candidate: CVE-2024-3572
2PublicDate: 2024-04-16 00:15:00 UTC3PublicDate: 2024-04-16 00:15:00 UTC
3References:4References:
@@ -6,6 +7,7 @@ References:
6 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1)7 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1)
7 https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm78 https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7
8 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f9 https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f
10 https://ubuntu.com/security/notices/USN-7476-1
9Description:11Description:
10 The scrapy/scrapy project is vulnerable to XML External Entity (XXE)12 The scrapy/scrapy project is vulnerable to XML External Entity (XXE)
11 attacks due to the use of lxml.etree.fromstring for parsing untrusted XML13 attacks due to the use of lxml.etree.fromstring for parsing untrusted XML
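Review bot: the References block lists the same fix commit twice, https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f, once annotated with "(2.11.1)" and once bare; while adding the USN link here, drop the unannotated duplicate. CVE-2024-3574 has the same duplicated commit reference (5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75) and would benefit from the same cleanup.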
@@ -19,17 +21,17 @@ Mitigation:
19Bugs:21Bugs:
20Priority: medium22Priority: medium
21Discovered-by:23Discovered-by:
22Assigned-to: elisehdy24Assigned-to:
23CVSS:25CVSS:
2426
25Patches_python-scrapy:27Patches_python-scrapy:
26upstream_python-scrapy: released (2.11.1-1, 1.8.4)28upstream_python-scrapy: released (2.11.1-1, 1.8.4)
27esm-apps/xenial_python-scrapy: needed29esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
28esm-apps/bionic_python-scrapy: needed30esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
29focal_python-scrapy: needed31focal_python-scrapy: needed
30esm-apps/focal_python-scrapy: needed32esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
31jammy_python-scrapy: needed33jammy_python-scrapy: needed
32esm-apps/jammy_python-scrapy: needed34esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
33mantic_python-scrapy: ignored (end of life, was needs-triage)35mantic_python-scrapy: ignored (end of life, was needs-triage)
34noble_python-scrapy: not-affected (2.11.1-1)36noble_python-scrapy: not-affected (2.11.1-1)
35esm-apps/noble_python-scrapy: not-affected (2.11.1-1)37esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
diff --git a/active/CVE-2024-3574 b/active/CVE-2024-3574
index 647da07..19554f9 100644
--- a/active/CVE-2024-3574
+++ b/active/CVE-2024-3574
@@ -1,3 +1,4 @@
1PublicDateAtUSN: 2024-04-16 00:15:00 UTC
1Candidate: CVE-2024-35742Candidate: CVE-2024-3574
2PublicDate: 2024-04-16 00:15:00 UTC3PublicDate: 2024-04-16 00:15:00 UTC
3References:4References:
@@ -6,6 +7,7 @@ References:
6 https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a97 https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9
7 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1)8 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1)
8 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b759 https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75
10 https://ubuntu.com/security/notices/USN-7476-1
9Description:11Description:
10 In scrapy version 2.10.1, an issue was identified where the Authorization12 In scrapy version 2.10.1, an issue was identified where the Authorization
11 header, containing credentials for server authentication, is leaked to a13 header, containing credentials for server authentication, is leaked to a
@@ -19,17 +21,17 @@ Mitigation:
19Bugs:21Bugs:
20Priority: medium22Priority: medium
21Discovered-by:23Discovered-by:
22Assigned-to: elisehdy24Assigned-to:
23CVSS:25CVSS:
2426
25Patches_python-scrapy:27Patches_python-scrapy:
26upstream_python-scrapy: released (2.11.1-1, 1.8.4)28upstream_python-scrapy: released (2.11.1-1, 1.8.4)
27esm-apps/xenial_python-scrapy: needed29esm-apps/xenial_python-scrapy: ignored (changes too intrusive)
28esm-apps/bionic_python-scrapy: needed30esm-apps/bionic_python-scrapy: released (1.5.0-1ubuntu0.1~esm1)
29focal_python-scrapy: needed31focal_python-scrapy: needed
30esm-apps/focal_python-scrapy: needed32esm-apps/focal_python-scrapy: released (1.7.3-1ubuntu0.1~esm1)
31jammy_python-scrapy: needed33jammy_python-scrapy: needed
32esm-apps/jammy_python-scrapy: needed34esm-apps/jammy_python-scrapy: released (2.5.1-2ubuntu0.1~esm1)
33mantic_python-scrapy: ignored (end of life, was needs-triage)35mantic_python-scrapy: ignored (end of life, was needs-triage)
34noble_python-scrapy: not-affected (2.11.1-1)36noble_python-scrapy: not-affected (2.11.1-1)
35esm-apps/noble_python-scrapy: not-affected (2.11.1-1)37esm-apps/noble_python-scrapy: not-affected (2.11.1-1)
