Debian issued an advisory on February 27:
https://www.debian.org/security/2021/dsa-4864

The issue is fixed upstream in 3.7.4:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.7.4
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Fixed version pushed in mga8 src:
- python-aiohttp-3.7.4-1.mga8
Status comment: Fixed upstream in 3.7.4 => (none)
Assignee: pterjan => qa-bugs
Advisory:
========================

Updated python-aiohttp package fixes security vulnerability:

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website (CVE-2021-21330).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21330
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
https://www.debian.org/security/2021/dsa-4864
========================

Updated packages in core/updates_testing:
========================

python3-aiohttp-3.7.4-1.mga8

from python-aiohttp-3.7.4-1.mga8.src.rpm
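The advisory describes an open redirect: the server emits a Location the application never intended, and the browser follows it off-site. The block below is an added example, not aiohttp's code, not its 3.7.4 fix and not part of this bug report; it shows the allow-list check an application can apply to any redirect target before emitting it, including the protocol-relative ("//host/...") and backslash forms that a naive "starts with a slash" check lets through. The hostname allow-list and the sample targets are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real application lists its own hostnames.
ALLOWED_HOSTS = frozenset({"app.example.test"})


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if redirecting to `target` keeps the browser on this site.

    Accepts an absolute path on the same origin ("/account") or an https URL
    whose host is allow-listed. Rejects protocol-relative ("//host/..."),
    backslash and control-character variants, which browsers normalise
    differently from a plain string comparison.
    """
    if not target or target != target.strip():
        return False
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        # Browsers strip tabs/newlines and treat "\" as "/", so "/\host" becomes "//host".
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be an absolute path with exactly one leading "/".
        # (urlsplit gives "///host" an empty netloc; browsers collapse it to a host.)
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: only https, and only to a host we own (hostname ignores userinfo,
    # so "https://app.example.test@evil.example/" is judged by "evil.example").
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def safe_redirect_location(target: str, fallback: str = "/") -> str:
    """Value to put in the Location header: the target if safe, otherwise the fallback."""
    return target if is_safe_redirect_target(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in [
        "/account",
        "//evil.example/",
        "/\\evil.example",
        "https://app.example.test/x",
        "https://app.example.test@evil.example/",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_location(candidate)!r}")
```

The check is deliberately stricter than the browser: anything it cannot positively classify as same-site or allow-listed falls back to "/", which is the right failure mode for a redirect.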
mga8, x64

CVE-2021-21330

No obvious reproducers available. Test scripts at https://pypi.org/project/aiohttp/

Copied code from that site: async_http_client.py and async_http_server.py (attached). Ran these before update in separate terminals.

$ python aio_http_server.py
======== Running on http://0.0.0.0:8080 ========
(Press CTRL+C to quit)

$ python aio_http_client.py
Status: 200
Content-type: text/html; charset=utf-8
Body: <!doctype html> ...
$

There are other demos at https://github.com/aio-libs/aiohttp-demos/tree/master/demos

Updated the package and ran the simple server/client test. Identical behaviour.

Giving this an OK for 64-bits.

$ rpm -q python3-aiohttp
python3-aiohttp-3.7.4-1.mga8
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Created attachment 12524: Simple server script
Created attachment 12525: Simple server script
Created attachment 12526: Simple client script
Source: https://pypi.org/project/aiohttp/
Attachment 12524 is obsolete: 0 => 1
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-21330
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0161.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED