-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEB/gxf7d8Cd2OKhqJtvJJDhLM3JMFAmgaafQFAwAAAAAACgkQtvJJDhLM3JNG
/xAApCEBXE1VQBbCxYNR0CoHRNOlkikP0yABxo53vHBMIM9I5yzjgehhI0aTFGnvJy5M0WCrYrZn
7OJh40LmyLJZFTmCv7Vh6E93Rhqv3hDvDsXTEl3mvn8b+vv0S4bipn0f3E/fS3DmaAjG9r3BNw4z
lpxXsjK0NUVvaBsUCJGIGStySKRMMvn0QHTT8BjdXPxxpEPIyw3fT2BTH4gRNKu++x7bNpcn/T1P
49qxqNT5Fr3ydvFAUrYgXf+jmLy3SpLSooGairuJw1cBdJLBxzWo4tiQDgxigeneLZu2odXecVHK
KQesmb9orFyizvrCyaCsZmyyDUxCD4iPMuQnBBQbsaYheaYQQzrqKI9oQC8Yudpmocv9HDyoxXds
0prFq0GiG3p790NjMRhx6J8iW+c3++8/EIeKqjfP4uUK6ToqyR+C9qX/9XFGPknVi6Mr7gzd1Pq+
O2brHkIOlJA8WFYfkG7q/8r4xGPsSYwOMDirhPaPgM6/Bg1XpAcHWH51hCKCM9dpSWh9bYMWNsCh
wy29Synq1ywN++no2+bsnZ2r3+uqQk2zqrGKFA2bpoLXuK9jRGpNRcJmnSf7p0glzTi0PS82lYXP
77R5BNHSTJY9FQCiTaccoC2UmG/qgcmp1xqBd4/pswCizaR81QSn/T5znPXfXbwwi5Hy7Qr5c0hj
4iM=
=eu3G
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7476-1
May 05, 2025
python-scrapy vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in python-scrapy.
Software Description:
- python-scrapy: Python web scraping and crawling framework
Details:
It was discovered that Scrapy improperly exposed HTTP authentication
credentials to request targets, including during redirects. An attacker
could use this issue to gain unauthorized access to user accounts. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-41125)
It was discovered that Scrapy did not remove the cookie header during
cross-domain redirects. An attacker could possibly use this issue to gain
unauthorized access to user accounts. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-0577)
It was discovered that Scrapy inefficiently parsed XML content. An
attacker could use this issue to cause a denial of service by sending a
crafted XML response. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-1892)
It was discovered that Scrapy did not properly check response size during
decompression. An attacker could send a crafted response that would
exhaust memory and cause a denial of service. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3572)
It was discovered that Scrapy did not remove the authorization header
during cross-domain redirects. An attacker could possibly use this issue
to gain unauthorized access to user accounts. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2024-3574)
It was discovered that Scrapy did not remove the authorization header
during redirects that change scheme but remain in the same domain. This
issue could possibly be used by an attacker to expose sensitive
information or to gain unauthorized access to user accounts.
(CVE-2024-1968)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
python3-scrapy 2.11.1-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 22.04 LTS
python3-scrapy 2.5.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
python3-scrapy 1.7.3-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python-scrapy 1.5.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-scrapy 1.5.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7476-1
CVE-2021-41125, CVE-2022-0577, CVE-2024-1892, CVE-2024-1968,
CVE-2024-3572, CVE-2024-3574
No comments:
Post a Comment