Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1
@ 2023-11-01 18:15 Fabrice Fontaine
  2023-11-01 21:05 ` Thomas Petazzoni via buildroot
  2023-11-08  9:26 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-11-01 18:15 UTC (permalink / raw)
  To: buildroot
  Cc: Angelo Compagnucci, Fabrice Fontaine, James Hilliard, Asaf Kahlon

Fix CVE-2023-45158: An OS command injection vulnerability exists in
web2py 2.24.1 and earlier. When the product is configured to use
notifySendHandler for logging (not the default configuration), a crafted
web request may execute an arbitrary OS command on the web server using
the product.

https://jvn.jp/en/jp/JVN80476432
https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/python-web2py/python-web2py.hash | 2 +-
 package/python-web2py/python-web2py.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/python-web2py/python-web2py.hash b/package/python-web2py/python-web2py.hash
index 03c71db8a5..1b4d8f5632 100644
--- a/package/python-web2py/python-web2py.hash
+++ b/package/python-web2py/python-web2py.hash
@@ -1,3 +1,3 @@
 # sha256 locally computed
-sha256  db42d52097d43fa797c29f9ce1493d7356f192dd0c2590ec56f36022252c284b  python-web2py-2.24.1.tar.gz
+sha256  d5d79f6260ec9f53f90447ad59313a8fac0571fce0018aa5f6fcf95d28c04382  python-web2py-2.26.1.tar.gz
 sha256  2aae96826184a492bc799add49aed7b29036e7aba2d2294fb65053bd30fe55fe  LICENSE
diff --git a/package/python-web2py/python-web2py.mk b/package/python-web2py/python-web2py.mk
index 91c041f6f2..fe7774fc2b 100644
--- a/package/python-web2py/python-web2py.mk
+++ b/package/python-web2py/python-web2py.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PYTHON_WEB2PY_VERSION = 2.24.1
+PYTHON_WEB2PY_VERSION = 2.26.1
 PYTHON_WEB2PY_SITE = $(call github,web2py,web2py,v$(PYTHON_WEB2PY_VERSION))
 PYTHON_WEB2PY_LICENSE = LGPL-3.0
 PYTHON_WEB2PY_LICENSE_FILES = LICENSE
-- 
2.42.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1
  2023-11-01 18:15 [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1 Fabrice Fontaine
@ 2023-11-01 21:05 ` Thomas Petazzoni via buildroot
  2023-11-08  9:26 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-11-01 21:05 UTC (permalink / raw)
  To: Fabrice Fontaine
  Cc: Angelo Compagnucci, James Hilliard, Asaf Kahlon, buildroot

On Wed,  1 Nov 2023 19:15:46 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> Fix CVE-2023-45158: An OS command injection vulnerability exists in
> web2py 2.24.1 and earlier. When the product is configured to use
> notifySendHandler for logging (not the default configuration), a crafted
> web request may execute an arbitrary OS command on the web server using
> the product.
> 
> https://jvn.jp/en/jp/JVN80476432
> https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/python-web2py/python-web2py.hash | 2 +-
>  package/python-web2py/python-web2py.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1
  2023-11-01 18:15 [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1 Fabrice Fontaine
  2023-11-01 21:05 ` Thomas Petazzoni via buildroot
@ 2023-11-08  9:26 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-11-08  9:26 UTC (permalink / raw)
  To: Fabrice Fontaine
  Cc: Angelo Compagnucci, James Hilliard, Asaf Kahlon, buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-45158: An OS command injection vulnerability exists in
 > web2py 2.24.1 and earlier. When the product is configured to use
 > notifySendHandler for logging (not the default configuration), a crafted
 > web request may execute an arbitrary OS command on the web server using
 > the product.

 > https://jvn.jp/en/jp/JVN80476432
 > https://github.com/web2py/web2py/compare/v2.24.1...v2.26.1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-08  9:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-01 18:15 [Buildroot] [PATCH 1/1] package/python-web2py: security bump to version 2.26.1 Fabrice Fontaine
2023-11-01 21:05 ` Thomas Petazzoni via buildroot
2023-11-08  9:26 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox