[CKAN-Security] HTTP Response Splitting - Vulnerable module: WebOb

David Read david.read at hackneyworkshop.com
Mon Nov 19 18:12:13 UTC 2018


This one was last flagged in December:
https://gitlab.com/ckan/ckan-security/issues/28#note_60982687

I guess we can acknowledge we've been aware of this issue and efforts are
underway to solve it. But unless there is someone willing to fund the work
to upgrade pylons (Tyler's PR), our priority is on getting rid of Pylons
completely in coming months.

I would say that since it is long unmaintained, Pylons probably has more
issues than just this one, so upgrading Pylons to fix this one issue is not
a good use of our limited efforts.

David

On Mon, 19 Nov 2018 at 13:18, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Hi Lukáš,
>
> Thanks a lot for your report. We'll study it and get back to you as soon
> as possible.
>
> Best regards,
>
> Adrià
>
> On Mon, 19 Nov 2018 at 14:16, Lukáš Cígler <lukas.cigler at iseco.cz> wrote:
>
>> Hello CKAN team,
>>
>> Testing with the https://snyk.io utility I was able to find an “HTTP Response
>> Splitting” vulnerability in your application.
>> Vulnerable module: WebOb - Affecting webob package, versions [,1.6.0a0)
>> https://snyk.io/test/github/ckan/ckan
>>
>> https://snyk.io/vuln/SNYK-PYTHON-WEBOB-40490
>>
>> Best Regards,
>>
>> *Lukáš Cígler*
>>
>> Senior Security Consultant
>>
>>
>> *+420 776 142 266*  /  lukas.cigler at iseco.cz  /  www.iseco.cz
>>
>> Bartůňkova 2349/3a, 149 00, Praha 4
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
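Added example, not CKAN's or WebOb's own code: a defence-in-depth guard for the bug class Lukáš's report names, a WSGI wrapper that drops any response header carrying CR/LF before it reaches the server, plus a check of a WebOb version string against the affected range Snyk gives, `[,1.6.0a0)`. The names `splitting_guard`, `guard_headers`, `webob_in_affected_range` and the `SAMPLE_HEADERS` input are constructed for this example.

```python
import re
import sys

# A CR, LF or NUL inside a header would end that header early and let the
# rest of the value be read as a new header or even a second response body.
_CTL = re.compile(r"[\r\n\x00]")

def header_is_safe(name, value):
    """True only if neither the header name nor its value contains CR/LF/NUL."""
    return not (_CTL.search(name) or _CTL.search(str(value)))

def guard_headers(headers):
    """Split a WSGI header list into (safe, rejected).  Offending headers are
    dropped whole rather than 'cleaned', so nothing attacker-shaped survives."""
    safe, rejected = [], []
    for name, value in headers:
        (safe if header_is_safe(name, value) else rejected).append((name, value))
    return safe, rejected

def splitting_guard(app):
    """WSGI middleware: filters response headers on their way to the server,
    a defence-in-depth layer while the stack still runs an affected WebOb."""
    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            safe, rejected = guard_headers(headers)
            if rejected:
                environ.get("wsgi.errors", sys.stderr).write(
                    "response splitting blocked: %d header(s) dropped\n" % len(rejected))
            return start_response(status, safe, exc_info)
        return app(environ, guarded_start_response)
    return wrapped

def webob_in_affected_range(version):
    """Snyk states the affected range as [,1.6.0a0): everything released before
    1.6.0 alpha 0.  Assumption: PEP 440 ordering on the release segment, with
    1.6.0.devN counted as affected because it sorts below 1.6.0a0."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    release = tuple(int(p or 0) for p in m.groups()[:3])
    return release < (1, 6, 0) or (release == (1, 6, 0) and m.group(4).startswith(".dev"))

# Constructed sample: a redirect whose target echoes an untrusted value that
# carries a CRLF, the shape of input that triggers the reported bug class.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Location", "/dataset?q=x\r\nSet-Cookie: injected=1"),
]
```

Wrapping the CKAN WSGI application with `splitting_guard` only limits the damage; the actual fix remains moving off the affected WebOb release.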