oauth2_proxy: Backport security fix (CVE-2017-1000070) #86108
Merged
+9
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Lgtm |
|
Perhaps mention the CVE in the patch filename?
https://www.cvedetails.com/cve/CVE-2017-1000070/
…On Mon, Apr 27, 2020, 10:17 Nikola Knežević ***@***.***> wrote:
This PR is the result of the discussion in #79840
<#79840>
@flokli <https://github.com/flokli> @arianvp <https://github.com/arianvp>
please take a look
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#86108 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEZNI6VK3LFWF25OKBFWLDROU5QVANCNFSM4MRWKI6A>
.
|
|
Is it possible to use |
knl
force-pushed
the
security-fix-oauth2_proxy
branch
from
df66b71 to
cf08beb
Compare
knl
changed the title
knl
force-pushed
the
security-fix-oauth2_proxy
branch
from
cf08beb to
b6c591c
Compare
TIL. Thanks, done. |
|
Could you remove the GitHub handles from the commit message? Otherwise I'll get s notification from every fork of nixpkgs on GitHub for the coming weeks due to Githubs completely broken notification policy |
Mic92
added
the
1.severity: security
Since 20.03 still uses old oauth2_proxy (3.2.0), which is not compatible with the newest one (5.1.0), this change backports an important security fix to 3.2.0: oauth2-proxy/oauth2-proxy@a316f8a The vulnerability is an open redirect, where a bad actor can redirect a session to another domain using `/\` in redirect URIs.
knl
force-pushed
the
security-fix-oauth2_proxy
branch
from
b6c591c to
92ab877
Compare
|
Result of |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
Since 20.03 still uses old oauth2_proxy (3.2.0), which is not compatible
with the newest one (5.1.0), this change backports an important security
fix to 3.2.0:
oauth2-proxy/oauth2-proxy@a316f8a
The vulnerability is an open redirect, where a bad actor can redirect a
session to another domain using
/\in redirect URIs.The patch has been obtained by running:
on https://github.com/pusher/oauth2_proxy repository clone.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)