From patchwork Tue Apr 25 13:44:23 2017
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 754836
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Tue, 25 Apr 2017 15:44:23 +0200
Message-Id: <20170425134423.3313-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] python-web2py: security bump to version 2.14.6

CVE-2016-4806 - Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.

CVE-2016-4807 - Web2py versions 2.14.5 and below were affected by a Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on a logged-in user (admin).

CVE-2016-4808 - Web2py versions 2.14.5 and below were affected by a CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing some unwanted actions, i.e. an attacker can trick a victim into disabling the installed application just by sending a URL to the victim.

CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

Signed-off-by: Peter Korsgaard
---
 package/python-web2py/python-web2py.hash | 2 +-
 package/python-web2py/python-web2py.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/python-web2py/python-web2py.hash b/package/python-web2py/python-web2py.hash index 3de8dbf4d..9c1de904c 100644 --- a/package/python-web2py/python-web2py.hash +++ b/package/python-web2py/python-web2py.hash
@@ -1,2 +1,2 @@ # sha256 locally computed -sha256 7e22a5624d8d2909e165110f0bec6b43ee36ff6834d689f4027e06dece662031 python-web2py-R-2.12.3.tar.gz +sha256 6079aeaa352ec51e0da5e6abc71fa74cdb3a781e06a311b5826618624362a7b2 python-web2py-R-2.14.6.tar.gz diff --git a/package/python-web2py/python-web2py.mk b/package/python-web2py/python-web2py.mk index 7fe9f82f8..9aadb3027 100644 --- a/package/python-web2py/python-web2py.mk +++ b/package/python-web2py/python-web2py.mk @@ -4,7 +4,7 @@ # ################################################################################ -PYTHON_WEB2PY_VERSION = R-2.12.3 +PYTHON_WEB2PY_VERSION = R-2.14.6 PYTHON_WEB2PY_SITE = $(call github,web2py,web2py,$(PYTHON_WEB2PY_VERSION)) PYTHON_WEB2PY_LICENSE = LGPL-3.0 PYTHON_WEB2PY_LICENSE_FILES = LICENSE
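Review bot: the replacement sha256 line in python-web2py.hash keeps the "# sha256 locally computed" comment, so the hash attests only to the archive the submitter fetched, not to anything upstream published; for a security bump it would help to state in the commit message how the tarball was obtained (the github helper in the .mk builds the URL from web2py/web2py and tag R-2.14.6) or, if upstream publishes a checksum or signature for this release, to reference that instead of a locally computed value. The new file name python-web2py-R-2.14.6.tar.gz does match the PYTHON_WEB2PY_VERSION change in the .mk hunk.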
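Review bot: the python-web2py.mk hunk moves PYTHON_WEB2PY_VERSION from R-2.12.3 to R-2.14.6, a jump over several upstream releases, while PYTHON_WEB2PY_LICENSE = LGPL-3.0 and PYTHON_WEB2PY_LICENSE_FILES = LICENSE are left untouched; the commit message should say whether the LICENSE file was checked for changes across that range. It would also be worth adding one sentence that 2.14.6 is the lowest release covering all four CVEs, since three of them are described as affecting "2.14.5 and below" and only CVE-2016-10321 is tied to "before 2.14.6".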