Safety vulnerability ID: 32204
The information on this page was manually curated by our Cybersecurity Intelligence Team.
pyramid before 1.6a2 does not sanitise JSONP callbacks correctly; see CVE-2014-4671.
https://github.com/Pylons/pyramid/commit/67efda77a878450c217b90370e1a47e2d35d772a
Latest version: 2.0.2
The Pyramid Web Framework, a Pylons project
==========================================
Bug Fixes
---------
- Ensure that ``pyramid.httpexceptions.exception_response`` returns the
  appropriate "concrete" class for ``400`` and ``500`` status codes.
  See https://github.com/Pylons/pyramid/issues/1832
- Fix an infinite recursion bug introduced in 1.6a1 when
  ``pyramid.view.render_view_to_response`` was called directly or indirectly.
  See https://github.com/Pylons/pyramid/issues/1643
- Further fix the JSONP renderer by prefixing the returned content with
  a comment. This should mitigate attacks from Flash (see CVE-2014-4671).
  See https://github.com/Pylons/pyramid/pull/1649
- Allow periods and brackets (``[]``) in the JSONP callback. The original
  fix was overly restrictive and broke Angular.
  See https://github.com/Pylons/pyramid/pull/1649
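The two JSONP fixes above combined into one illustrative renderer (an added example, not Pyramid's own code): the callback is restricted to a JavaScript member expression (identifier, dots, bracket indexes, so ``angular.callbacks._0`` still works) and the body is prefixed with ``/**/`` so the response cannot begin with attacker-chosen bytes that a Flash loader would accept. The regex and function names are this example's own, not the framework's.

```python
import json
import re

# Callback names that look like a JavaScript member expression:
# an identifier optionally followed by ".name" or "[index]" segments.
# Anything else (quotes, parentheses, semicolons, markup) is rejected.
# This pattern is an illustrative rule for this example, not Pyramid's regex.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"^{_IDENT}(?:\.{_IDENT}|\[(?:\d+|{_IDENT})\])*$")


def is_valid_callback(name: str) -> bool:
    """True only when `name` is a plain dotted/bracketed JS member expression."""
    return bool(_CALLBACK_RE.fullmatch(name))


def render_jsonp(value, callback: str) -> str:
    """Render `value` as a JSONP body with the CVE-2014-4671 mitigation applied.

    The leading JavaScript comment guarantees the first bytes of the response
    are fixed server-side, so a callback parameter can never be used to make
    the body parse as a Flash file while still being valid JavaScript.
    """
    if not is_valid_callback(callback):
        raise ValueError(f"invalid JSONP callback: {callback!r}")
    return "/**/" + callback + "(" + json.dumps(value) + ");"


if __name__ == "__main__":
    # Constructed sample: an Angular-style callback name with a small payload.
    print(render_jsonp({"ok": True}, "angular.callbacks._0"))
```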