Closed jonmasters closed 11 months ago
Hello @jonmasters,
I'm aware of this issue - I completely agree that the bugfix is broken because it completely breaks the previous behavior.
Anyway, I have fixed it in c6e4ef5af4ff17f54bcd189149e13eec7d50b84e. We are about to release a new version of Beaker with this fix. We are just finalizing a new release process.
-- For future Martin - backport CVE-2023-24329, rhbz#2173917
Thanks! It took me a few hours to find it as I’m not a beaker developer so I had to learn as I went. But the good news is hey I learned a lot about hacking on the code. Hope you’re all doing great!
Computer Architect
On Tue, Jan 2, 2024 at 04:18 Martin Styk @.***> wrote:
Hello @jonmasters https://github.com/jonmasters,
I'm aware of this issue - I completely agree that the bugfix is broken because it completely breaks the previous behavior.
Anyway, I have fixed it in c6e4ef5 https://github.com/beaker-project/beaker/commit/c6e4ef5af4ff17f54bcd189149e13eec7d50b84e. We are about to release a new version of Beaker with this fix. We are just finalizing a new release process.
There's a bug in the current beaker release when running on the latest fully updated RHEL7. A security bugfix added to RHEL7 (which I think is actually broken because it changes behavior of existing code) adds a check for bad bytes in urlparse, causing it to now attempt to dereference the url object as a string (though it might be None). The result is that distro imports are broken. The fix is to change distrotrees:add_distro_urls to use urlparse='' instead.