python-webob - Debian Package Tracker

general

source: python-webob (main)
version: 1:1.8.9-2
maintainer: Debian Python Team (DMD)
uploaders: Thomas Goirand [DMD] – Soren Hansen [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:1.8.6-1.1
oldstable: 1:1.8.6-3
stable: 1:1.8.9-1
testing: 1:1.8.9-1
unstable: 1:1.8.9-2

versioned links

1:1.8.6-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.8.6-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.8.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:1.8.9-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python-webob-doc
python3-webob

action needed

A new upstream version is available: 1.8.10 high

A new upstream version 1.8.10 is available, you should consider packaging it.

Created: 2026-06-24 Last update: 2026-06-24 22:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-44889: WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.

Created: 2026-06-23 Last update: 2026-06-24 17:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-44889: WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.

Created: 2026-06-23 Last update: 2026-06-24 17:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-44889: WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.

Created: 2026-06-23 Last update: 2026-06-24 17:30

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2026-44889: WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.

1 issue postponed or untriaged:

CVE-2024-42353: (postponed; to be fixed through a stable update) WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

Created: 2026-06-23 Last update: 2026-06-24 17:30

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-44889: WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.

1 issue left for the package maintainer to handle:

CVE-2024-42353: (needs triaging) WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-08-17 Last update: 2026-06-24 17:30

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-02-11 Last update: 2026-06-25 00:32

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-24 Last update: 2026-06-24 23:18

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit d130d1c14a01b28c615d7b434a092a3f81c2202b
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Wed Jun 24 13:00:01 2026 +0200

    rewrite d/watch in v5 format

Created: 2025-01-19 Last update: 2026-06-24 15:33

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

python-webob-doc could be marked Multi-Arch: foreign

Created: 2026-06-24 Last update: 2026-06-25 00:33

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 1:1.8.9-2 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-24 20:02

testing migrations

excuses:
- Migration status for python-webob (1:1.8.9-1 to 1:1.8.9-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for aodh/22.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for barbican/1:22.0.0-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for blazar/17.0.0-2: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for cinder/2:28.0.0-1: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for designate/1:22.0.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for glance/2:32.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for gnocchi/4.7.0-5: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for heat/1:26.0.0-2: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for ironic/1:35.0.1-7: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for keystone/2:29.0.1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for magnum/22.0.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for manila/1:22.0.0-2: amd64: Pass, arm64: Pass, i386: Failed (not a regression) ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for masakari/21.0.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for networking-sfc/22.0.0-1: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for neutron-dynamic-routing/2:28.0.0-3: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for nova/2:33.0.1-2: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Regression ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for octavia/18.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for openstack-trove/1:25.0.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for placement/15.0.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-ironic-lib/7.0.0-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-keystonemiddleware/12.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-microversion-parse/2.0.0-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-neutron-lib/3.24.0-3: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-os-ken/4.1.1-3: amd64: Pass, arm64: Pass, i386: Failed (not a regression) ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-oslo.messaging/17.3.0-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-oslo.middleware/8.0.0-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-oslo.service/4.5.1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-osprofiler/4.3.0-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pecan/1.5.1-6: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pyramid/2.0.2+dfsg-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-repoze.who/3.1.0-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-wikkid/0.5-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for routes/2.5.1-7: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for webtest/3.0.7-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for wsgiproxy2/0.5.1-3: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for zaqar/22.0.0-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Updating python-webob will fix bugs in testing: #1123459
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-webob.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-06-24] Accepted python-webob 1:1.8.9-2 (source) into unstable (Alexandre Detiste)
[2025-01-21] python-webob 1:1.8.9-1 MIGRATED to testing (Debian testing watch)
[2025-01-12] Accepted python-webob 1:1.8.9-1 (source) into unstable (Colin Watson)
[2024-11-20] python-webob 1:1.8.7-3 MIGRATED to testing (Debian testing watch)
[2024-11-15] Accepted python-webob 1:1.8.7-3 (source) into unstable (Thomas Goirand)
[2024-11-15] Accepted python-webob 1:1.8.7-2 (source) into unstable (Thomas Goirand)
[2024-03-06] python-webob 1:1.8.7-1 MIGRATED to testing (Debian testing watch)
[2024-03-01] Accepted python-webob 1:1.8.7-1 (source) into unstable (Alexandre Detiste)
[2022-10-22] python-webob 1:1.8.6-3 MIGRATED to testing (Debian testing watch)
[2022-10-17] Accepted python-webob 1:1.8.6-3 (source) into unstable (Jelmer Vernooĳ) (signed by: Jelmer Vernooij)
[2022-06-15] python-webob 1:1.8.6-2 MIGRATED to testing (Debian testing watch)
[2022-06-10] Accepted python-webob 1:1.8.6-2 (source) into unstable (Sandro Tosi)
[2020-11-19] python-webob 1:1.8.6-1.1 MIGRATED to testing (Debian testing watch)
[2020-11-14] Accepted python-webob 1:1.8.6-1.1 (source) into unstable (Matthias Klose)
[2020-03-28] python-webob 1:1.8.6-1 MIGRATED to testing (Debian testing watch)
[2020-03-22] Accepted python-webob 1:1.8.6-1 (source) into unstable (Piotr Ożarowski)
[2020-01-25] python-webob 1:1.8.5-2 MIGRATED to testing (Debian testing watch)
[2020-01-19] Accepted python-webob 1:1.8.5-2 (source) into unstable (Sandro Tosi)
[2019-01-11] python-webob 1:1.8.5-1 MIGRATED to testing (Debian testing watch)
[2019-01-05] Accepted python-webob 1:1.8.5-1 (source all) into unstable (Piotr Ożarowski) (signed by: Piotr Ozarowski)
[2019-01-02] python-webob 1:1.8.4-1 MIGRATED to testing (Debian testing watch)
[2018-12-28] Accepted python-webob 1:1.8.4-1 (source all) into unstable (TANIGUCHI Takaki)
[2018-09-10] python-webob 1:1.8.2-2 MIGRATED to testing (Debian testing watch)
[2018-09-05] Accepted python-webob 1:1.8.2-2 (source all) into unstable (Thomas Goirand)
[2018-08-23] Accepted python-webob 1:1.8.2-1 (source all) into experimental (Thomas Goirand)
[2017-11-07] python-webob 1:1.7.3-2 MIGRATED to testing (Debian testing watch)
[2017-11-01] Accepted python-webob 1:1.7.3-2 (source all) into unstable (Thomas Goirand)
[2017-09-17] Accepted python-webob 1:1.7.3-1 (source all) into experimental (Thomas Goirand)
[2017-01-30] python-webob 1:1.6.2-2 MIGRATED to testing (Debian testing watch)
[2017-01-19] Accepted python-webob 1:1.6.2-2 (source) into unstable (Ondřej Nový)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:1.8.9-1