Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

                    Security update for python-httplib2
                                28 May 2021


        AusCERT Security Bulletin Summary

Product:           python-httplib2
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21240 CVE-2020-11078 

Reference:         ESB-2021.1825

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for python-httplib2


Announcement ID:   SUSE-SU-2021:1779-1
Rating:            moderate
References:        #1171998 #1182053
Cross-References:  CVE-2020-11078 CVE-2021-21240
Affected Products:
                   SUSE OpenStack Cloud Crowbar 9
                   SUSE OpenStack Cloud 9

An update that fixes two vulnerabilities is now available.


This update for python-httplib2 contains the following fixes:
Security fixes included in this update:

  o CVE-2021-21240: Fixed a regular expression denial of service via malicious
    header (bsc#1182053).
  o CVE-2020-11078: Fixed an issue where an attacker could change request
    headers and body (bsc#1171998).

Non security fixes included in this update:

  o Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)

  o update to 0.19.0: * auth: parse headers using pyparsing instead of regexp *
    auth: WSSE token needs to be string not bytes

  o update to 0.18.1: (bsc#1171998, CVE-2020-11078) * explicit build-backend
    workaround for pip build isolation bug * IMPORTANT security vulnerability
    CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. *
    Ship test suite in source dist

  o update to 0.17.3: * bugfixes

  o Update to 0.17.1 * python3: no_proxy was not checked with https * feature:
    Http().redirect_codes set, works after follow(_all)_redirects check This
    allows one line workaround for old gcloud library that uses 308 response
    without redirect semantics. * IMPORTANT cache invalidation change, fix 307
    keep method, add 308 Redirects * proxy: username/password as str compatible
    with pysocks * python2: regression in connect() error handling * add
    support for password protected certificate files * feature: Http.close() to
    clean persistent connections and sensitive data

  o Update to 0.14.0: * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised

  o version update to 0.13.1 0.13.1 * Python3: Use no_proxy https://github.com/
    httplib2/httplib2/pull/140 0.13.0 * Allow setting TLS max/min versions
    https://github.com/httplib2/httplib2/pull/138 0.12.3 * No changes to
    library. Distribute py3 wheels. 0.12.1 * Catch socket timeouts and clear
    dead connection https://github.com/httplib2/httplib2/issues/18 https://
    github.com/httplib2/httplib2/pull/111 * Officially support Python 3.7
    (package metadata) https://github.com/httplib2/httplib2/issues/123 0.12.0 *
    Drop support for Python 3.3 * ca_certs from environment HTTPLIB2_CA_CERTS
    or certifi https://github.com/httplib2/httplib2/pull/117 * PROXY_TYPE_HTTP
    with non-empty user/pass raised TypeError: bytes required https://
    github.com/httplib2/httplib2/pull/115 * Revert http:443->https workaround
    https://github.com/httplib2/httplib2/issues/112 * eliminate connection pool
    read race https://github.com/httplib2/httplib2/pull/110 * cache: stronger
    safename https://github.com/httplib2/httplib2/pull/101 0.11.3 * No changes,
    just reupload of 0.11.2 after fixing automatic release conditions in
    Travis. 0.11.2 * proxy: py3 NameError basestring https://github.com/
    httplib2/httplib2/pull/100 0.11.1 * Fix HTTP(S)ConnectionWithTimeout
    AttributeError proxy_info https://github.com/httplib2/httplib2/pull/97
    0.11.0 * Add DigiCert Global Root G2 serial
    033af1e6a711a9a0bb2864b11d09fae5 https://github.com/httplib2/httplib2/pull/
    91 * python3 proxy support https://github.com/httplib2/httplib2/pull/90 *
    If no_proxy environment value ends with comma then proxy is not used https:
    //github.com/httplib2/httplib2/issues/11 * fix UnicodeDecodeError using
    socks5 proxy https://github.com/httplib2/httplib2/pull/64 * Respect
    NO_PROXY env var in proxy_info_from_url https://github.com/httplib2/
    httplib2/pull/58 * NO_PROXY=bar was matching foobar (suffix without dot
    delimiter) New behavior matches curl/wget:
    - no_proxy=foo.bar will only skip proxy for exact hostname match - no_proxy
    =.wild.card will skip proxy for any.subdomains.wild.card

https://github.com/httplib2/httplib2/issues/94 * Bugfix for Content-Encoding:
deflate https://stackoverflow.com/a/22311297
deleted patches - httplib2 started to use certifi and this is already bent to
use system certificate bundle.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1779=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1779=1

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (noarch):
  o SUSE OpenStack Cloud 9 (noarch):


  o https://www.suse.com/security/cve/CVE-2020-11078.html
  o https://www.suse.com/security/cve/CVE-2021-21240.html
  o https://bugzilla.suse.com/1171998
  o https://bugzilla.suse.com/1182053

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967