Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1858
Security update for python-httplib2
1 June 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-httplib2
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21240 CVE-2020-11078
Reference: ESB-2021.1832
ESB-2021.1825
Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-20211808-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211807-1
https://www.suse.com/support/update/announcement/2021/suse-su-20211806-1
Comment: This bulletin contains three (3) SUSE security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for python-httplib2
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:1806-1
Rating: moderate
References: #1171998 #1182053
Cross-References: CVE-2020-11078 CVE-2021-21240
Affected Products:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-httplib2 fixes the following issues:
o Update to version 0.19.0 (bsc#1182053).
o CVE-2021-21240: Fixed regular expression denial of service via malicious
header (bsc#1182053).
o CVE-2020-11078: Fixed unescaped part of uri where an attacker could change
request headers and body (bsc#1182053).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1806=
1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1806=
1
o SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1806=1
o SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1806=1
Package List:
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (noarch):
python2-httplib2-0.19.0-3.3.1
o SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (noarch):
python2-httplib2-0.19.0-3.3.1
o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
python3-httplib2-0.19.0-3.3.1
o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
python3-httplib2-0.19.0-3.3.1
References:
o https://www.suse.com/security/cve/CVE-2020-11078.html
o https://www.suse.com/security/cve/CVE-2021-21240.html
o https://bugzilla.suse.com/1171998
o https://bugzilla.suse.com/1182053
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:1807-1
Rating: moderate
References: #1171998 #1182053
Cross-References: CVE-2020-11078 CVE-2021-21240
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
o CVE-2021-21240: Fixed a regular expression denial of service via malicious
header (bsc#1182053).
o CVE-2020-11078: Fixed an issue where an attacker could change request
headers and body (bsc#1171998).
Non-security fixes included in this update:
o Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
o update to 0.19.0: * auth: parse headers using pyparsing instead of regexp *
auth: WSSE token needs to be string not bytes
o update to 0.18.1: (bsc#1171998, CVE-2020-11078) * explicit build-backend
workaround for pip build isolation bug * IMPORTANT security vulnerability
CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. *
Ship test suite in source dist
o update to 0.17.3: * bugfixes
o Update to 0.17.1 * python3: no_proxy was not checked with https * feature:
Http().redirect_codes set, works after follow(_all)_redirects check This
allows one line workaround for old gcloud library that uses 308 response
without redirect semantics. * IMPORTANT cache invalidation change, fix 307
keep method, add 308 Redirects * proxy: username/password as str compatible
with pysocks * python2: regression in connect() error handling * add
support for password protected certificate files * feature: Http.close() to
clean persistent connections and sensitive data
o Update to 0.14.0: * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised
TypeError
o version update to 0.13.1 0.13.1 * Python3: Use no_proxy https://github.com/
httplib2/httplib2/pull/140 0.13.0 * Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138 0.12.3 * No changes to
library. Distribute py3 wheels. 0.12.1 * Catch socket timeouts and clear
dead connection https://github.com/httplib2/httplib2/issues/18 https://
github.com/httplib2/httplib2/pull/111 * Officially support Python 3.7
(package metadata) https://github.com/httplib2/httplib2/issues/123 0.12.0 *
Drop support for Python 3.3 * ca_certs from environment HTTPLIB2_CA_CERTS
or certifi https://github.com/httplib2/httplib2/pull/117 * PROXY_TYPE_HTTP
with non-empty user/pass raised TypeError: bytes required https://
github.com/httplib2/httplib2/pull/115 * Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112 * eliminate connection pool
read race https://github.com/httplib2/httplib2/pull/110 * cache: stronger
safename https://github.com/httplib2/httplib2/pull/101 0.11.3 * No changes,
just reupload of 0.11.2 after fixing automatic release conditions in
Travis. 0.11.2 * proxy: py3 NameError basestring https://github.com/
httplib2/httplib2/pull/100 0.11.1 * Fix HTTP(S)ConnectionWithTimeout
AttributeError proxy_info https://github.com/httplib2/httplib2/pull/97
0.11.0 * Add DigiCert Global Root G2 serial
033af1e6a711a9a0bb2864b11d09fae5 https://github.com/httplib2/httplib2/pull/
91 * python3 proxy support https://github.com/httplib2/httplib2/pull/90 *
If no_proxy environment value ends with comma then proxy is not used https:
//github.com/httplib2/httplib2/issues/11 * fix UnicodeDecodeError using
socks5 proxy https://github.com/httplib2/httplib2/pull/64 * Respect
NO_PROXY env var in proxy_info_from_url https://github.com/httplib2/
httplib2/pull/58 * NO_PROXY=bar was matching foobar (suffix without dot
delimiter) New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match - no_proxy
=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94 * Bugfix for Content-Encoding:
deflate https://stackoverflow.com/a/22311297
deleted patches httplib2 started to use certifi and this is already bent to use
system certificate bundle.
o handle the case when validation is disabled correctly. The 'check_hostname'
context attribute has to be set first, othewise a "ValueError: Cannot set
verify_mode to CERT_NONE when check_hostname is enabled." exception is
raised.
o handle the case with ssl_version being None correctly
o Use ssl.create_default_context in the python2 case so that the system wide
certificates are loaded as trusted again.
o Source url must be https.
o Spec file cleanups
o Update to 0.10.3 * Fix certificate validation on Python<=2.7.8 without
ssl.CertificateError
o Update to 0.10.2 * Just a reupload of 0.10.1, which was broken for Python3
because wheel distribution doesn't play well with our 2/3 split code base.
o Update to 0.10.1 * Remove VeriSign Class 3 CA from trusted certs * Add
IdenTrust DST Root CA X3 * Support for specifying the SSL protocol version
(Python v2) * On App Engine use urlfetch's default deadline if None is
passed. * Fix TypeError on AppEngine "__init__() got an unexpected keyword
argument 'ssl_version'" * Send SNI data for SSL connections on Python
2.7.9+ * Verify the server hostname if certificate validation is enabled *
Add proxy_headers argument to ProxyInfo constructor * Make
disable_ssl_certificate_validation work with Python 3.5. * Fix socket error
handling
o Remove httplib2-bnc-818100.patch, merged upstream.
o Project moved from code.google.com to GitHub, fix the url accordingly
o attempt to build multi-python
o update and cleanup of httplib2-use-system-certs.patch, so that the
passthrough is clean for python2 and so that it does the right thing in
python3
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1807=1
o SUSE Linux Enterprise Module for Public Cloud 12:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-1807=1
Package List:
o SUSE OpenStack Cloud 7 (noarch):
python-httplib2-0.19.0-7.7.1
o SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
python-httplib2-0.19.0-7.7.1
References:
o https://www.suse.com/security/cve/CVE-2020-11078.html
o https://www.suse.com/security/cve/CVE-2021-21240.html
o https://bugzilla.suse.com/1171998
o https://bugzilla.suse.com/1182053
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:1808-1
Rating: moderate
References: #1171998 #1182053
Cross-References: CVE-2020-11078 CVE-2021-21240
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
HPE Helion Openstack 8
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
o CVE-2021-21240: Fixed a regular expression denial of service via malicious
header (bsc#1182053).
o CVE-2020-11078: Fixed an issue where an attacker could change request
headers and body (bsc#1171998).
Non security fixes included in this update:
o Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
o update to 0.19.0: * auth: parse headers using pyparsing instead of regexp *
auth: WSSE token needs to be string not bytes
o update to 0.18.1: (bsc#1171998, CVE-2020-11078) * explicit build-backend
workaround for pip build isolation bug * IMPORTANT security vulnerability
CWE-93 CRLF injection Force %xx quote of space, CR, LF characters in uri. *
Ship test suite in source dist
o update to 0.17.3: * bugfixes
o Update to 0.17.1 * python3: no_proxy was not checked with https * feature:
Http().redirect_codes set, works after follow(_all)_redirects check This
allows one line workaround for old gcloud library that uses 308 response
without redirect semantics. * IMPORTANT cache invalidation change, fix 307
keep method, add 308 Redirects * proxy: username/password as str compatible
with pysocks * python2: regression in connect() error handling * add
support for password protected certificate files * feature: Http.close() to
clean persistent connections and sensitive data
o Update to 0.14.0: * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised
TypeError
o version update to 0.13.1 0.13.1 * Python3: Use no_proxy https://github.com/
httplib2/httplib2/pull/140 0.13.0 * Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138 0.12.3 * No changes to
library. Distribute py3 wheels. 0.12.1 * Catch socket timeouts and clear
dead connection https://github.com/httplib2/httplib2/issues/18 https://
github.com/httplib2/httplib2/pull/111 * Officially support Python 3.7
(package metadata) https://github.com/httplib2/httplib2/issues/123 0.12.0 *
Drop support for Python 3.3 * ca_certs from environment HTTPLIB2_CA_CERTS
or certifi https://github.com/httplib2/httplib2/pull/117 * PROXY_TYPE_HTTP
with non-empty user/pass raised TypeError: bytes required https://
github.com/httplib2/httplib2/pull/115 * Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112 * eliminate connection pool
read race https://github.com/httplib2/httplib2/pull/110 * cache: stronger
safename https://github.com/httplib2/httplib2/pull/101 0.11.3 * No changes,
just reupload of 0.11.2 after fixing automatic release conditions in
Travis. 0.11.2 * proxy: py3 NameError basestring https://github.com/
httplib2/httplib2/pull/100 0.11.1 * Fix HTTP(S)ConnectionWithTimeout
AttributeError proxy_info https://github.com/httplib2/httplib2/pull/97
0.11.0 * Add DigiCert Global Root G2 serial
033af1e6a711a9a0bb2864b11d09fae5 https://github.com/httplib2/httplib2/pull/
91 * python3 proxy support https://github.com/httplib2/httplib2/pull/90 *
If no_proxy environment value ends with comma then proxy is not used https:
//github.com/httplib2/httplib2/issues/11 * fix UnicodeDecodeError using
socks5 proxy https://github.com/httplib2/httplib2/pull/64 * Respect
NO_PROXY env var in proxy_info_from_url https://github.com/httplib2/
httplib2/pull/58 * NO_PROXY=bar was matching foobar (suffix without dot
delimiter) New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match - no_proxy
=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94 * Bugfix for Content-Encoding:
deflate https://stackoverflow.com/a/22311297
deleted patches - httplib2 started to use certifi and this is already bent to
use system certificate bundle
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1808=1
o SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1808=1
o HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2021-1808=1
Package List:
o SUSE OpenStack Cloud Crowbar 8 (noarch):
python-httplib2-0.19.0-7.3.1
o SUSE OpenStack Cloud 8 (noarch):
python-httplib2-0.19.0-7.3.1
o HPE Helion Openstack 8 (noarch):
python-httplib2-0.19.0-7.3.1
References:
o https://www.suse.com/security/cve/CVE-2020-11078.html
o https://www.suse.com/security/cve/CVE-2021-21240.html
o https://bugzilla.suse.com/1171998
o https://bugzilla.suse.com/1182053
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYLXFVeNLKJtyKPYoAQg6ig//Q7kGirjuiKywvLtB7rhNTgw67H96Xl0t
YNqVpfMMPKg5104Q78rJqNRS4vWuKSZhaAz5aNDiqk+ELFwwYvm6hktCwbBWDYyF
PoO5FUSXuNivvb6tpyv4BsjSZUwmkrCP7iozythSA01vLJIbeIpUJ5NJpzjOuEVh
jZHzmqRKbkVSP/3y21qZMJHObyXBCBb6ErS+DqNEq0NvVWBMlFFnk4Y9bqLukUFL
f2lxuY0XqpngE/DUZfKhMS85czMidthNH0IUZhg5/izvHcjzKnqDiHAAr7jPy52S
mGLe8pDR/YrMy4KUbGXgq02ju5wSIQtGHTlavi+8wShNWLNq/Lc5bldBtelR+Mij
kzxpz63IkKovJcF6/nP2wiwbBxa8OmFLakH8NAwSpHccvhJAatm+7bhblMeVNFjh
4+oC/YrZpwb/MdN66QCHd0OAD6LP9bY2eZ1mOUQ7MyhBRYVWP8a+U5tN3ejZ1unG
+6qM8Gjh1fhhJIYDlGaSFyccJ0TGEyGvj+FxuOFjU7HF2uAK5bvhjVyiPpNkuf8d
1Ftt7l6bNWpznoGF70M2bOcnTuP9x54yKpbT5OnnM2gDYPwnGT6ibghJfLBFUZdE
f4USBfaGd6BsLU9kT9cSpVO3F209tp9VgMXM3dSQ/tGpJlRslDVBsBSWP4VJTL2f
GUyBkwrA2qg=
=i4/p
-----END PGP SIGNATURE-----