| Summary: | httpie new security issue CVE-2019-10751 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | httpie-1.0.2-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-11-26 21:55:02 CET
David Walser
2019-11-26 21:55:14 CET
Whiteboard:
(none) =>
MGA7TOO

httpie-1.0.3-1.mga8 uploaded for Cauldron by David.

Whiteboard:
MGA7TOO =>
(none)

Updated package uploaded by David for Mageia 7.

Advisory:
========================

Updated httpie packages fix security vulnerability:

HTTPie is vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or her control (CVE-2019-10751).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10751
https://lists.opensuse.org/opensuse-updates/2019-09/msg00009.html
========================

Updated packages in core/updates_testing:
========================
httpie-1.0.3-1.mga7
python3-httpie-1.0.3-1.mga7

from httpie-1.0.3-1.mga7.src.rpm

CC:
(none) =>
geiger.david68210

Tested ok MGA7 64

The two packages have different executables. They seem odd/reversed and unintuitive. httpie package has python2-http executable and python3-httpie has http executable.

Before
------

For httpie..

$ python2-http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:41:54 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

For python3-httpie...

$ http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:45:14 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

After
-----

Both now send "User-Agent: HTTPie/1.0.3", not in any way a regression but a change worthy of mention. All other output is identical.

Whiteboard:
(none) =>
has_procedure mga7-64-ok
David Walser
2019-11-27 19:08:21 CET
Whiteboard:
has_procedure mga7-64-ok =>
MGA7-64-OK

Thank you for the assist, Claire. Good to see you here again.

Validating. Advisory in Comment 2.

Keywords:
(none) =>
validated_update
Thomas Backlund
2019-11-30 12:16:26 CET
CC:
(none) =>
tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0351.html

Status:
NEW =>
RESOLVED
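
The advisory in this report describes a redirect deciding the name of a file written to the current directory. The Python below is an added example, not HTTPie's code and not part of this report: it contrasts that pattern with a hardened one, assuming a client that names the saved file after a URL path. The function names, hosts and redirect chain are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit


def _last_segment(url):
    # Decode percent-escapes first so "%2F" cannot hide a path separator.
    path = unquote(urlsplit(url).path).replace("\\", "/")
    return path.rsplit("/", 1)[-1]


def risky_name(redirect_chain):
    """Pattern from the advisory: the last hop of the redirect names the file."""
    return _last_segment(redirect_chain[-1]) or "index.html"


def safe_name(redirect_chain, exists=os.path.exists):
    """Name comes only from the URL the user typed; redirects cannot change it."""
    name = _last_segment(redirect_chain[0])
    # Allow-list characters and drop leading dots so no hidden file is created.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".") or "index.html"
    # Never overwrite an existing file: append -1, -2, ... until the name is free.
    candidate, n = name, 0
    while exists(candidate):
        n += 1
        candidate = f"{name}-{n}"
    return candidate


# Constructed redirect chain: the requested host bounces the client elsewhere.
CHAIN = [
    "http://downloads.example.org/tool.tar.gz",
    "http://other.example.net/picked-by-remote.txt",
]

if __name__ == "__main__":
    print("risky:", risky_name(CHAIN))
    print("safe: ", safe_name(CHAIN))
```
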