| Summary: | python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, bruno, jani.valimaa, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=29010 | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-urllib3-1.26.2-1.mga8.src.rpm | CVE: | CVE-2021-28363, CVE-2021-33503 |
| Status comment: | |||
Description

David Walser
2021-05-30 04:15:15 CEST

David Walser
2021-05-30 04:15:40 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29010

David Walser
2021-05-30 04:16:03 CEST

CC: (none) => bruno

Assigning.

Assignee: bugsquad => python

SUSE has issued an advisory on June 18:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009038.html

The issue is fixed upstream in 1.26.5:
https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

Mageia 7 and Mageia 8 are also affected.

Summary: python-urllib3 new security issue CVE-2021-28363 => python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503

Fedora has issued an advisory for CVE-2021-33503 on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/

pip 21.1 updates urllib3 to 1.26.4, but as of pip 21.1.2, urllib3 still hasn't been updated to 1.26.5 to address CVE-2021-33503. The python-urllib3 package itself has been updated to 1.26.5 in Cauldron.

The first part of the patch in this commit:
https://src.fedoraproject.org/rpms/mingw-python-urllib3/c/370b56fc70416e75e1ad05ec4449ae7624e0e991?branch=f34
can be added to patch pip-21.1.2/src/pip/_vendor/urllib3 but I'm sure it'll be fixed upstream in pip before long.

For slightly older pips, Fedora's patch could be used as a starting point:
https://src.fedoraproject.org/rpms/python-pip/c/e36c561614df9a20c4ec1b9b9100f271d210ceb9?branch=f34

Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Fedora has issued an advisory for this today (July 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

openSUSE has issued an advisory for the second CVE on July 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/

python-pip in Cauldron has been patched to fix CVE-2021-33503.

Source RPM: python-urllib3-1.26.2-3.mga9.src.rpm => python-urllib3-1.26.2-1.mga8.src.rpm

Pushed python-urllib3-1.26.5-1.mga8 to core/updates_testing.

SRPM(S): python-urllib3-1.26.5-1.mga8
RPM(S): python3-urllib3-1.26.5-1.mga8

CC: (none) => jani.valimaa

Thanks Jani! Some more references:
https://github.com/urllib3/urllib3/releases/tag/1.26.3
https://github.com/urllib3/urllib3/releases/tag/1.26.4
https://github.com/urllib3/urllib3/releases/tag/1.26.5

Status comment: Fixed upstream in 1.26.5 => (none)

mga8, x64

CVE-2021-33503
https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16
Shows poc test. No poc file though (upstream - where is that?). It appears that the poc is buried in the patch -> https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16#_1
The upstream quote shows over 4 minutes for a GET request before and a split second after the update. We shall have to take their word for it.

```
$ rpm -q python3-urllib3
python3-urllib3-1.26.2-1.mga8
```

https://github.com/urllib3/urllib3 simple tests:

```
$ python
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> resp = http.request("GET", "http://httpbin.org/robots.txt")
>>> resp.status
200
>>> resp.data
b'User-agent: *\nDisallow: /deny\n'
>>> exit()
```

Updated the package.

```
$ urpmq --whatrequires python3-urllib3 | sort -u
buku
meteo-qt
python3-botocore
python3-conda
python3-coveralls
python3-dulwich
python3-requests
python3-requests-unixsocket
python3-responses
python3-selenium
sansimera-qt
transifex-client
```

Installed buku, a browser bookmarks manager.

```
$ buku --ai
<Answered questions and picked Firefox browser. Bookmarks imported to database.>

$ strace -o buku.trace buku
a <open all results in browser>
s extrasolar
1. The Extrasolar Planets Encyclopaedia [153]
   > http://exoplanet.eu/
   # 2021jul26,menu
2. systemic [378]
   > http://www.oklo.org/
   # 2021jul26,astro,extrasolar,menu
3. systemic - Downloadable Console [379]
   > http://www.oklo.org/?page_id=86
   # 2021jul26,astro,extrasolar,menu
4. HubbleSite - NewsCenter - 'Survivor' Planets: Astronomers Witness First Steps of Planet Growth - and Destruction (04/26/2001) - Introduction [380]
   > http://hubblesite.org/newscenter/archive/releases/2001/13
   # 2021jul26,astro,extrasolar,menu
<and so on>
0 4
<That opened https://hubblesite.org/news/news-releases which contained the item required>
s mageia updates
<returned 164 results>
0 6
<switched to Mageia identity management>
^D to exit.
```

That works as far as it went.

```
$ grep urllib3 buku.trace
<lots of entries>
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
```

This will do.

CC: (none) => tarazed25

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

```
type: security
subject: Updated python-urllib3 package fixes security vulnerabilities
CVE:
  - CVE-2021-28363
  - CVE-2021-33503
src:
  8:
    core:
      - python-urllib3-1.26.5-1.mga8
description: |
  The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
  validation in some cases involving HTTPS to HTTPS proxies. The initial
  connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
  doesn't verify the hostname of the certificate. This means certificates for
  different servers that still validate properly with the default urllib3
  SSLContext will be silently accepted (CVE-2021-28363).

  An issue was discovered in urllib3 before 1.26.5. When provided with a URL
  containing many @ characters in the authority component, the authority regular
  expression exhibits catastrophic backtracking, causing a denial of service if
  a URL were passed as a parameter or redirected to via an HTTP redirect
  (CVE-2021-33503).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=29041
  - https://github.com/urllib3/urllib3/releases/tag/1.26.3
  - https://github.com/urllib3/urllib3/releases/tag/1.26.4
  - https://github.com/urllib3/urllib3/releases/tag/1.26.5
  - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
```

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0377.html

Status: NEW => RESOLVED
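As an added QA helper that is not part of this bug report, urllib3 or the Mageia package: it encodes the two affected version ranges stated in the advisory text above (1.26.x before 1.26.4 for CVE-2021-28363, anything before 1.26.5 for CVE-2021-33503), reports which CVEs an installed urllib3 is still exposed to, and builds the explicit SSLContext that the advisory names as the workaround for the proxy hostname check. The `proxy_ssl_context` keyword of `ProxyManager` mentioned in the comments is assumed from urllib3 1.26's API; urllib3 itself is imported lazily so the script also runs where it is absent.

```python
"""Added QA helper: which of the advisory's CVEs does a urllib3 version still carry?"""
import re
import ssl
from typing import Dict, Optional, Tuple

# Affected ranges [lo, hi) exactly as the advisory description states them.
AFFECTED = {
    "CVE-2021-28363": ((1, 26, 0), (1, 26, 4)),  # only the 1.26 series before 1.26.4
    "CVE-2021-33503": ((0, 0, 0), (1, 26, 5)),   # every release before 1.26.5
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.5' (or '1.26.5rc1', '1.26') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised urllib3 version: %r" % text)
    return tuple(int(g) for g in m.groups(default="0"))


def affected_cves(version: str) -> Dict[str, bool]:
    """Map each CVE of the advisory to True when `version` is inside its range."""
    v = parse_version(version)
    return {cve: lo <= v < hi for cve, (lo, hi) in AFFECTED.items()}


def installed_version() -> Optional[str]:
    """Version string of the importable urllib3, or None if it is not installed."""
    try:
        import urllib3  # lazy: the range checks above do not need the library
    except ImportError:
        return None
    return urllib3.__version__


def hardened_proxy_ssl_context() -> ssl.SSLContext:
    """Workaround for CVE-2021-28363 on an unpatched 1.26.x: hand this context to
    ProxyManager(proxy_url, proxy_ssl_context=...) (keyword assumed from 1.26) so
    the HTTPS proxy's certificate chain AND hostname are verified explicitly."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.check_hostname = True             # stated again so the intent is explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("urllib3 is not importable on this system")
    else:
        for cve, exposed in affected_cves(ver).items():
            print(f"urllib3 {ver}: {cve} {'AFFECTED' if exposed else 'not affected'}")
```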