| Summary: | httpie new security issue CVE-2022-24737 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | httpie-2.6.0-2.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2022-03-18 03:49:42 CET

David Walser 2022-03-18 03:49:53 CET
Status comment: (none) => Fixed upstream in 3.1.0

Assigning this globally because different people have dealt with it.
Assignee: bugsquad => pkg-bugs

New version pushed in mga8/9:

src:
- httpie-3.1.0-1.mga8

Version: Cauldron => 8

Hmmmm

Sorry, the following package cannot be selected:
- httpie-3.1.0-1.mga8.noarch (due to unsatisfied python3.8dist(charset-normalizer)[>= 2])

Seems that python3-requests-2.25.1-1.mga8 and its deps also need an update then...
..and/or python3-pygments-2.7.4-1.1.mga8

There is something really strange. On cauldron httpie pulls completely different dependencies.
- httpie-3.1.0-1.mga9.noarch
- python3-defusedxml-0.7.1-2.mga9.noarch
- python3-multidict-6.0.2-1.mga9.x86_64 -> not installed on MGA8 with httpie-2
- python3-requests+security-2.27.1-1.mga9.noarch -> not installed on MGA8 with httpie-2
- python3-requests-toolbelt-0.9.1-6.mga9.noarch -> not installed on MGA8 with httpie-2
David Walser 2022-03-19 18:08:02 CET
Keywords: (none) => feedback

Wow...224 days later and still no progress and broken.

Under cauldron:
- httpie-3.2.1-1.mga9.noarch.rpm cannot be installed via MCC because of missing deps
- it can be installed via terminal as it asks there to choose between two meta/task packages

Under Mageia 8:
- httpie-3.1.0-1.mga8.noarch cannot be installed via MCC because of missing deps

```
[root@test ~]# LC_ALL=C urpmi httpie
A requested package cannot be installed:
httpie-3.1.0-1.mga8.noarch (due to unsatisfied python3.8dist(charset-normalizer)[>= 2])
Continue installation anyway? (Y/n)
```

Is there still some life here?
sturmvogel 2022-10-29 13:23:57 CEST
Assignee: qa-bugs => pkg-bugs
David Walser 2022-10-29 23:38:03 CEST
Status comment: (none) => Dependency problem in update candidate

New packages in 8/Core/Updates_testing:
=========================
python3-charset-normalizer-3.0.1-1.mga8.noarch.rpm

From SRPMS:
python-charset-normalizer-3.0.1-1.mga8.src.rpm

CC: (none) => geiger.david68210
David Walser 2023-06-03 18:58:18 CEST
Status comment: Dependency problem in update candidate => (none)

What has to be tested now? Only python3-charset-normalizer-3.0.1-1.mga8.noarch.rpm or that plus some version of httpie???

CC: (none) => herman.viaene

httpie, now that it's installable.

Tried to install the httpie and the python mentioned above, drawing in another python package. That should be no problem, but ....

```
1 installation transactions failed
There was a problem during the installation:
python3.8dist(requests[socks]) >= 2.22 is needed by httpie-3.1.0-1.mga8.noarch
```

Confirmed in a VirtualBox mga8-64 Plasma guest where httpie was not previously installed. Using qarepo, I obtained the two packages from this update, then tried to install httpie:

```
The following 12 packages are going to be installed:
- httpie-3.1.0-1.mga8.noarch
- python3-cffi-1.14.4-1.mga8.x86_64
- python3-charset-normalizer-3.0.1-1.mga8.noarch
- python3-cryptography-3.3.1-1.1.mga8.x86_64
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-multidict-4.7.6-1.mga8.x86_64
- python3-OpenSSL-20.0.0-1.mga8.noarch
- python3-ply-3.11-5.mga8.noarch
- python3-pycparser-2.20-1.mga8.noarch
- python3-pygments-2.7.4-1.1.mga8.noarch
- python3-requests+security-2.25.1-1.mga8.noarch
- python3-requests-toolbelt-0.9.1-3.mga8.noarch
```

But the install failed with the same message that Herman saw.

CC: (none) => andrewsfarm
David Walser 2023-06-06 16:08:54 CEST
Keywords: (none) => feedback

Strange because the package python3-requests+socks is in mga8:

```
$ urpmq --provides python3-requests+socks-2.25.1-1.mga8.noarch.rpm
python-requests+socks[== 2.25.1-1.mga8]
python3-requests+socks[== 2.25.1-1.mga8]
python3.8-requests+socks[== 2.25.1-1.mga8]
python3.8dist(requests[socks])[== 2.25.1]
python3dist(requests[socks])[== 2.25.1]
```

Rpmdrake shows python3-requests+socks as there, but for some reason it isn't selecting it as a dependency of httpie. Choosing it, and its dependency python3-pysocks, allows the httpie installation to complete.

Please try with next httpie-3.1.0-1.1.mga8 update!

That did it. I restored the Vbox guest, and tried again. This time I got this list:

```
The following 8 packages are going to be installed:
- httpie-3.1.0-1.1.mga8.noarch
- python3-charset-normalizer-3.0.1-1.mga8.noarch
- python3-defusedxml-0.6.0-3.mga8.noarch
- python3-multidict-4.7.6-1.mga8.x86_64
- python3-pygments-2.7.4-1.1.mga8.noarch
- python3-pysocks-1.7.1-2.mga8.noarch
- python3-requests+socks-2.25.1-1.mga8.noarch
- python3-requests-toolbelt-0.9.1-3.mga8.noarch
```

I don't know why the difference from comment 13. I only know there were no installation issues this time.
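A way to check the dependency question the comments above raise, as an added example that is not part of the bug report or of Mageia's tooling: it parses the provides lines printed by `urpmq --provides` and the requires urpmi complained about, compares versions with a simplified rpmvercmp (an assumption, not librpm's exact algorithm), and reports which requirements no provide satisfies. The sample provides and requires are copied from this thread.

```python
import re

# One dependency in either spelling seen in this thread: "name[op version]" as in
# urpmq --provides / urpmi "unsatisfied" output, or "name op version" as in the
# failed-transaction message.
DEP_RE = re.compile(
    r"^(?P<name>.+?)(?:\s*\[\s*(?P<op1>[<>=]+)\s*(?P<ver1>[^\]]+)\]"
    r"|\s+(?P<op2>[<>=]+)\s+(?P<ver2>\S+))?$"
)

def version_cmp(a, b):
    """Return -1, 0 or 1. Simplified rpmvercmp (assumption, not librpm's)."""
    def seg(v):  # numeric chunks compare as integers and sort after alphabetic ones
        return [(1, int(s)) if s.isdigit() else (0, s)
                for s in re.findall(r"\d+|[A-Za-z]+", v)]
    sa, sb = seg(a), seg(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_dep(text):
    """Return (name, op, version); op and version are None when unversioned."""
    m = DEP_RE.match(text.strip())
    op = m.group("op1") or m.group("op2")
    ver = m.group("ver1") or m.group("ver2")
    return m.group("name"), op, (ver.strip() if ver else None)

def satisfies(provide, require):
    """True if one provides entry satisfies one requirement."""
    pname, pop, pver = parse_dep(provide)
    rname, rop, rver = parse_dep(require)
    if pname != rname:
        return False
    if rop is None or pop != "==":  # unversioned require or range provide:
        return True                  # assume a name match is enough
    c = version_cmp(pver, rver)
    return {"==": c == 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[rop]

def unsatisfied(provides, requires):
    """Requirements that no entry in provides satisfies."""
    return [r for r in requires if not any(satisfies(p, r) for p in provides)]

# Provides from the urpmq output above; requires are the two httpie dependencies
# urpmi reported in this thread.
PROVIDES = [
    "python3-requests+socks[== 2.25.1-1.mga8]",
    "python3.8dist(requests[socks])[== 2.25.1]",
    "python3dist(requests[socks])[== 2.25.1]",
]
REQUIRES = ["python3.8dist(requests[socks]) >= 2.22",
            "python3.8dist(charset-normalizer)[>= 2]"]
```

`unsatisfied(PROVIDES, REQUIRES)` returns only the charset-normalizer requirement; adding a provide such as `python3.8dist(charset-normalizer)[== 3.0.1]` (the version in this update) empties the list.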
Adapting a procedure from https://bugs.mageia.org/show_bug.cgi?id=25764#c3 (Thank you, Claire):

```
$ http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/3.1.0

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 08 Jun 2023 22:38:35 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>
```

And the https command:

```
$ https -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/3.1.0

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 08 Jun 2023 22:39:15 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>
```

Looks good to me. Validating.

Keywords: feedback => validated_update

Advisory committed to svn as ...

```yaml
type: security
subject: Updated httpie packages fix security vulnerability
CVE:
  - CVE-2022-24737
src:
  8:
    core:
      - httpie-3.1.0-1.1.mga8
      - python-charset-normalizer-3.0.1-1.mga8
description: |
  Cookie exposure to third parties (CVE-2022-24737)
references:
  - https://bugs.mageia.org/show_bug.cgi?id=30188
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/
```

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0196.html

Status: NEW => RESOLVED