Bug 32032

Summary: python-requests new security issue CVE-2023-32681
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-requests-2.28.2-1.mga9.src.rpm CVE:
Status comment:
Attachments: test1
test2
test1

Description David Walser 2023-06-20 14:02:17 CEST 
Debian-LTS has issued an advisory on June 18:
https://www.debian.org/lts/security/2023/dla-3456

The issue is fixed upstream in 2.31.0:
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q

Mageia 8 is also affected.
David Walser 2023-06-20 14:02:31 CEST

Status comment: (none) => Fixed upstream in 2.31.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-06-20 15:00:02 CEST 
Ubuntu has issued an advisory for this on June 12:
https://ubuntu.com/security/notices/USN-6155-1
Comment 2 David GEIGER 2023-06-20 16:37:39 CEST 
Done for both mga8 and cauldron adding patches!

Packages in 8/Core/Updates_testing:
======================

python3-requests-2.25.1-1.1.mga8.noarch.rpm
python3-requests+security-2.25.1-1.1.mga8.noarch.rpm
python3-requests+socks-2.25.1-1.1.mga8.noarch.rpm


From SRPMS:
python-requests-2.25.1-1.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.31.0 => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2023-06-21 15:04:01 CEST 
Sorry, the following package cannot be selected:

- python3-requests+socks-2.25.1-1.1.mga8.noarch (due to unsatisfied python3.8dist(pysocks)[< 1.5.7])
In the mean time I'll attach the test files from bug 15496.

CC: (none) => herman.viaene

David Walser 2023-06-21 15:08:40 CEST

Keywords: (none) => feedback

Comment 4 David GEIGER 2023-06-22 05:50:49 CEST 
Dependency fixed in:

Packages in 8/Core/Updates_testing:
======================

python3-requests-2.25.1-1.2.mga8.noarch.rpm
python3-requests+security-2.25.1-1.2.mga8.noarch.rpm
python3-requests+socks-2.25.1-1.2.mga8.noarch.rpm


From SRPMS:
python-requests-2.25.1-1.2.mga8.src.rpm
David Walser 2023-06-22 06:07:11 CEST

Keywords: feedback => (none)

Comment 5 Herman Viaene 2023-06-22 13:48:24 CEST 
Created attachment 13885 [details]
test1
Comment 6 Herman Viaene 2023-06-22 13:49:06 CEST 
Created attachment 13886 [details]
test2
Comment 7 Herman Viaene 2023-06-22 14:03:03 CEST 
Created attachment 13887 [details]
test1

Attachment 13885 is obsolete: 0 => 1

Comment 8 Herman Viaene 2023-06-22 14:05:50 CEST 
After correctiing the print commands for the test1 file:
$ python pyrequests_test1.py 
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.1639238983.1687435232 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=R0p4YNyXHtbr6VpXQVZhobz8ZjU75duEkBijj6gKeS058HP5mYvqkgNjqqlWFFNITpIxFFrYQUlOA5J5YYpIgj0plQ3Z3mTb%2FfIRRalBMjNbhXwmWe%2BnZx2Rn0wSbSFYxQV5YcWQzsiKF38Ss8zGDHV9GiT6K5e4Z11KkpI%2Br81%2Br6UQ41%2B7lr42oHzXnC%2Bg8dKKEcUrYAG%2FQzhnyZOdbFXbZ1u1Nc7DgFhC8t27mO%2BiwPcd69sW386rjW94G1X6cuPN1I72vzYcpisU42Vp1A%3D%3D--ZDyDuTbfHsaH1zjs--t%2BRcaB8abwSK79e6Pl%2BDlA%3D%3D for github.com/>]>
[tester8@mach7 Documents]$ python3 p
py3requests_test2.py  pyrequests_test1.py   

$ python3 py3requests_test2.py 
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.2019270416.1687435316 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=dDaqAK0D93igtK4%2BxzvRWPd5wyFOzNlOQUublDfYLiJwy19rqGFSuB9X5U39ntKMmZRf5YmafaHwVNpoLDt6IoDhfUv0xWsu%2BS%2BQcJt5M9fYWLHqjNyjtrfWr%2BPPpCVH2PsVtfKBvf3bPIrlaGlAlmWhiRIjK%2FwXuNxWb4QgTMWlYvDxSCpDgYNZPgVjtUs3YsT1am2EhFJJzzBIaJdjU3d0zPmlnd86bcfijLguiDdrtl%2B1vgv2TqByxrXMKtBFyYEYph2fJSj0mEy1dheNcw%3D%3D--3MIyhRfZNXNYo11M--RZJbZ%2BuKp4IDIsCzzEw2Jw%3D%3D for github.com/>]>

which corresponds nicely with the results in bug 15496, so good to go.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-06-22 16:25:25 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:41:02 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-06-28 07:23:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED