openSUSE has issued an advisory on September 2:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00009.html

The issue is fixed upstream in 1.0.3.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
httpie-1.0.3-1.mga8 uploaded for Cauldron by David.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: bugsquad => geiger.david68210
Updated package uploaded by David for Mageia 7.

Advisory:
========================

Updated httpie packages fix security vulnerability:

HTTPie is vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or her control (CVE-2019-10751).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10751
https://lists.opensuse.org/opensuse-updates/2019-09/msg00009.html
========================

Updated packages in core/updates_testing:
========================
httpie-1.0.3-1.mga7
python3-httpie-1.0.3-1.mga7

from httpie-1.0.3-1.mga7.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Tested ok MGA7 64

The two packages have different executables. They seem odd/reversed and unintuitive.
httpie package has python2-http executable and python3-httpie has http executable.

Before
------
For httpie..

$ python2-http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:41:54 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

For python3-httpie...

$ http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2

HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:45:14 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>

After
-----
Both now send "User-Agent: HTTPie/1.0.3", not in any way a regression but a change worthy of mention. All other output is identical.
Whiteboard: (none) => has_procedure mga7-64-ok
Whiteboard: has_procedure mga7-64-ok => MGA7-64-OK
Keywords: (none) => has_procedure
Thank you for the assist, Claire. Good to see you here again. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0351.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED