Bug 25764 - httpie new security issue CVE-2019-10751
Summary: httpie new security issue CVE-2019-10751
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-26 21:55 CET by David Walser
Modified: 2019-11-30 14:08 CET
CC List: 4 users

See Also:
Source RPM: httpie-1.0.2-3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-11-26 21:55:02 CET
openSUSE has issued an advisory on September 2:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00009.html

The issue is fixed upstream in 1.0.3.

Mageia 7 is also affected.
David Walser 2019-11-26 21:55:14 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2019-11-26 22:54:28 CET
httpie-1.0.3-1.mga8 uploaded for Cauldron by David.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2019-11-27 03:28:54 CET
Updated package uploaded by David for Mageia 7.

Advisory:
========================

Updated httpie packages fix security vulnerability:

HTTPie is vulnerable to Open Redirect that allows an attacker to write an
arbitrary file with supplied filename and content to the current directory, by
redirecting a request from HTTP to a crafted URL pointing to a server in his or
her control (CVE-2019-10751).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10751
https://lists.opensuse.org/opensuse-updates/2019-09/msg00009.html
========================

Updated packages in core/updates_testing:
========================
httpie-1.0.3-1.mga7
python3-httpie-1.0.3-1.mga7

from httpie-1.0.3-1.mga7.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
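The advisory above sums the bug class up in one sentence: a client that follows a redirect and then lets the final hop decide the name of the file it writes into the current directory hands that decision to whoever controls the redirect target. The following is an added example, not HTTPie's code and not the upstream 1.0.3 fix; it models a generic download client with a "trust the final response" filename policy next to a hardened one (take the name from the URL the user actually typed, reduce any Content-Disposition name to a safe basename, only honour Content-Disposition when it comes from the host the user addressed, and never overwrite). The hostnames, headers and redirect chain are constructed sample data, and the same-host rule is a policy choice of this example rather than anything the advisory prescribes.

```python
"""Filename policy for a redirect-following download client (added example,
not HTTPie's own code).  Models the CVE-2019-10751 bug class: a redirect to
an attacker-controlled server letting that server pick the file written to
the current directory.  All URLs and headers below are constructed."""
import os
import re
from urllib.parse import urlsplit, unquote

# Constructed redirect chain: the user asked for ORIGINAL_URL, the server
# answered 302 to FINAL_URL (a host the attacker controls), and that host
# sent a Content-Disposition naming the file it wants dropped in $PWD.
ORIGINAL_URL = "http://example.org/files/report.pdf"
FINAL_URL = "http://attacker.example/payload"
FINAL_HEADERS = {"Content-Disposition": 'attachment; filename="../../.bashrc"'}

# Matches filename="..." / filename=... / filename*=UTF-8''... (first occurrence).
_CD_FILENAME = re.compile(r'filename\*?\s*=\s*("?)([^";]+)\1', re.IGNORECASE)


def filename_from_content_disposition(value):
    """Extract the raw (unsanitised) filename parameter, or None."""
    m = _CD_FILENAME.search(value)
    if not m:
        return None
    name = m.group(2)
    if "''" in name:                      # RFC 5987 form: charset''percent-encoded
        name = name.split("''", 1)[1]
    return unquote(name)


def safe_basename(name):
    """Reduce a server-supplied name to a plain basename: no directories,
    no control characters, no leading dots (so no hidden dotfiles)."""
    name = name.replace("\\", "/")
    name = os.path.basename(name.rstrip("/"))   # drops any ../ prefix
    name = re.sub(r"[\x00-\x1f\x7f]", "", name).strip()
    name = name.lstrip(".")
    return name or None


def naive_output_filename(final_url, final_headers):
    """Vulnerable policy: whatever the final hop of the redirect says, verbatim."""
    cd = final_headers.get("Content-Disposition")
    if cd:
        name = filename_from_content_disposition(cd)
        if name:
            return name
    return os.path.basename(urlsplit(final_url).path) or "index.html"


def hardened_output_filename(original_url, final_url, final_headers, existing=frozenset()):
    """Hardened policy (this example's choice, not necessarily HTTPie's):
    1. Content-Disposition is honoured only if the final response came from
       the host the user addressed; a cross-host redirect target gets no say.
    2. Any honoured name is reduced to a safe basename.
    3. Otherwise fall back to the basename of the ORIGINAL URL, never the
       redirect target's URL.
    4. Never clobber an existing file: add a numeric suffix instead."""
    orig_host = urlsplit(original_url).hostname
    final_host = urlsplit(final_url).hostname
    name = None
    cd = final_headers.get("Content-Disposition")
    if cd and orig_host == final_host:
        raw = filename_from_content_disposition(cd)
        name = safe_basename(raw) if raw else None
    if name is None:
        name = safe_basename(urlsplit(original_url).path) or "index.html"
    candidate, n = name, 1
    root, ext = os.path.splitext(name)
    while candidate in existing:
        candidate = f"{root}-{n}{ext}"
        n += 1
    return candidate


if __name__ == "__main__":
    print("naive   :", naive_output_filename(FINAL_URL, FINAL_HEADERS))
    print("hardened:", hardened_output_filename(ORIGINAL_URL, FINAL_URL, FINAL_HEADERS))
```

With the constructed chain the naive policy returns `../../.bashrc`, i.e. a path outside the download directory chosen entirely by the redirect target, while the hardened policy returns `report.pdf`, the name the user asked for. The same-host check is deliberately conservative: a same-origin Content-Disposition is still reduced to a basename, so even a trusted server cannot name a dotfile or escape the directory.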

Comment 3 claire robinson 2019-11-27 18:52:42 CET
Tested ok MGA7 64

The two packages have different executables. They seem odd/reversed and unintuitive. httpie package has python2-http executable and python3-httpie has http executable.

Before
------
For httpie..

$ python2-http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2



HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:41:54 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>



For python3-httpie...

$ http -v mageia.org
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: mageia.org
User-Agent: HTTPie/1.0.2



HTTP/1.1 302 Found
Connection: Keep-Alive
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Nov 2019 17:45:14 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.mageia.org/
Server: Apache/2.4.39 (Mageia) OpenSSL/1.1.0j PHP/7.3.11

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.mageia.org/">here</a>.</p>
</body></html>


After
-----

Both now send "User-Agent: HTTPie/1.0.3", not in any way a regression but a change worthy of mention. All other output is identical.

Whiteboard: (none) => has_procedure mga7-64-ok

David Walser 2019-11-27 19:08:21 CET

Whiteboard: has_procedure mga7-64-ok => MGA7-64-OK
Keywords: (none) => has_procedure

Comment 4 Thomas Andrews 2019-11-29 01:26:10 CET
Thank you for the assist, Claire. Good to see you here again.

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:16:26 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-11-30 14:08:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0351.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

