Debian-LTS has issued an advisory on June 1: https://www.debian.org/lts/security/2020/dla-2232 The issue is fixed upstream in 0.18.0.
Another one for you, DavidG, sorry. Just that the registered maintainer is no longer active, and you have done the recent new versions.
Assignee: bugsquad => geiger.david68210
Fedora has issued an advisory for this on June 16: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/
Done for mga7!
Advisory:
========================

Updated python-httplib2 packages fix security vulnerability:

In httplib2, an attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping (CVE-2020-11078).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11078
https://www.debian.org/lts/security/2020/dla-2232
========================

Updated packages in core/updates_testing:
========================
python-httplib2-0.18.0-1.mga7
python3-httplib2-0.18.0-1.mga7

from python-httplib2-0.18.0-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
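The distinction the advisory draws between a URI built by string concatenation and one built with escaping, as an added example (not code from httplib2 or from this bug report). The endpoint, function names and sample value are assumptions constructed for illustration, and the control-character check is an application-side guard, not the upstream fix.

```python
from urllib.parse import quote, urlsplit

# Assumed endpoint for illustration; not taken from the advisory.
BASE = "https://api.example.test/search"

# Constructed sample of an untrusted value carrying a raw CR LF sequence.
SAMPLE = "mageia\r\nX-Injected: 1"


def build_uri_concat(term):
    """The pattern the advisory warns about: untrusted text concatenated as-is."""
    return BASE + "?q=" + term


def build_uri_escaped(term):
    """Percent-encode the untrusted part so it stays inside the query value."""
    return BASE + "?q=" + quote(term, safe="")


def has_unescaped_control(uri):
    """True if the URI holds raw space, CR, LF or any other control character,
    i.e. bytes that would land verbatim on the HTTP request line."""
    return any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in uri)


def checked_uri(uri):
    """Guard to call before passing a URI to httplib2.Http.request(),
    independent of the httplib2 version installed."""
    if has_unescaped_control(uri):
        raise ValueError("unescaped control character or space in URI")
    if urlsplit(uri).scheme not in ("http", "https"):
        raise ValueError("unexpected URI scheme")
    return uri


if __name__ == "__main__":
    for build in (build_uri_concat, build_uri_escaped):
        uri = build(SAMPLE)
        try:
            checked_uri(uri)
            print(build.__name__, "accepted:", uri)
        except ValueError as exc:
            print(build.__name__, "rejected:", exc)
```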
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 10055 for testing.
Set up the py files (will attach these) and run:
$ python get.py
{'status': '200', 'content-location': 'https://www.mageia.org/en/', 'x-powered-by': 'PHP/7.3.17', 'transfer-encoding': 'chunked', 'server': 'Apache/2.4.43 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.17 mod_perl/2.0.10 Perl/v5.28.2', 'date': 'Fri, 03 Jul 2020 09:35:05 GMT', 'content-type': 'text/html; charset=UTF-8'}
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Home of the Mageia project</title>
<meta name="description" content="Mageia is a community-based Linux distribution, for desktop & server.">
<meta name="keywords" content="linux, mageia, free software, operating system, computer, laptop, desktop, server, headless, device, mobile, mandriva, mandrake">
and a lot more....
and
$ python3 get3.py
{'date': 'Fri, 03 Jul 2020 09:41:16 GMT', 'server': 'Apache/2.4.43 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.17 mod_perl/2.0.10 Perl/v5.28.2', 'x-powered-by': 'PHP/7.3.17', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
and that's it.
What is shown looks OK, but I wonder whether this is what was wanted, the old updates do not really show the feedback of the test commands.
Anyway, tried the command script on my own site, and get:
$ python getown.py
Traceback (most recent call last):
  File "getown.py", line 3, in <module>
    resp, content = h.request("https://www.hermanviaene.be/", "GET")
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 2199, in request
    cachekey,
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1852, in _request
    conn, request_uri, method, body, headers
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1757, in _conn_request
    conn.connect()
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1406, in connect
    self.key_password,
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 99, in _ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=hostname)
  File "/usr/lib64/python2.7/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 836, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 288, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.hermanviaene.be' doesn't match either of '*.edpnet.net', 'edpnet.net'
which is correct, as I never bothered about certificates and get the same with the python3.
Tentatively OK'ing
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Created attachment 11729 [details] test command for python2
Created attachment 11730 [details] test command for python3
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0269.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED