Bug 26750 - python-httplib2 new security issue CVE-2020-11078
Summary: python-httplib2 new security issue CVE-2020-11078
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-06-09 19:25 CEST by David Walser
Modified: 2020-07-05 00:48 CEST (History)
5 users (show)

See Also:
Source RPM: python-httplib2-0.12.0-1.mga7.src.rpm
Status comment:

test command for python2 (125 bytes, text/plain)
2020-07-03 11:52 CEST, Herman Viaene
test command for python3 (134 bytes, text/plain)
2020-07-03 11:53 CEST, Herman Viaene

Description David Walser 2020-06-09 19:25:22 CEST
Debian-LTS has issued an advisory on June 1:

The issue is fixed upstream in 0.18.0.
Comment 1 Lewis Smith 2020-06-09 20:49:42 CEST
Another one for you, DavidG, sorry. Just that the registered maintainer is no longer active, and you have done the recent new versions.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2020-06-18 22:51:33 CEST
Fedora has issued an advisory for this on June 16:
Comment 3 David GEIGER 2020-06-19 06:48:38 CEST
Done for mga7!
Comment 4 David Walser 2020-06-19 17:04:31 CEST

Updated python-httplib2 packages fix security vulnerability:

In httplib2, an attacker controlling unescaped part of uri for
httplib2.Http.request() could change request headers and body, send additional
hidden requests to same server. This vulnerability impacts software that uses
httplib2 with uri constructed by string concatenation, as opposed to proper
urllib building with escaping (CVE-2020-11078).


Updated packages in core/updates_testing:

from python-httplib2-0.18.0-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2020-07-03 11:51:39 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 10055 for testing.
setup the py files (will attach these) and run:
$ python get.py
{'status': '200', 'content-location': 'https://www.mageia.org/en/', 'x-powered-by': 'PHP/7.3.17', 'transfer-encoding': 'chunked', 'server': 'Apache/2.4.43 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.17 mod_perl/2.0.10 Perl/v5.28.2', 'date': 'Fri, 03 Jul 2020 09:35:05 GMT', 'content-type': 'text/html; charset=UTF-8'}
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Home of the Mageia project</title>
    <meta name="description" content="Mageia is a community-based Linux distribution, for desktop & server.">
    <meta name="keywords" content="linux, mageia, free software, operating system, computer, laptop, desktop, server, headless, device, mobile, mandriva, mandrake">
and a lot more....
$ python3 get3.py
{'date': 'Fri, 03 Jul 2020 09:41:16 GMT', 'server': 'Apache/2.4.43 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.17 mod_perl/2.0.10 Perl/v5.28.2', 'x-powered-by': 'PHP/7.3.17', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
and that's it.
What is shown looks OK, but I wonder whether this is what was wanted, the old updates do not really show the feedback of thetest commands.
Anyway, tried the command script on my own site, and get:
$ python getown.py
Traceback (most recent call last):
  File "getown.py", line 3, in <module>
    resp, content = h.request("https://www.hermanviaene.be/", "GET")
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 2199, in request
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1852, in _request
    conn, request_uri, method, body, headers
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1757, in _conn_request
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 1406, in connect
  File "/usr/lib/python2.7/site-packages/httplib2/__init__.py", line 99, in _ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=hostname)
  File "/usr/lib64/python2.7/ssl.py", line 369, in wrap_socket
  File "/usr/lib64/python2.7/ssl.py", line 599, in __init__
  File "/usr/lib64/python2.7/ssl.py", line 836, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 288, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.hermanviaene.be' doesn't match either of '*.edpnet.net', 'edpnet.net'

which is correct, as I never bothered about certficates
and get the same with the python3

Tentatively OK'ing

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 6 Herman Viaene 2020-07-03 11:52:38 CEST
Created attachment 11729 [details]
test command for python2
Comment 7 Herman Viaene 2020-07-03 11:53:06 CEST
Created attachment 11730 [details]
test command for python3
Comment 8 Thomas Andrews 2020-07-04 03:39:38 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-04 23:44:27 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 9 Mageia Robot 2020-07-05 00:48:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.