Ubuntu has issued an advisory on October 5: https://ubuntu.com/security/notices/USN-4570-1 The issue is fixed upstream in 1.25.9. python-pip bundles this and may need to be fixed too. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=27301
Hi, thanks for reporting this bug. Assigned to the package maintainer. CC'd recent committer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => makowski.mageia
CC: (none) => jani.valimaa
Keywords: (none) => Triaged
RedHat has issued an advisory for this on October 20: https://access.redhat.com/errata/RHSA-2020:4299
Cauldron has 1.25.10, so it is not affected.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: python-urllib3-1.25.8-1.mga8.src.rpm => python-urllib3-1.24.3-1.1.mga7.src.rpm
Done for mga7!
CC: (none) => geiger.david68210
(In reply to David Walser from comment #0)
> python-pip bundles this and may need to be fixed too.
What about this? (See also Bug 27301 for python-pip).
python-urllib3 package list:
python2-urllib3-1.24.3-1.2.mga7
python3-urllib3-1.24.3-1.2.mga7
from python-urllib3-1.24.3-1.2.mga7.src.rpm
Status comment: (none) => Bundled copy in python-pip also needs to be fixed
python-pip now fixed
CC: (none) => bruno
New python-pip fully fixes this BR.
Status: NEW => ASSIGNED
Advisory:
========================

Updated python-urllib3 packages fix security vulnerability:

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (CVE-2020-26137).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
https://ubuntu.com/security/notices/USN-4570-1
========================

Updated packages in core/updates_testing:
========================

python2-urllib3-1.24.3-1.2.mga7
python3-urllib3-1.24.3-1.2.mga7

from python-urllib3-1.24.3-1.2.mga7.src.rpm
Depends on: (none) => 27301
Status comment: Bundled copy in python-pip also needs to be fixed => (none)
Assignee: makowski.mageia => qa-bugs
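The advisory above describes the defect: before 1.25.9, putrequest() accepted a caller-supplied method containing CR/LF, so an attacker who controls the method string can split the request line and inject headers. The Python below is an added example, not urllib3's or Mageia's code: it shows the kind of token check a fixed client applies (only RFC 7230 token characters are allowed in a method) and a comparison of a version string against the upstream fix; the helper names safe_request_line and urllib3_is_patched are this example's own, and the untrusted method strings are constructed.

```python
import re
from typing import Optional

# RFC 7230 "tchar": the only characters allowed in an HTTP method token.
# fullmatch() is used deliberately: a "$"-anchored match would accept "GET\n".
_TOKEN_RE = re.compile(r"[-!#$%&'*+.^_`|~0-9A-Za-z]+")

# First upstream urllib3 release with the putrequest() method check (CVE-2020-26137).
FIXED_VERSION = (1, 25, 9)


def is_valid_method(method: str) -> bool:
    """True only if `method` is a pure HTTP token (no CR, LF, space or separators)."""
    return _TOKEN_RE.fullmatch(method) is not None


def safe_request_line(method: str, target: str) -> str:
    """Build a request line, refusing any method that could break it across lines.

    Raises ValueError instead of emitting the CR/LF that unpatched urllib3
    (< 1.25.9) would have written into the request.
    """
    if not is_valid_method(method):
        raise ValueError("HTTP method contains non-token characters: %r" % method)
    return "%s %s HTTP/1.1\r\n" % (method, target)


def parse_version(text: str) -> tuple:
    """'1.24.3' -> (1, 24, 3); suffixes such as '1.25.9rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())


def urllib3_is_patched(version: Optional[str] = None) -> bool:
    """Compare a version string (or the installed urllib3) with the fixed release."""
    if version is None:
        try:
            import urllib3
        except ImportError:
            return False
        version = urllib3.__version__
    return parse_version(version) >= FIXED_VERSION


if __name__ == "__main__":
    # Constructed untrusted input: the last method carries an injected header.
    for m in ("GET", "HEAD", "GET\r\nX-Injected: yes\r\n"):
        try:
            print(repr(safe_request_line(m, "/")))
        except ValueError as e:
            print("rejected:", e)
    for v in ("1.24.3", "1.25.8", "1.25.9", "1.25.10"):
        print(v, "patched" if urllib3_is_patched(v) else "vulnerable")
```

The version comparison only applies to upstream releases: a distribution package that backports the fix, such as Mageia's 1.24.3-1.2, keeps the old upstream version string, so for those you must check the package changelog rather than urllib3.__version__.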
Installation done with no error message. Using the QA repo with the package list mentioned above, an update over the existing installation returns no errors.
==========================================
installation de python3-urllib3-1.24.3-1.2.mga7.noarch.rpm depuis //home/guillaume/qa-testing/x86_64
Préparation...                             ###########################
      1/1: python3-urllib3                 ###########################
      1/1: désinstallation de python3-urllib3-1.24.3-1.1.mga7.noarch   ###########################
writing /var/lib/rpm/installed-through-deps.list
CC: (none) => guillaume.royer
See this script for basic testing. Annotations will be added later. The jls8.pdf produced by one of the tests covers the Java Language Specification.

$ cat tutorial.py
# This python snippet exercises the basic functions of urllib3.
# It is a truncated version of the introduction at https://zetcode.com/python/urllib3/
# *** Install python3-certifi before running this ***
# The script was intended for python3 but seems to work with python2.
import urllib3
print( urllib3.__version__ )

# Plain HTTP GET and HEAD against a small test site
http = urllib3.PoolManager( )
url = 'http://webcode.me'
resp = http.request( 'GET', url )
print( resp.status )
print( resp.data.decode('utf-8') )

resp = http.request( 'HEAD', url )
print( resp.headers['Server'] )
print( resp.headers['Date'] )
print( resp.headers['Content-Type'] )
print( resp.headers['Last-Modified'] )

# Install python3-certifi to make this work (HTTPS with certificate verification)
import certifi
url = 'https://httpbin.org/anything'
http = urllib3.PoolManager( ca_certs=certifi.where( ) )
resp = http.request( 'GET', url )
print( resp.status )

# GET with query parameters
payload = { 'name': 'Peter', 'age': 23 }
url = 'https://httpbin.org/get'
req = http.request( 'GET', url, fields=payload )
print( req.data.decode( 'utf-8' ) )

# POST with form fields
url = 'https://httpbin.org/post'
req = http.request( 'POST', url, fields={ 'name': 'John Doe' } )
print( req.data.decode( 'utf-8' ) )

# POST with a JSON body
import json
payload = {'name': 'John Doe'}
encoded_data = json.dumps(payload).encode('utf-8')
resp = http.request( 'POST', 'https://httpbin.org/post', body=encoded_data,
                     headers={ 'Content-Type': 'application/json' } )
data = json.loads( resp.data.decode( 'utf-8' ) )['json']
print( data )

# Binary download in one read
url = 'http://webcode.me/favicon.ico'
req = http.request( 'GET', url )
with open( 'favicon.ico', 'wb' ) as f:
    f.write( req.data )

# Streamed download of a larger file (the JLS PDF)
url = "https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf"
local_filename = url.split('/')[-1]
http = urllib3.PoolManager( ca_certs=certifi.where() )
resp = http.request( 'GET', url, preload_content=False )
with open( local_filename, 'wb' ) as f:
    for chunk in resp.stream( 1024 ):
        f.write( chunk )
resp.release_conn( )

# Redirect following
url = 'https://httpbin.org/redirect-to?url=/'
resp = http.request( 'GET', url, redirect=True )
print( resp.status )
print( resp.geturl( ) )
print( resp.info( ) )
CC: (none) => tarazed25
You have tested it in Bug 27301 for the same fix, because of the embedded copy. Great work. So, validating. Advisory pushed to SVN.
Keywords: Triaged => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0055.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Created attachment 12259: Tests urllib3 module with a few simple examples

$ python3 tutorial.py

See session file for sample output.
Created attachment 12260: Output from running tutorial.py
Note that this is the same issue as CVE-2020-26116 in python itself (Bug 26268).