httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server. This is fixed in version 0.19.0, which contains a new implementation of auth header parsing using the pyparsing library.
CVE: (none) => CVE-2021-21240
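As an added example (not httplib2's code and not the pyparsing-based parser that 0.19.0 introduced), this single-pass WWW-Authenticate parser shows the property a fix for this class of bug needs: every character is consumed once at an explicit offset with no backtracking, so a run of "\xa0" is rejected at its first occurrence instead of burning CPU. MAX_HEADER_LEN, the pattern names and parse_www_authenticate are this example's own choices.

```python
import re

# RFC 7230 token, quoted-string (with quoted-pair) and list separators. Each
# pattern is applied with .match() at an explicit offset and has no ambiguous
# repetition, so matching advances linearly and never backtracks.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
SEP = re.compile(r"[ \t]*(?:,[ \t]*)*")
EQ = re.compile(r"[ \t]*=[ \t]*")
MAX_HEADER_LEN = 4096  # assumption: cap chosen for this example, not httplib2's


def parse_www_authenticate(value, max_len=MAX_HEADER_LEN):
    """Return [(scheme, {name: value}), ...] for auth-param style challenges.
    token68 challenges are not handled. Anything outside the grammar (for
    example a run of U+00A0 characters) raises ValueError at its first offset."""
    if len(value) > max_len:
        raise ValueError("header length %d exceeds %d" % (len(value), max_len))
    challenges, pos, n = [], 0, len(value)
    while pos < n:
        pos = SEP.match(value, pos).end()   # skip OWS and empty list elements
        if pos >= n:
            break
        scheme = TOKEN.match(value, pos)
        if not scheme:
            raise ValueError("expected auth-scheme at offset %d" % pos)
        params, pos = {}, scheme.end()
        challenges.append((scheme.group().lower(), params))
        while True:
            pos = SEP.match(value, pos).end()
            if pos >= n:
                break
            name = TOKEN.match(value, pos)
            if not name:
                raise ValueError("unexpected character at offset %d" % pos)
            eq = EQ.match(value, name.end())
            if not eq:
                break                       # no '=': a new challenge starts here
            val = QUOTED.match(value, eq.end())
            if val:
                text = re.sub(r"\\(.)", r"\1", val.group(1))  # undo quoted-pair
            else:
                val = TOKEN.match(value, eq.end())
                if not val:
                    raise ValueError("bad parameter value at offset %d" % eq.end())
                text = val.group()
            params[name.group().lower()] = text
            pos = val.end()
    return challenges
```

A client can call this as a guard on the raw header before handing it to an older parser, or use it to check how long a candidate parser takes on the hostile input described above.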
Upstream advisory released on February 8th 2021: https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
Assignee: bugsquad => makowski.mageia
Keywords: (none) => Triaged
Severity: normal => major
Keywords: Triaged => (none)
Whiteboard: (none) => MGA7TOO MGA8TOO
Status comment: (none) => Fixed upstream in 0.19.0
src:
- python-httplib2-0.19.0-1.mga7
- python-httplib2-0.19.0-1.mga8
Status comment: Fixed upstream in 0.19.0 => (none)
Assignee: makowski.mageia => qa-bugs
CC: (none) => mageia
RPMS list:
python-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga8
Version: Cauldron => 8
Whiteboard: MGA7TOO MGA8TOO => MGA7TOO
# urpmi python-httplib2 python3-httplib2
Some requested packages cannot be installed:
python-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python2.7dist(pyparsing)[>= 2.4.2])
python3-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python3.7dist(pyparsing)[>= 2.4.2])
CC: (none) => davidwhodgins
We need to make sure I can update it w/o breaking deps. Can someone using a mga 7 do urpmq --whatrequires python3-pyparsing for ex?
$ urpmq --whatrequires python3-pyparsing|sort -u
certbot-nginx
dot2tex
mitmproxy
odoo11
python3-cliff
python3-configshell
python3-httplib2
python3-matplotlib
python3-oslo-utils
python3-packaging
python3-pydot
python3-pyparsing
python3-rdflib
python3-rustcfg
$ urpmq --whatrequires python2-pyparsing|sort -u
odoo
puddletag
python2-celery
python2-cliff
python2-cmd2
python2-configshell
python2-matplotlib
python2-oslo-utils
python2-packaging
python2-pydot
python2-pyparsing
python-httplib2
python-rdflib
wfuzz
Advisory:
========================
Updated python-httplib2 packages fix security vulnerability:
A malicious server which responds with a long series of \xa0 characters in the www-authenticate header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server (CVE-2021-21240).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21240
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
mga8, x64
Referring to bug 26750 for test script.
Before update:
$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31)
[GCC 10.2.1 20210123] on linux
>>> import httplib2
>>> h = httplib2.Http('.cache')
>>> response, content = h.request('https://mageia.org', 'GET')
>>> print (dict(response.items()))
{'date': 'Thu, 04 Mar 2021 23:17:15 GMT', 'server': 'Apache/2.4.46 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.27 mod_perl/2.0.10 Perl/v5.28.3', 'x-powered-by': 'PHP/7.3.27', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
>>> exit()
Updated to python3-httplib2-0.19.0-1.mga8.
$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31)
>>> import httplib2
>>> h = httplib2.Http('.cache')
>>> response, content = h.request('https://mageia.org', 'GET')
>>> print (dict(response.items()))
{'date': 'Thu, 04 Mar 2021 23:25:53 GMT', 'server': 'Apache/2.4.46 (Mageia) OpenSSL/1.1.0l mod_fcgid/2.3.9 PHP/7.3.27 mod_perl/2.0.10 Perl/v5.28.3', 'x-powered-by': 'PHP/7.3.27', 'transfer-encoding': 'chunked', 'content-type': 'text/html; charset=UTF-8', 'status': '200', 'content-location': 'https://www.mageia.org/en/'}
>>> exit()
Fair enough.
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25
Adding feedback tag due to
python-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python2.7dist(pyparsing)[>= 2.4.2])
python3-httplib2-0.19.0-1.mga7.noarch (due to unsatisfied python3.7dist(pyparsing)[>= 2.4.2])
and reassigning back to the maintainer.
Keywords: (none) => feedback
Assignee: qa-bugs => makowski.mageia
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK
Assignee: makowski.mageia => python
can someone under mageia 7 provide the packages requiring python2.7dist(pyparsing) and python3.7dist(pyparsing) ?
(In reply to Nicolas Lécureuil from comment #12)
> can someone under mageia 7 provide the packages requiring
> python2.7dist(pyparsing) and python3.7dist(pyparsing) ?
See comment 6 and comment 7
(In reply to Dave Hodgins from comment #13)
> (In reply to Nicolas Lécureuil from comment #12)
> > can someone under mageia 7 provide the packages requiring
> > python2.7dist(pyparsing) and python3.7dist(pyparsing) ?
>
> See comment 6 and comment 7
sorry, perfect :-)
New rpm: python-pyparsing-2.4.2-1.mga7
RPMS list:
python-httplib2-0.19.0-1.mga7
python3-httplib2-0.19.0-1.mga7
python2-pyparsing-2.4.2-1.mga7
python3-pyparsing-2.4.2-1.mga7
python3-httplib2-0.19.0-1.mga8
Assignee: python => qa-bugs
Keywords: feedback => (none)
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug 26750 Comment 5 using test files. Output is same as there.
OK
CC: (none) => herman.viaene
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0122.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 28590 has been marked as a duplicate of this bug. ***
CC: (none) => petlaw726