Ubuntu has issued an advisory on May 19: https://ubuntu.com/security/notices/USN-4961-1 The issue is fixed upstream in 21.1. Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 21.1
Whiteboard: (none) => MGA8TOO, MGA7TOO
CC: (none) => bruno
To Python group; CC vicolas L, registered maintainer.
CC: (none) => mageia
Assignee: bugsquad => python
Fedora has issued an advisory for this on May 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/ They also fixed CVE-2021-28363 in the bundled python-urllib3.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29041
Fedora has issued an advisory for the original issue on May 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
python-pip-21.1.1-1.mga9 uploaded for Cauldron by Jani.
CC: (none) => jani.valimaa
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA7TOO => (none)
SUSE has issued an advisory for this today (July 13): https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
Summary: python-pip new security issue fixed upstream in 21.1 => python-pip new security issue fixed upstream in 21.1 (CVE-2021-3572)
fixed in mga8:

src:
- python-pip-20.3.3-3.1.mga8
Status comment: Fixed upstream in 21.1 => (none)
Assignee: python => qa-bugs
(In reply to David Walser from comment #2)
> Fedora has issued an advisory for this on May 24:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
>
> They also fixed CVE-2021-28363 in the bundled python-urllib3.

It looks like this was forgotten.
Assignee: qa-bugs => python
fix pushed with CVE-2021-28363 included

src:
- python-pip-20.3.3-3.2.mga8
Assignee: python => qa-bugs
Per bug 29041, I've also added the patch for CVE-2021-33503 in urllib3.

python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm
mga8, x64

CVE-2021-3572 has been reserved for the issue. No PoC as yet.

From https://bugzilla.suse.com/show_bug.cgi?id=1186819
It was discovered that pip incorrectly handled unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository.

Installed the updates.

Don't know any way to test this other than using pip. Correct me if that is wrong.

$ sudo pip install pandas
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip install --user` instead.
Collecting pandas
  Downloading pandas-1.3.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl (10.6 MB)
     |████████████████████████████████| 10.6 MB 2.9 MB/s
Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)
Installing collected packages: pandas
Successfully installed pandas-1.3.0
CC: (none) => tarazed25
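The tester above notes there is no PoC for CVE-2021-3572 and no obvious way to exercise it beyond a plain `pip install`. The following is an added, offline illustration of the bug class (it is not code from this bug report and not pip's own code): a `git show-ref` listing parsed with `str.splitlines()` and `str.split()` treats Unicode line boundaries (U+2028, U+0085, ...) and Unicode spaces (U+00A0, ...) as record and field separators, so a ref name carrying such characters can be read as a second record that overrides a legitimate tag. pip 21.1 moved to `split("\n")` plus `split(" ", 1)`; the two parsers here contrast the two styles. The sample listing, the SHA values, the ref names and the function names are all constructed for this example.

```python
"""Added illustration of the CVE-2021-3572 bug class (constructed example,
not pip's code): Unicode-aware splitting lets a crafted ref name masquerade
as an extra "<sha> <ref>" record in `git show-ref` output."""

from __future__ import annotations

GOOD_SHA = "1" * 40  # constructed: the commit refs/tags/v1.0 really points at
EVIL_SHA = "e" * 40  # constructed: the commit an attacker wants resolved instead

# Constructed `git show-ref v1.0`-style listing. The second ref name embeds
# U+2028 LINE SEPARATOR and U+00A0 NO-BREAK SPACE. Neither is an ASCII control
# character or an ASCII space, so git's ref-name rules do not reject them.
SAMPLE_SHOW_REF = (
    f"{GOOD_SHA} refs/tags/v1.0\n"
    f"{EVIL_SHA} refs/tags/zz\u2028{EVIL_SHA}\u00a0refs/tags/v1.0\n"
)


def parse_show_ref_lenient(output: str) -> dict[str, str]:
    """Pre-fix style: splitlines() breaks on U+2028, and split() with no
    argument breaks on U+00A0, so one physical line yields two records."""
    refs: dict[str, str] = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()
        refs[ref] = sha  # a later record silently overrides an earlier one
    return refs


def parse_show_ref_strict(output: str) -> dict[str, str]:
    """Fixed style: only "\\n" ends a record and only the first ASCII space
    separates the two fields, so the ref name is taken verbatim."""
    refs: dict[str, str] = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        try:
            sha, ref = line.split(" ", 1)
        except ValueError:
            raise ValueError(f"unexpected show-ref line: {line!r}") from None
        if len(sha) != 40 or any(c not in "0123456789abcdef" for c in sha):
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[ref] = sha
    return refs


def suspicious_refs(refs: dict[str, str]) -> list[str]:
    """Ref names that a Unicode-aware splitter would cut into pieces: a cheap
    sanity check before trusting a listing fetched from an untrusted remote."""
    return sorted(
        ref for ref in refs
        if len(ref.splitlines()) != 1 or len(ref.split()) != 1
    )


def resolve_tag(output: str, rev: str, parser) -> str | None:
    """Look the requested tag up the way a VCS backend would after show-ref."""
    return parser(output).get(f"refs/tags/{rev}")


if __name__ == "__main__":
    print("lenient resolves v1.0 to", resolve_tag(SAMPLE_SHOW_REF, "v1.0", parse_show_ref_lenient))
    print("strict  resolves v1.0 to", resolve_tag(SAMPLE_SHOW_REF, "v1.0", parse_show_ref_strict))
    print("suspicious ref names:", suspicious_refs(parse_show_ref_strict(SAMPLE_SHOW_REF)))
```

With the constructed listing the lenient parser resolves `v1.0` to `EVIL_SHA` while the strict parser returns `GOOD_SHA` and keeps the odd ref name intact, where `suspicious_refs` flags it. Swapping `split("\n")` back to `splitlines()` is enough to reintroduce the behaviour, which is what makes this class of bug easy to miss in review.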
Er, just noticed the advice to employ the --user option.

$ pip install --user pandas
Requirement already satisfied: pandas in /usr/local/lib64/python3.8/site-packages (1.3.0)
Requirement already satisfied: pytz>=2017.3 in /usr/lib/python3.8/site-packages (from pandas) (2020.5)
Requirement already satisfied: python-dateutil>=2.7.3 in /usr/lib/python3.8/site-packages (from pandas) (2.8.1)
Requirement already satisfied: numpy>=1.17.3 in /usr/lib64/python3.8/site-packages (from pandas) (1.19.4)
Requirement already satisfied: six>=1.5 in /usr/lib/python3.8/site-packages (from python-dateutil>=2.7.3->pandas) (1.15.0)
Advisory:
========================

Updated python-pip packages fix security vulnerabilities:

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository (CVE-2021-3572).

The bundled python-urllib3 is also vulnerable to:

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted (CVE-2021-28363).

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect (CVE-2021-33503).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29010
- https://bugs.mageia.org/show_bug.cgi?id=29041
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3572
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33503
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
- https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
========================

Updated packages in core/updates_testing:
========================

python-pip-wheel-20.3.3-3.3.mga8
python3-pip-20.3.3-3.3.mga8

from python-pip-20.3.3-3.3.mga8.src.rpm
CC: (none) => ouaurelien
(In reply to Aurelien Oudelet from comment #13)
> The bundled python-urllib3 is also vulnerable to:

You mean "was" not "is," let's not scare people :D
(In reply to David Walser from comment #14)
> (In reply to Aurelien Oudelet from comment #13)
> > The bundled python-urllib3 is also vulnerable to:
>
> You mean "was" not "is," let's not scare people :D

Oh yeah, agree!
Just to confirm that urllib3 works OK - ran the PoC for an earlier bug:

$ python
>>> import urllib
>>> import http.client
>>> conn = http.client.HTTPConnection('localhost',80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.8/http/client.py", line 1252, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.8/http/client.py", line 1263, in _send_request
    self.putrequest(method, url, **skips)
  File "/usr/lib64/python3.8/http/client.py", line 1091, in putrequest
    self._validate_method(method)
  File "/usr/lib64/python3.8/http/client.py", line 1188, in _validate_method
    raise ValueError(
ValueError: method can't contain control characters. 'GET / HTTP/1.1\r\nHost: abc\r\nRemainder:' (found at least '\r')

$ pip install --user easygui
Collecting easygui
  Downloading easygui-0.98.2-py2.py3-none-any.whl (92 kB)
     |████████████████████████████████| 92 kB 2.3 MB/s
Installing collected packages: easygui
Successfully installed easygui-0.98.2

$ cd .local/lib/python3.8/site-packages/easygui
$ python easygui.py

This launched the gui with a selection menu for graphical demos. That all worked well.

python-pip looks OK for 64-bits.
Whiteboard: (none) => MGA8-64-OK
Validating.

type: security
subject: Updated python-pip packages fix security vulnerabilities
CVE:
 - CVE-2021-3572
 - CVE-2021-28363
 - CVE-2021-33503
src:
  8:
   core:
     - python-pip-20.3.3-3.3.mga8
description: |
  A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository (CVE-2021-3572).

  The bundled python-urllib3 was also vulnerable to:

  The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted (CVE-2021-28363).

  An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect (CVE-2021-33503).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29010
 - https://bugs.mageia.org/show_bug.cgi?id=29041
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3L3JUBMPJJ7WYXI6JHX6KKYPPX676PR6/
 - https://lists.suse.com/pipermail/sle-security-updates/2021-July/009129.html
CVE: (none) => CVE-2021-3572, CVE-2021-28363, CVE-2021-33503
Keywords: (none) => advisory, validated_update
Source RPM: python-pip-20.3.3-5.mga9.src.rpm => python-pip-20.3.3-3.mga8.src.rpm
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0371.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED