Fedora has issued an advisory on May 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/ That is for python-pip (see Bug 29010), but it fixes an issue in python-urllib3, which is bundled in pip. The issue is fixed upstream in 1.26.4. Mageia 8 is also affected.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29010
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.26.4
CC: (none) => bruno
Assigning.
Assignee: bugsquad => python
CC: (none) => ouaurelien
SUSE has issued an advisory on June 18: https://lists.suse.com/pipermail/sle-security-updates/2021-June/009038.html The issue is fixed upstream in 1.26.5: https://github.com/advisories/GHSA-q2q7-5pp4-w6pg Mageia 7 and Mageia 8 are also affected.
Summary: python-urllib3 new security issue CVE-2021-28363 => python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503
Status comment: Fixed upstream in 1.26.4 => Fixed upstream in 1.26.5
Whiteboard: MGA8TOO => MGA8TOO, MGA7TOO
Fedora has issued an advisory for CVE-2021-33503 on June 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/
pip 21.1 updates urllib3 to 1.26.4, but as of pip 21.1.2, urllib3 still hasn't been updated to 1.26.5 to address CVE-2021-33503. The python-urllib3 package itself has been updated to 1.26.5 in Cauldron.
The first part of the patch in this commit: https://src.fedoraproject.org/rpms/mingw-python-urllib3/c/370b56fc70416e75e1ad05ec4449ae7624e0e991?branch=f34 can be added to patch pip-21.1.2/src/pip/_vendor/urllib3 but I'm sure it'll be fixed upstream in pip before long. For slightly older pips, Fedora's patch could be used as a starting point: https://src.fedoraproject.org/rpms/python-pip/c/e36c561614df9a20c4ec1b9b9100f271d210ceb9?branch=f34
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Fedora has issued an advisory for this today (July 4): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
openSUSE has issued an advisory for the second CVE on July 10: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/
python-pip in Cauldron has been patched to fix CVE-2021-33503.
Source RPM: python-urllib3-1.26.2-3.mga9.src.rpm => python-urllib3-1.26.2-1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Version: Cauldron => 8
Pushed python-urllib3-1.26.5-1.mga8 to core/updates_testing.

SRPM(S):
python-urllib3-1.26.5-1.mga8

RPM(S):
python3-urllib3-1.26.5-1.mga8
CC: (none) => jani.valimaa
Assignee: python => qa-bugs
Thanks Jani! Some more references:
https://github.com/urllib3/urllib3/releases/tag/1.26.3
https://github.com/urllib3/urllib3/releases/tag/1.26.4
https://github.com/urllib3/urllib3/releases/tag/1.26.5
Status comment: Fixed upstream in 1.26.5 => (none)
mga8, x64

CVE-2021-33503
https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16
Shows poc test. No poc file though (upstream - where is that?). It appears that the poc is buried in the patch -> https://src.fedoraproject.org/rpms/python-urllib3/pull-request/16#_1
The upstream quote shows over 4 minutes for a GET request before and a split second after the update. We shall have to take their word for it.

$ rpm -q python3-urllib3
python3-urllib3-1.26.2-1.mga8

https://github.com/urllib3/urllib3 simple tests:
$ python
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> resp = http.request("GET", "http://httpbin.org/robots.txt")
>>> resp.status
200
>>> resp.data
b'User-agent: *\nDisallow: /deny\n'
>>> exit()

Updated the package.

$ urpmq --whatrequires python3-urllib3 | sort -u
buku
meteo-qt
python3-botocore
python3-conda
python3-coveralls
python3-dulwich
python3-requests
python3-requests-unixsocket
python3-responses
python3-selenium
sansimera-qt
transifex-client

Installed buku, a browser bookmarks manager.
$ buku --ai
<Answered questions and picked Firefox browser. Bookmarks imported to database.>
$ strace -o buku.trace buku
a <open all results in browser>
s extrasolar
1. The Extrasolar Planets Encyclopaedia [153]
   > http://exoplanet.eu/
   # 2021jul26,menu
2. systemic [378]
   > http://www.oklo.org/
   # 2021jul26,astro,extrasolar,menu
3. systemic - Downloadable Console [379]
   > http://www.oklo.org/?page_id=86
   # 2021jul26,astro,extrasolar,menu
4. HubbleSite - NewsCenter - 'Survivor' Planets: Astronomers Witness First Steps of Planet Growth - and Destruction (04/26/2001) - Introduction [380]
   > http://hubblesite.org/newscenter/archive/releases/2001/13
   # 2021jul26,astro,extrasolar,menu
<and so on>
0 4
<That opened https://hubblesite.org/news/news-releases which contained the item required>
s mageia updates
<returned 164 results>
0 6
<switched to Mageia identity management>
^D to exit.
That works as far as it went.

$ grep urllib3 buku.trace
<lots of entries>
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3

This will do.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
type: security
subject: Updated python-urllib3 package fixes security vulnerabilities
CVE:
 - CVE-2021-28363
 - CVE-2021-33503
src:
  8:
   core:
     - python-urllib3-1.26.5-1.mga8
description: |
  The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
  validation in some cases involving HTTPS to HTTPS proxies. The initial
  connection to the HTTPS proxy (if an SSLContext isn't given via
  proxy_config) doesn't verify the hostname of the certificate. This means
  certificates for different servers that still validate properly with the
  default urllib3 SSLContext will be silently accepted (CVE-2021-28363).

  An issue was discovered in urllib3 before 1.26.5. When provided with a URL
  containing many @ characters in the authority component, the authority
  regular expression exhibits catastrophic backtracking, causing a denial of
  service if a URL were passed as a parameter or redirected to via an HTTP
  redirect (CVE-2021-33503).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29041
 - https://github.com/urllib3/urllib3/releases/tag/1.26.3
 - https://github.com/urllib3/urllib3/releases/tag/1.26.4
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/
Keywords: (none) => advisory
CVE: (none) => CVE-2021-28363, CVE-2021-33503
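As an added example (not Mageia's or urllib3's code), a small triage helper that applies the version boundaries stated in the advisory description to `rpm -q` output, plus a linear-time pre-check that rejects the malformed many-`@` authority shape behind CVE-2021-33503 before an untrusted URL reaches an unpatched urllib3. The function names and the reliance on RFC 3986's single-`@` authority rule are my assumptions.

```python
import re

# Version windows taken from the advisory text: (first affected, first fixed).
# CVE-2021-28363: 1.26.x before 1.26.4.  CVE-2021-33503: anything before 1.26.5.
ADVISORY_CVES = {
    "CVE-2021-28363": ((1, 26, 0), (1, 26, 4)),
    "CVE-2021-33503": ((0, 0, 0), (1, 26, 5)),
}


def parse_version(version):
    """'1.26.2' -> (1, 26, 2); stops at the first non-numeric piece."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_from_rpm(nvr):
    """'python3-urllib3-1.26.2-1.mga8' -> '1.26.2' (rpm name-version-release)."""
    return nvr.rsplit("-", 2)[1]


def outstanding_cves(version):
    """CVE ids from this advisory that still apply to the given urllib3 version."""
    v = parse_version(version)
    return {cve for cve, (lo, hi) in ADVISORY_CVES.items() if lo <= v < hi}


def authority_of(url):
    """Authority component: text after '://' up to the first '/', '?' or '#'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    for sep in "/?#":
        rest = rest.split(sep, 1)[0]
    return rest


def authority_ok(url, max_at=1):
    """Pre-check for untrusted URLs while urllib3 is still unpatched.

    RFC 3986 permits at most one literal '@' in the authority (the userinfo
    separator); more than that is malformed input and is exactly the shape
    that makes the old authority regex backtrack. Counting is O(n) and never
    reaches that regex.
    """
    return authority_of(url).count("@") <= max_at
```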
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0377.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED