Bug 32032 - python-requests new security issue CVE-2023-32681
Summary: python-requests new security issue CVE-2023-32681
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-20 14:02 CEST by David Walser
Modified: 2023-06-28 07:23 CEST
CC: 5 users

See Also:
Source RPM: python-requests-2.28.2-1.mga9.src.rpm
CVE:
Status comment:


Attachments:
- test1 (140 bytes, text/plain), 2023-06-22 13:48 CEST, Herman Viaene
- test2 (148 bytes, text/plain), 2023-06-22 13:49 CEST, Herman Viaene
- test1 (148 bytes, text/plain), 2023-06-22 14:03 CEST, Herman Viaene

Description David Walser 2023-06-20 14:02:17 CEST
Debian-LTS has issued an advisory on June 18:
https://www.debian.org/lts/security/2023/dla-3456

The issue is fixed upstream in 2.31.0:
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q

Mageia 8 is also affected.
David Walser 2023-06-20 14:02:31 CEST

Status comment: (none) => Fixed upstream in 2.31.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2023-06-20 15:00:02 CEST
Ubuntu has issued an advisory for this on June 12:
https://ubuntu.com/security/notices/USN-6155-1
Comment 2 David GEIGER 2023-06-20 16:37:39 CEST
Done for both mga8 and cauldron adding patches!

Packages in 8/Core/Updates_testing:
======================

python3-requests-2.25.1-1.1.mga8.noarch.rpm
python3-requests+security-2.25.1-1.1.mga8.noarch.rpm
python3-requests+socks-2.25.1-1.1.mga8.noarch.rpm


From SRPMS:
python-requests-2.25.1-1.1.mga8.src.rpm

Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 2.31.0 => (none)
CC: (none) => geiger.david68210
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2023-06-21 15:04:01 CEST
Sorry, the following package cannot be selected:

- python3-requests+socks-2.25.1-1.1.mga8.noarch (due to unsatisfied python3.8dist(pysocks)[< 1.5.7])

In the meantime I'll attach the test files from bug 15496.

CC: (none) => herman.viaene

David Walser 2023-06-21 15:08:40 CEST

Keywords: (none) => feedback

Comment 4 David GEIGER 2023-06-22 05:50:49 CEST
Dependency fixed in:

Packages in 8/Core/Updates_testing:
======================

python3-requests-2.25.1-1.2.mga8.noarch.rpm
python3-requests+security-2.25.1-1.2.mga8.noarch.rpm
python3-requests+socks-2.25.1-1.2.mga8.noarch.rpm


From SRPMS:
python-requests-2.25.1-1.2.mga8.src.rpm
David Walser 2023-06-22 06:07:11 CEST

Keywords: feedback => (none)

Comment 5 Herman Viaene 2023-06-22 13:48:24 CEST
Created attachment 13885 [details]
test1
Comment 6 Herman Viaene 2023-06-22 13:49:06 CEST
Created attachment 13886 [details]
test2
Comment 7 Herman Viaene 2023-06-22 14:03:03 CEST
Created attachment 13887 [details]
test1

Attachment 13885 is obsolete: 0 => 1

Comment 8 Herman Viaene 2023-06-22 14:05:50 CEST
After correcting the print commands for the test1 file:
$ python pyrequests_test1.py 
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.1639238983.1687435232 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=R0p4YNyXHtbr6VpXQVZhobz8ZjU75duEkBijj6gKeS058HP5mYvqkgNjqqlWFFNITpIxFFrYQUlOA5J5YYpIgj0plQ3Z3mTb%2FfIRRalBMjNbhXwmWe%2BnZx2Rn0wSbSFYxQV5YcWQzsiKF38Ss8zGDHV9GiT6K5e4Z11KkpI%2Br81%2Br6UQ41%2B7lr42oHzXnC%2Bg8dKKEcUrYAG%2FQzhnyZOdbFXbZ1u1Nc7DgFhC8t27mO%2BiwPcd69sW386rjW94G1X6cuPN1I72vzYcpisU42Vp1A%3D%3D--ZDyDuTbfHsaH1zjs--t%2BRcaB8abwSK79e6Pl%2BDlA%3D%3D for github.com/>]>
[tester8@mach7 Documents]$ python3 p
py3requests_test2.py  pyrequests_test1.py   

$ python3 py3requests_test2.py 
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.2019270416.1687435316 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=dDaqAK0D93igtK4%2BxzvRWPd5wyFOzNlOQUublDfYLiJwy19rqGFSuB9X5U39ntKMmZRf5YmafaHwVNpoLDt6IoDhfUv0xWsu%2BS%2BQcJt5M9fYWLHqjNyjtrfWr%2BPPpCVH2PsVtfKBvf3bPIrlaGlAlmWhiRIjK%2FwXuNxWb4QgTMWlYvDxSCpDgYNZPgVjtUs3YsT1am2EhFJJzzBIaJdjU3d0zPmlnd86bcfijLguiDdrtl%2B1vgv2TqByxrXMKtBFyYEYph2fJSj0mEy1dheNcw%3D%3D--3MIyhRfZNXNYo11M--RZJbZ%2BuKp4IDIsCzzEw2Jw%3D%3D for github.com/>]>

which corresponds nicely with the results in bug 15496, so good to go.

Whiteboard: (none) => MGA8-64-OK

Comment 9 Thomas Andrews 2023-06-22 16:25:25 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:41:02 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 10 Mageia Robot 2023-06-28 07:23:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0210.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
