Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-11078 (GCVE-0-2020-11078)
Vulnerability from cvelistv5 – Published: 2020-05-20 16:00 – Updated: 2024-08-04 11:21
VLAI
EPSS
Title
CRLF injection in httplib2
Summary
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Severity
6.8 (Medium)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/httplib2/httplib2/security/adv… | x_refsource_CONFIRM |
| https://github.com/httplib2/httplib2/commit/a1457… | x_refsource_MISC |
| https://lists.apache.org/thread.html/rc9eff957294… | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2020… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r23711190c2e… | mailing-listx_refsource_MLIST |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
| https://lists.apache.org/thread.html/r69a462e690b… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/rad8872fc99f… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r7f364000066… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r4d35dac106f… | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.81.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-16T18:06:04.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
}
],
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
},
"title": "CRLF injection in httplib2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11078",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.81.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
}
]
},
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11078",
"datePublished": "2020-05-20T16:00:16.000Z",
"dateReserved": "2020-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:21:14.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-11078",
"date": "2026-05-31",
"epss": "0.03277",
"percentile": "0.87394"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-11078\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-05-20T16:15:10.657\",\"lastModified\":\"2024-11-21T04:56:44.373\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.\"},{\"lang\":\"es\",\"value\":\"En httplib2 versiones anteriores a 0.18.0, un atacante controla una parte no escapada de un uri para la funci\u00f3n \\\"httplib2.Http.request()\\\" pod\u00eda cambiar los encabezados y el cuerpo de las peticiones, enviar peticiones ocultas adicionales hacia el mismo servidor. Esta vulnerabilidad impacta al software que usa httplib2 con un uri construido mediante una concatenaci\u00f3n en cadena, a diferencia de una construcci\u00f3n apropiada de urllib con escape. Esto ha sido corregido en la versi\u00f3n 0.18.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.18.0\",\"matchCriteriaId\":\"AD58F185-66FE-4DD5-845F-7AF423F1859B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}],\"references\":[{\"url\":\"https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Title
Уязвимость компонента httplib2 библиотеки HTTP Python-httplib2, позволяющая нарушителю оказать воздействие на целостность данных
Description
Уязвимость компонента httplib2 библиотеки HTTP Python-httplib2 связана с непринятием мер по нейтрализации последовательностей CRLF. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, оказать воздействие на целостность данных
Severity
Vendor
ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения
Software Name
Astra Linux Special Edition (запись в едином реестре российских программ №369), Debian GNU/Linux, Python-httplib2
Software Version
1.6 «Смоленск» (Astra Linux Special Edition), 10 (Debian GNU/Linux), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), до 0.18.0 (Python-httplib2)
Possible Mitigations
Для Python-httplib2:
использование рекомендаций производителя: https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
Для Debian:
использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2020-11078
Для ОС Astra Linux:
обновить пакет python-httplib2 до 0.11.3-2+astra2+ci202309151042+astra1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17
Для Astra Linux 1.6 «Смоленск»:
обновить пакет python-httplib2 до 0.11.3-2+astra2+ci202309151042+astra1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16
Для Astra Linux Special Edition 4.7:
обновить пакет python-httplib2 до 0.11.3-2+astra2+ci202309151042+astra1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47
Reference
https://github.com/
https://nvd.nist.gov/vuln/detail/CVE-2020-11078
https://security-tracker.debian.org/tracker/CVE-2020-11078
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47
CWE
CWE-93
{
"CVSS 2.0": "AV:N/AC:M/Au:N/C:N/I:C/A:N",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 10 (Debian GNU/Linux), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), \u0434\u043e 0.18.0 (Python-httplib2)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Python-httplib2:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq\n\n\u0414\u043b\u044f Debian:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2020-11078\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 python-httplib2 \u0434\u043e 0.11.3-2+astra2+ci202309151042+astra1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\n\n\u0414\u043b\u044f Astra Linux 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 python-httplib2 \u0434\u043e 0.11.3-2+astra2+ci202309151042+astra1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 python-httplib2 \u0434\u043e 0.11.3-2+astra2+ci202309151042+astra1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "20.05.2020",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "27.04.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "11.11.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-07617",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-11078",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Debian GNU/Linux, Python-httplib2",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 httplib2 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 HTTP Python-httplib2, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u0435\u0439 CRLF (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 CRLF) (CWE-93)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 httplib2 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 HTTP Python-httplib2 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0441\u0442\u0435\u0439 CRLF. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11078\nhttps://security-tracker.debian.org/tracker/CVE-2020-11078\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20231214SE16\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-93",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)"
}
Title
httplib2注入漏洞
Description
httplib2是一款HTTP客户端库。
httplib2 0.18.0之前版本中存在注入漏洞。攻击者可通过控制的uri(httplib2.Http.request())未转义部分利用该漏洞更改请求标头和正文,并将其他隐藏请求发送到同一服务器。
Severity
中
Patch Name
httplib2注入漏洞 的补丁
Patch Description
httplib2是一款HTTP客户端库。
httplib2 0.18.0之前版本中存在注入漏洞。攻击者可通过控制的uri(httplib2.Http.request())未转义部分利用该漏洞更改请求标头和正文,并将其他隐藏请求发送到同一服务器。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
Reference
https://nvd.nist.gov/vuln/detail/CVE-2020-11078
Impacted products
| Name | httplib2 httplib2 <0.18.0 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-11078"
}
},
"description": "httplib2\u662f\u4e00\u6b3eHTTP\u5ba2\u6237\u7aef\u5e93\u3002\n\nhttplib2 0.18.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63a7\u5236\u7684uri\uff08httplib2.Http.request()\uff09\u672a\u8f6c\u4e49\u90e8\u5206\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u6539\u8bf7\u6c42\u6807\u5934\u548c\u6b63\u6587\uff0c\u5e76\u5c06\u5176\u4ed6\u9690\u85cf\u8bf7\u6c42\u53d1\u9001\u5230\u540c\u4e00\u670d\u52a1\u5668\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-37699",
"openTime": "2021-05-28",
"patchDescription": "httplib2\u662f\u4e00\u6b3eHTTP\u5ba2\u6237\u7aef\u5e93\u3002\r\n\r\nhttplib2 0.18.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63a7\u5236\u7684uri\uff08httplib2.Http.request()\uff09\u672a\u8f6c\u4e49\u90e8\u5206\u5229\u7528\u8be5\u6f0f\u6d1e\u66f4\u6539\u8bf7\u6c42\u6807\u5934\u548c\u6b63\u6587\uff0c\u5e76\u5c06\u5176\u4ed6\u9690\u85cf\u8bf7\u6c42\u53d1\u9001\u5230\u540c\u4e00\u670d\u52a1\u5668\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "httplib2\u6ce8\u5165\u6f0f\u6d1e \u7684\u8865\u4e01",
"products": {
"product": "httplib2 httplib2 \u003c0.18.0"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078",
"serverity": "\u4e2d",
"submitTime": "2020-05-21",
"title": "httplib2\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2020-11078
Vulnerability from fkie_nvd - Published: 2020-05-20 16:15 - Updated: 2024-11-21 04:56
Severity
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| httplib2_project | httplib2 | * | |
| fedoraproject | fedora | 31 | |
| fedoraproject | fedora | 32 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD58F185-66FE-4DD5-845F-7AF423F1859B",
"versionEndExcluding": "0.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
},
{
"lang": "es",
"value": "En httplib2 versiones anteriores a 0.18.0, un atacante controla una parte no escapada de un uri para la funci\u00f3n \"httplib2.Http.request()\" pod\u00eda cambiar los encabezados y el cuerpo de las peticiones, enviar peticiones ocultas adicionales hacia el mismo servidor. Esta vulnerabilidad impacta al software que usa httplib2 con un uri construido mediante una concatenaci\u00f3n en cadena, a diferencia de una construcci\u00f3n apropiada de urllib con escape. Esto ha sido corregido en la versi\u00f3n 0.18.0."
}
],
"id": "CVE-2020-11078",
"lastModified": "2024-11-21T04:56:44.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-20T16:15:10.657",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23%40%3Cissues.beam.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89%40%3Ccommits.allura.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-93"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-GG84-QGV9-W4PQ
Vulnerability from github – Published: 2020-05-20 15:55 – Updated: 2024-09-20 21:55
VLAI
Summary
CRLF injection in httplib2
Details
Impact
Attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server.
Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.
Patches
Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.
Workarounds
Create URI with urllib.parse family functions: urlencode, urlunsplit.
user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:"
-uri = "https://api.server/?q={}".format(user_input)
+uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), ""))
http.request(uri)
References
https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html
Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.
For more information
If you have any questions or comments about this advisory: * Open an issue in httplib2 * Email current maintainer at 2020-05
Severity
6.8 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "httplib2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-11078"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-20T15:55:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nAttacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server.\n\nImpacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.\n\n### Patches\nProblem has been fixed in 0.18.0\nSpace, CR, LF characters are now quoted before any use.\nThis solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.\n\n### Workarounds\nCreate URI with `urllib.parse` family functions: `urlencode`, `urlunsplit`.\n\n```diff\nuser_input = \" HTTP/1.1\\r\\ninjected: attack\\r\\nignore-http:\"\n-uri = \"https://api.server/?q={}\".format(user_input)\n+uri = urllib.parse.urlunsplit((\"https\", \"api.server\", \"/v1\", urllib.parse.urlencode({\"q\": user_input}), \"\"))\nhttp.request(uri)\n```\n\n### References\nhttps://cwe.mitre.org/data/definitions/93.html\nhttps://docs.python.org/3/library/urllib.parse.html\n\nThanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2020-05](mailto:temotor@gmail.com)",
"id": "GHSA-gg84-qgv9-w4pq",
"modified": "2024-09-20T21:55:12Z",
"published": "2020-05-20T15:55:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078"
},
{
"type": "WEB",
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"type": "PACKAGE",
"url": "https://github.com/httplib2/httplib2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2020-46.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CRLF injection in httplib2"
}
GSD-2020-11078
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-11078",
"description": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"id": "GSD-2020-11078",
"references": [
"https://www.suse.com/security/cve/CVE-2020-11078.html",
"https://access.redhat.com/errata/RHSA-2021:2116",
"https://access.redhat.com/errata/RHSA-2020:5004",
"https://access.redhat.com/errata/RHSA-2020:5003",
"https://access.redhat.com/errata/RHSA-2020:4605",
"https://advisories.mageia.org/CVE-2020-11078.html",
"https://alas.aws.amazon.com/cve/html/CVE-2020-11078.html",
"https://linux.oracle.com/cve/CVE-2020-11078.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-11078"
],
"details": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"id": "GSD-2020-11078",
"modified": "2023-12-13T01:22:08.284395Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11078",
"STATE": "PUBLIC",
"TITLE": "CRLF injection in httplib2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "httplib2",
"version": {
"version_data": [
{
"version_value": "\u003c 0.81.0"
}
]
}
}
]
},
"vendor_name": "httplib2"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"refsource": "CONFIRM",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
"refsource": "MISC",
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
}
]
},
"source": {
"advisory": "GHSA-gg84-qgv9-w4pq",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.18.0",
"affected_versions": "All versions before 0.18.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-93",
"CWE-937"
],
"date": "2020-08-19",
"description": "In httplib2, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.",
"fixed_versions": [
"0.18.0"
],
"identifier": "CVE-2020-11078",
"identifiers": [
"CVE-2020-11078",
"GHSA-gg84-qgv9-w4pq"
],
"not_impacted": "All versions starting from 0.18.0",
"package_slug": "pypi/httplib2",
"pubdate": "2020-05-20",
"solution": "Upgrade to version 0.18.0 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-11078"
],
"uuid": "27212464-5aad-4cfb-bb81-e0899aa75bbf"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.18.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11078"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-93"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
},
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
},
{
"name": "[allura-commits] 20200521 [allura] branch master updated: Upgrade httplib2 for CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200601 [SECURITY] [DLA 2232-1] python-httplib2 security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
},
{
"name": "[beam-issues] 20200602 [jira] [Created] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
},
{
"name": "FEDORA-2020-a7a15a9687",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J/"
},
{
"name": "FEDORA-2020-37779a5c93",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI/"
},
{
"name": "[beam-issues] 20200802 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200802 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Updated] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
},
{
"name": "[beam-issues] 20200816 [jira] [Commented] (BEAM-10180) Upgrade httplib2 to \u003e 0.18.0 to resolve CVE-2020-11078",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0
}
},
"lastModifiedDate": "2020-08-19T18:56Z",
"publishedDate": "2020-05-20T16:15Z"
}
}
}
OPENSUSE-SU-2021:0772-1
Vulnerability from csaf_opensuse - Published: 2021-05-23 04:05 - Updated: 2021-05-23 04:05Summary
Security update for python-httplib2
Severity
Moderate
Notes
Title of the patch: Security update for python-httplib2
Description of the patch: This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).
Non security fixes included in this update:
- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
- update to 0.19.0:
* auth: parse headers using pyparsing instead of regexp
* auth: WSSE token needs to be string not bytes
- update to 0.18.1: (bsc#1171998, CVE-2020-11078)
* explicit build-backend workaround for pip build isolation bug
* IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
* Ship test suite in source dist
- Update to 0.17.1
* python3: no_proxy was not checked with https
* feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
* IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects
* proxy: username/password as str compatible with pysocks
* python2: regression in connect() error handling
* add support for password protected certificate files
* feature: Http.close() to clean persistent connections and sensitive data
- Update to 0.14.0:
* Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError
- version update to 0.13.1
0.13.1
* Python3: Use no_proxy
https://github.com/httplib2/httplib2/pull/140
0.13.0
* Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138
0.12.3
* No changes to library. Distribute py3 wheels.
0.12.1
* Catch socket timeouts and clear dead connection
https://github.com/httplib2/httplib2/issues/18
https://github.com/httplib2/httplib2/pull/111
* Officially support Python 3.7 (package metadata)
https://github.com/httplib2/httplib2/issues/123
0.12.0
* Drop support for Python 3.3
* ca_certs from environment HTTPLIB2_CA_CERTS or certifi
https://github.com/httplib2/httplib2/pull/117
* PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required
https://github.com/httplib2/httplib2/pull/115
* Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112
* eliminate connection pool read race
https://github.com/httplib2/httplib2/pull/110
* cache: stronger safename
https://github.com/httplib2/httplib2/pull/101
0.11.3
* No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.
0.11.2
* proxy: py3 NameError basestring
https://github.com/httplib2/httplib2/pull/100
0.11.1
* Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
https://github.com/httplib2/httplib2/pull/97
0.11.0
* Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
https://github.com/httplib2/httplib2/pull/91
* python3 proxy support
https://github.com/httplib2/httplib2/pull/90
* If no_proxy environment value ends with comma then proxy is not used
https://github.com/httplib2/httplib2/issues/11
* fix UnicodeDecodeError using socks5 proxy
https://github.com/httplib2/httplib2/pull/64
* Respect NO_PROXY env var in proxy_info_from_url
https://github.com/httplib2/httplib2/pull/58
* NO_PROXY=bar was matching foobar (suffix without dot delimiter)
New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94
* Bugfix for Content-Encoding: deflate
https://stackoverflow.com/a/22311297
- deleted patches
- Removing certifi patch:
httplib2 started to use certifi and this is already bent to
use system certificate bundle by another patch
This update was imported from the SUSE:SLE-15:Update update project.
Patchnames: openSUSE-2021-772
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-httplib2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- version update to 0.13.1\n 0.13.1\n * Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443-\u003ehttps workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - no_proxy=foo.bar will only skip proxy for exact hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - Removing certifi patch:\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle by another patch\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-772",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0772-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0772-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ANZIEBB4AJVGYC2KYDE7RDSTFBBTL5ID/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0772-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ANZIEBB4AJVGYC2KYDE7RDSTFBBTL5ID/"
},
{
"category": "self",
"summary": "SUSE Bug 1171998",
"url": "https://bugzilla.suse.com/1171998"
},
{
"category": "self",
"summary": "SUSE Bug 1182053",
"url": "https://bugzilla.suse.com/1182053"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11078 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11078/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21240 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21240/"
}
],
"title": "Security update for python-httplib2",
"tracking": {
"current_release_date": "2021-05-23T04:05:51Z",
"generator": {
"date": "2021-05-23T04:05:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0772-1",
"initial_release_date": "2021-05-23T04:05:51Z",
"revision_history": [
{
"date": "2021-05-23T04:05:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"product": {
"name": "python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"product_id": "python2-httplib2-0.19.0-lp152.6.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-httplib2-0.19.0-lp152.6.3.1.noarch",
"product": {
"name": "python3-httplib2-0.19.0-lp152.6.3.1.noarch",
"product_id": "python3-httplib2-0.19.0-lp152.6.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-httplib2-0.19.0-lp152.6.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch"
},
"product_reference": "python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-httplib2-0.19.0-lp152.6.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
},
"product_reference": "python3-httplib2-0.19.0-lp152.6.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11078",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11078"
}
],
"notes": [
{
"category": "general",
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11078",
"url": "https://www.suse.com/security/cve/CVE-2020-11078"
},
{
"category": "external",
"summary": "SUSE Bug 1171998 for CVE-2020-11078",
"url": "https://bugzilla.suse.com/1171998"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-23T04:05:51Z",
"details": "moderate"
}
],
"title": "CVE-2020-11078"
},
{
"cve": "CVE-2021-21240",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21240"
}
],
"notes": [
{
"category": "general",
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21240",
"url": "https://www.suse.com/security/cve/CVE-2021-21240"
},
{
"category": "external",
"summary": "SUSE Bug 1182053 for CVE-2021-21240",
"url": "https://bugzilla.suse.com/1182053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-httplib2-0.19.0-lp152.6.3.1.noarch",
"openSUSE Leap 15.2:python3-httplib2-0.19.0-lp152.6.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-23T04:05:51Z",
"details": "moderate"
}
],
"title": "CVE-2021-21240"
}
]
}
OPENSUSE-SU-2021:0796-1
Vulnerability from csaf_opensuse - Published: 2021-05-26 12:05 - Updated: 2021-05-26 12:05Summary
Security update for python-httplib2
Severity
Moderate
Notes
Title of the patch: Security update for python-httplib2
Description of the patch: This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).
Non security fixes included in this update:
- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
- update to 0.19.0:
* auth: parse headers using pyparsing instead of regexp
* auth: WSSE token needs to be string not bytes
- update to 0.18.1: (bsc#1171998, CVE-2020-11078)
* explicit build-backend workaround for pip build isolation bug
* IMPORTANT security vulnerability CWE-93 CRLF injection
Force %xx quote of space, CR, LF characters in uri.
* Ship test suite in source dist
- Update to 0.17.1
* python3: no_proxy was not checked with https
* feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
* IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects
* proxy: username/password as str compatible with pysocks
* python2: regression in connect() error handling
* add support for password protected certificate files
* feature: Http.close() to clean persistent connections and sensitive data
- Update to 0.14.0:
* Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError
- version update to 0.13.1
0.13.1
* Python3: Use no_proxy
https://github.com/httplib2/httplib2/pull/140
0.13.0
* Allow setting TLS max/min versions
https://github.com/httplib2/httplib2/pull/138
0.12.3
* No changes to library. Distribute py3 wheels.
0.12.1
* Catch socket timeouts and clear dead connection
https://github.com/httplib2/httplib2/issues/18
https://github.com/httplib2/httplib2/pull/111
* Officially support Python 3.7 (package metadata)
https://github.com/httplib2/httplib2/issues/123
0.12.0
* Drop support for Python 3.3
* ca_certs from environment HTTPLIB2_CA_CERTS or certifi
https://github.com/httplib2/httplib2/pull/117
* PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required
https://github.com/httplib2/httplib2/pull/115
* Revert http:443->https workaround
https://github.com/httplib2/httplib2/issues/112
* eliminate connection pool read race
https://github.com/httplib2/httplib2/pull/110
* cache: stronger safename
https://github.com/httplib2/httplib2/pull/101
0.11.3
* No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.
0.11.2
* proxy: py3 NameError basestring
https://github.com/httplib2/httplib2/pull/100
0.11.1
* Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
https://github.com/httplib2/httplib2/pull/97
0.11.0
* Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
https://github.com/httplib2/httplib2/pull/91
* python3 proxy support
https://github.com/httplib2/httplib2/pull/90
* If no_proxy environment value ends with comma then proxy is not used
https://github.com/httplib2/httplib2/issues/11
* fix UnicodeDecodeError using socks5 proxy
https://github.com/httplib2/httplib2/pull/64
* Respect NO_PROXY env var in proxy_info_from_url
https://github.com/httplib2/httplib2/pull/58
* NO_PROXY=bar was matching foobar (suffix without dot delimiter)
New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
https://github.com/httplib2/httplib2/issues/94
* Bugfix for Content-Encoding: deflate
https://stackoverflow.com/a/22311297
- deleted patches
- Removing certifi patch:
httplib2 started to use certifi and this is already bent to
use system certificate bundle by another patch
This update was imported from the SUSE:SLE-15:Update update project.
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patchnames: openSUSE-2021-796
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-httplib2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-httplib2 contains the following fixes:\n\nSecurity fixes included in this update:\n- CVE-2021-21240: Fixed a regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed an issue where an attacker could change request headers and body (bsc#1171998).\n\nNon security fixes included in this update:\n- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)\n\n- update to 0.19.0:\n * auth: parse headers using pyparsing instead of regexp\n * auth: WSSE token needs to be string not bytes\n\n- update to 0.18.1: (bsc#1171998, CVE-2020-11078)\n * explicit build-backend workaround for pip build isolation bug\n * IMPORTANT security vulnerability CWE-93 CRLF injection\n Force %xx quote of space, CR, LF characters in uri.\n * Ship test suite in source dist\n\n- Update to 0.17.1\n * python3: no_proxy was not checked with https\n * feature: Http().redirect_codes set, works after follow(_all)_redirects check\n This allows one line workaround for old gcloud library that uses 308\n response without redirect semantics.\n * IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects\n * proxy: username/password as str compatible with pysocks\n * python2: regression in connect() error handling\n * add support for password protected certificate files\n * feature: Http.close() to clean persistent connections and sensitive data\n\n- Update to 0.14.0:\n * Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError\n\n- version update to 0.13.1\n 0.13.1\n * Python3: Use no_proxy\n https://github.com/httplib2/httplib2/pull/140\n 0.13.0\n * Allow setting TLS max/min versions\n https://github.com/httplib2/httplib2/pull/138\n 0.12.3\n * No changes to library. Distribute py3 wheels.\n 0.12.1\n * Catch socket timeouts and clear dead connection\n https://github.com/httplib2/httplib2/issues/18\n https://github.com/httplib2/httplib2/pull/111\n * Officially support Python 3.7 (package metadata)\n https://github.com/httplib2/httplib2/issues/123\n 0.12.0\n * Drop support for Python 3.3\n * ca_certs from environment HTTPLIB2_CA_CERTS or certifi\n https://github.com/httplib2/httplib2/pull/117\n * PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes required\n https://github.com/httplib2/httplib2/pull/115\n * Revert http:443-\u003ehttps workaround\n https://github.com/httplib2/httplib2/issues/112\n * eliminate connection pool read race\n https://github.com/httplib2/httplib2/pull/110\n * cache: stronger safename\n https://github.com/httplib2/httplib2/pull/101\n 0.11.3\n * No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.\n 0.11.2\n * proxy: py3 NameError basestring\n https://github.com/httplib2/httplib2/pull/100\n 0.11.1\n * Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info\n https://github.com/httplib2/httplib2/pull/97\n 0.11.0\n * Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5\n https://github.com/httplib2/httplib2/pull/91\n * python3 proxy support\n https://github.com/httplib2/httplib2/pull/90\n * If no_proxy environment value ends with comma then proxy is not used\n https://github.com/httplib2/httplib2/issues/11\n * fix UnicodeDecodeError using socks5 proxy\n https://github.com/httplib2/httplib2/pull/64\n * Respect NO_PROXY env var in proxy_info_from_url\n https://github.com/httplib2/httplib2/pull/58\n * NO_PROXY=bar was matching foobar (suffix without dot delimiter)\n New behavior matches curl/wget:\n - no_proxy=foo.bar will only skip proxy for exact hostname match\n - no_proxy=.wild.card will skip proxy for any.subdomains.wild.card\n https://github.com/httplib2/httplib2/issues/94\n * Bugfix for Content-Encoding: deflate\n https://stackoverflow.com/a/22311297\n- deleted patches\n - Removing certifi patch:\n httplib2 started to use certifi and this is already bent to\n use system certificate bundle by another patch\n\nThis update was imported from the SUSE:SLE-15:Update update project.\nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-796",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0796-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0796-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BX6XMG6VSE6RQ4LZXDDXUYZZZ2FYOQM7/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0796-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BX6XMG6VSE6RQ4LZXDDXUYZZZ2FYOQM7/"
},
{
"category": "self",
"summary": "SUSE Bug 1171998",
"url": "https://bugzilla.suse.com/1171998"
},
{
"category": "self",
"summary": "SUSE Bug 1182053",
"url": "https://bugzilla.suse.com/1182053"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11078 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11078/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21240 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21240/"
}
],
"title": "Security update for python-httplib2",
"tracking": {
"current_release_date": "2021-05-26T12:05:23Z",
"generator": {
"date": "2021-05-26T12:05:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0796-1",
"initial_release_date": "2021-05-26T12:05:23Z",
"revision_history": [
{
"date": "2021-05-26T12:05:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-httplib2-0.19.0-bp152.3.3.1.noarch",
"product": {
"name": "python2-httplib2-0.19.0-bp152.3.3.1.noarch",
"product_id": "python2-httplib2-0.19.0-bp152.3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-httplib2-0.19.0-bp152.3.3.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
},
"product_reference": "python2-httplib2-0.19.0-bp152.3.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11078",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11078"
}
],
"notes": [
{
"category": "general",
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11078",
"url": "https://www.suse.com/security/cve/CVE-2020-11078"
},
{
"category": "external",
"summary": "SUSE Bug 1171998 for CVE-2020-11078",
"url": "https://bugzilla.suse.com/1171998"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-26T12:05:23Z",
"details": "moderate"
}
],
"title": "CVE-2020-11078"
},
{
"cve": "CVE-2021-21240",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21240"
}
],
"notes": [
{
"category": "general",
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21240",
"url": "https://www.suse.com/security/cve/CVE-2021-21240"
},
{
"category": "external",
"summary": "SUSE Bug 1182053 for CVE-2021-21240",
"url": "https://bugzilla.suse.com/1182053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP2:python2-httplib2-0.19.0-bp152.3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-05-26T12:05:23Z",
"details": "moderate"
}
],
"title": "CVE-2021-21240"
}
]
}
OPENSUSE-SU-2021:1806-1
Vulnerability from csaf_opensuse - Published: 2021-07-11 12:03 - Updated: 2021-07-11 12:03Summary
Security update for python-httplib2
Severity
Moderate
Notes
Title of the patch: Security update for python-httplib2
Description of the patch: This update for python-httplib2 fixes the following issues:
- Update to version 0.19.0 (bsc#1182053).
- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).
Patchnames: openSUSE-SLE-15.3-2021-1806
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-httplib2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-httplib2 fixes the following issues:\n\n- Update to version 0.19.0 (bsc#1182053).\n- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).\n- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2021-1806",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1806-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:1806-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DTGWJY2VML3YAAFAOOYJAQP5SZ4X6XWG/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:1806-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DTGWJY2VML3YAAFAOOYJAQP5SZ4X6XWG/"
},
{
"category": "self",
"summary": "SUSE Bug 1171998",
"url": "https://bugzilla.suse.com/1171998"
},
{
"category": "self",
"summary": "SUSE Bug 1182053",
"url": "https://bugzilla.suse.com/1182053"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11078 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11078/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21240 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21240/"
}
],
"title": "Security update for python-httplib2",
"tracking": {
"current_release_date": "2021-07-11T12:03:47Z",
"generator": {
"date": "2021-07-11T12:03:47Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:1806-1",
"initial_release_date": "2021-07-11T12:03:47Z",
"revision_history": [
{
"date": "2021-07-11T12:03:47Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-httplib2-0.19.0-3.3.1.noarch",
"product": {
"name": "python2-httplib2-0.19.0-3.3.1.noarch",
"product_id": "python2-httplib2-0.19.0-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-httplib2-0.19.0-3.3.1.noarch",
"product": {
"name": "python3-httplib2-0.19.0-3.3.1.noarch",
"product_id": "python3-httplib2-0.19.0-3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-httplib2-0.19.0-3.3.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch"
},
"product_reference": "python2-httplib2-0.19.0-3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-httplib2-0.19.0-3.3.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
},
"product_reference": "python3-httplib2-0.19.0-3.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11078",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11078"
}
],
"notes": [
{
"category": "general",
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11078",
"url": "https://www.suse.com/security/cve/CVE-2020-11078"
},
{
"category": "external",
"summary": "SUSE Bug 1171998 for CVE-2020-11078",
"url": "https://bugzilla.suse.com/1171998"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:03:47Z",
"details": "moderate"
}
],
"title": "CVE-2020-11078"
},
{
"cve": "CVE-2021-21240",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21240"
}
],
"notes": [
{
"category": "general",
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21240",
"url": "https://www.suse.com/security/cve/CVE-2021-21240"
},
{
"category": "external",
"summary": "SUSE Bug 1182053 for CVE-2021-21240",
"url": "https://bugzilla.suse.com/1182053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:python2-httplib2-0.19.0-3.3.1.noarch",
"openSUSE Leap 15.3:python3-httplib2-0.19.0-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-11T12:03:47Z",
"details": "moderate"
}
],
"title": "CVE-2021-21240"
}
]
}
OPENSUSE-SU-2024:11231-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
python36-httplib2-0.19.1-1.2 on GA media
Severity
Moderate
Notes
Title of the patch: python36-httplib2-0.19.1-1.2 on GA media
Description of the patch: These are all security issues fixed in the python36-httplib2-0.19.1-1.2 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-11231
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python36-httplib2-0.19.1-1.2 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python36-httplib2-0.19.1-1.2 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11231",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11231-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11078 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11078/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21240 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21240/"
}
],
"title": "python36-httplib2-0.19.1-1.2 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11231-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python36-httplib2-0.19.1-1.2.aarch64",
"product": {
"name": "python36-httplib2-0.19.1-1.2.aarch64",
"product_id": "python36-httplib2-0.19.1-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "python38-httplib2-0.19.1-1.2.aarch64",
"product": {
"name": "python38-httplib2-0.19.1-1.2.aarch64",
"product_id": "python38-httplib2-0.19.1-1.2.aarch64"
}
},
{
"category": "product_version",
"name": "python39-httplib2-0.19.1-1.2.aarch64",
"product": {
"name": "python39-httplib2-0.19.1-1.2.aarch64",
"product_id": "python39-httplib2-0.19.1-1.2.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python36-httplib2-0.19.1-1.2.ppc64le",
"product": {
"name": "python36-httplib2-0.19.1-1.2.ppc64le",
"product_id": "python36-httplib2-0.19.1-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "python38-httplib2-0.19.1-1.2.ppc64le",
"product": {
"name": "python38-httplib2-0.19.1-1.2.ppc64le",
"product_id": "python38-httplib2-0.19.1-1.2.ppc64le"
}
},
{
"category": "product_version",
"name": "python39-httplib2-0.19.1-1.2.ppc64le",
"product": {
"name": "python39-httplib2-0.19.1-1.2.ppc64le",
"product_id": "python39-httplib2-0.19.1-1.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python36-httplib2-0.19.1-1.2.s390x",
"product": {
"name": "python36-httplib2-0.19.1-1.2.s390x",
"product_id": "python36-httplib2-0.19.1-1.2.s390x"
}
},
{
"category": "product_version",
"name": "python38-httplib2-0.19.1-1.2.s390x",
"product": {
"name": "python38-httplib2-0.19.1-1.2.s390x",
"product_id": "python38-httplib2-0.19.1-1.2.s390x"
}
},
{
"category": "product_version",
"name": "python39-httplib2-0.19.1-1.2.s390x",
"product": {
"name": "python39-httplib2-0.19.1-1.2.s390x",
"product_id": "python39-httplib2-0.19.1-1.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python36-httplib2-0.19.1-1.2.x86_64",
"product": {
"name": "python36-httplib2-0.19.1-1.2.x86_64",
"product_id": "python36-httplib2-0.19.1-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "python38-httplib2-0.19.1-1.2.x86_64",
"product": {
"name": "python38-httplib2-0.19.1-1.2.x86_64",
"product_id": "python38-httplib2-0.19.1-1.2.x86_64"
}
},
{
"category": "product_version",
"name": "python39-httplib2-0.19.1-1.2.x86_64",
"product": {
"name": "python39-httplib2-0.19.1-1.2.x86_64",
"product_id": "python39-httplib2-0.19.1-1.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python36-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64"
},
"product_reference": "python36-httplib2-0.19.1-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python36-httplib2-0.19.1-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le"
},
"product_reference": "python36-httplib2-0.19.1-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python36-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x"
},
"product_reference": "python36-httplib2-0.19.1-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python36-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64"
},
"product_reference": "python36-httplib2-0.19.1-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64"
},
"product_reference": "python38-httplib2-0.19.1-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-httplib2-0.19.1-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le"
},
"product_reference": "python38-httplib2-0.19.1-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x"
},
"product_reference": "python38-httplib2-0.19.1-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python38-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64"
},
"product_reference": "python38-httplib2-0.19.1-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-httplib2-0.19.1-1.2.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64"
},
"product_reference": "python39-httplib2-0.19.1-1.2.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-httplib2-0.19.1-1.2.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le"
},
"product_reference": "python39-httplib2-0.19.1-1.2.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-httplib2-0.19.1-1.2.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x"
},
"product_reference": "python39-httplib2-0.19.1-1.2.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-httplib2-0.19.1-1.2.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
},
"product_reference": "python39-httplib2-0.19.1-1.2.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11078",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11078"
}
],
"notes": [
{
"category": "general",
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11078",
"url": "https://www.suse.com/security/cve/CVE-2020-11078"
},
{
"category": "external",
"summary": "SUSE Bug 1171998 for CVE-2020-11078",
"url": "https://bugzilla.suse.com/1171998"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11078"
},
{
"cve": "CVE-2021-21240",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21240"
}
],
"notes": [
{
"category": "general",
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21240",
"url": "https://www.suse.com/security/cve/CVE-2021-21240"
},
{
"category": "external",
"summary": "SUSE Bug 1182053 for CVE-2021-21240",
"url": "https://bugzilla.suse.com/1182053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2.x86_64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.aarch64",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.ppc64le",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.s390x",
"openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-21240"
}
]
}
OPENSUSE-SU-2024:14141-1
Vulnerability from csaf_opensuse - Published: 2024-07-12 00:00 - Updated: 2024-07-12 00:00Summary
python310-httplib2-0.22.0-4.5 on GA media
Severity
Moderate
Notes
Title of the patch: python310-httplib2-0.22.0-4.5 on GA media
Description of the patch: These are all security issues fixed in the python310-httplib2-0.22.0-4.5 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14141
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.8 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.5 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-httplib2-0.22.0-4.5 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-httplib2-0.22.0-4.5 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14141",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14141-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-11078 page",
"url": "https://www.suse.com/security/cve/CVE-2020-11078/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21240 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21240/"
}
],
"title": "python310-httplib2-0.22.0-4.5 on GA media",
"tracking": {
"current_release_date": "2024-07-12T00:00:00Z",
"generator": {
"date": "2024-07-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14141-1",
"initial_release_date": "2024-07-12T00:00:00Z",
"revision_history": [
{
"date": "2024-07-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-httplib2-0.22.0-4.5.aarch64",
"product": {
"name": "python310-httplib2-0.22.0-4.5.aarch64",
"product_id": "python310-httplib2-0.22.0-4.5.aarch64"
}
},
{
"category": "product_version",
"name": "python311-httplib2-0.22.0-4.5.aarch64",
"product": {
"name": "python311-httplib2-0.22.0-4.5.aarch64",
"product_id": "python311-httplib2-0.22.0-4.5.aarch64"
}
},
{
"category": "product_version",
"name": "python312-httplib2-0.22.0-4.5.aarch64",
"product": {
"name": "python312-httplib2-0.22.0-4.5.aarch64",
"product_id": "python312-httplib2-0.22.0-4.5.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-httplib2-0.22.0-4.5.ppc64le",
"product": {
"name": "python310-httplib2-0.22.0-4.5.ppc64le",
"product_id": "python310-httplib2-0.22.0-4.5.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-httplib2-0.22.0-4.5.ppc64le",
"product": {
"name": "python311-httplib2-0.22.0-4.5.ppc64le",
"product_id": "python311-httplib2-0.22.0-4.5.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-httplib2-0.22.0-4.5.ppc64le",
"product": {
"name": "python312-httplib2-0.22.0-4.5.ppc64le",
"product_id": "python312-httplib2-0.22.0-4.5.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-httplib2-0.22.0-4.5.s390x",
"product": {
"name": "python310-httplib2-0.22.0-4.5.s390x",
"product_id": "python310-httplib2-0.22.0-4.5.s390x"
}
},
{
"category": "product_version",
"name": "python311-httplib2-0.22.0-4.5.s390x",
"product": {
"name": "python311-httplib2-0.22.0-4.5.s390x",
"product_id": "python311-httplib2-0.22.0-4.5.s390x"
}
},
{
"category": "product_version",
"name": "python312-httplib2-0.22.0-4.5.s390x",
"product": {
"name": "python312-httplib2-0.22.0-4.5.s390x",
"product_id": "python312-httplib2-0.22.0-4.5.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-httplib2-0.22.0-4.5.x86_64",
"product": {
"name": "python310-httplib2-0.22.0-4.5.x86_64",
"product_id": "python310-httplib2-0.22.0-4.5.x86_64"
}
},
{
"category": "product_version",
"name": "python311-httplib2-0.22.0-4.5.x86_64",
"product": {
"name": "python311-httplib2-0.22.0-4.5.x86_64",
"product_id": "python311-httplib2-0.22.0-4.5.x86_64"
}
},
{
"category": "product_version",
"name": "python312-httplib2-0.22.0-4.5.x86_64",
"product": {
"name": "python312-httplib2-0.22.0-4.5.x86_64",
"product_id": "python312-httplib2-0.22.0-4.5.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64"
},
"product_reference": "python310-httplib2-0.22.0-4.5.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le"
},
"product_reference": "python310-httplib2-0.22.0-4.5.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x"
},
"product_reference": "python310-httplib2-0.22.0-4.5.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64"
},
"product_reference": "python310-httplib2-0.22.0-4.5.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64"
},
"product_reference": "python311-httplib2-0.22.0-4.5.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le"
},
"product_reference": "python311-httplib2-0.22.0-4.5.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x"
},
"product_reference": "python311-httplib2-0.22.0-4.5.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64"
},
"product_reference": "python311-httplib2-0.22.0-4.5.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-httplib2-0.22.0-4.5.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64"
},
"product_reference": "python312-httplib2-0.22.0-4.5.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-httplib2-0.22.0-4.5.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le"
},
"product_reference": "python312-httplib2-0.22.0-4.5.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-httplib2-0.22.0-4.5.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x"
},
"product_reference": "python312-httplib2-0.22.0-4.5.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-httplib2-0.22.0-4.5.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
},
"product_reference": "python312-httplib2-0.22.0-4.5.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11078",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-11078"
}
],
"notes": [
{
"category": "general",
"text": "In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-11078",
"url": "https://www.suse.com/security/cve/CVE-2020-11078"
},
{
"category": "external",
"summary": "SUSE Bug 1171998 for CVE-2020-11078",
"url": "https://bugzilla.suse.com/1171998"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-12T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-11078"
},
{
"cve": "CVE-2021-21240",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21240"
}
],
"notes": [
{
"category": "general",
"text": "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21240",
"url": "https://www.suse.com/security/cve/CVE-2021-21240"
},
{
"category": "external",
"summary": "SUSE Bug 1182053 for CVE-2021-21240",
"url": "https://bugzilla.suse.com/1182053"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python310-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python311-httplib2-0.22.0-4.5.x86_64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.aarch64",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.ppc64le",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.s390x",
"openSUSE Tumbleweed:python312-httplib2-0.22.0-4.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-12T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2021-21240"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…