SUSE-SU-2021:1807-1: moderate: Security update for python-httplib2
sle-security-updates at lists.suse.com
Mon May 31 19:27:12 UTC 2021
SUSE Security Update: Security update for python-httplib2
Announcement ID: SUSE-SU-2021:1807-1
References: #1171998 #1182053
Cross-References: CVE-2020-11078 CVE-2021-21240
CVE-2020-11078 (NVD) : 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2020-11078 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE-2021-21240 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-21240 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Module for Public Cloud 12
An update that fixes two vulnerabilities is now available.
This update for python-httplib2 contains the following fixes:
Security fixes included in this update:
- CVE-2021-21240: Fixed a regular expression denial of service via
malicious header (bsc#1182053).
- CVE-2020-11078: Fixed an issue where an attacker could change request
headers and body (bsc#1171998).
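The CVE-2020-11078 entry above is a CWE-93 CRLF injection: an unquoted CR/LF in the request URI ends the request line early, so whoever controls part of the URI (a query value, a path segment) can append headers of their own. The following is an added example written for this advisory, not httplib2's code; `build_request`, `parse_request` and the constructed `EVIL_URI` are illustrative names, and `quote_uri` applies the same rule the 0.18.1 changelog describes (force %xx quoting of space, CR and LF in the URI) rather than reproducing the library's implementation:

```python
# Added example (not httplib2's code): shows how an unquoted CR/LF in the
# request URI splits the request line so a caller-controlled URI can inject
# headers, and the %xx quoting of space, CR and LF that closes that hole.

_FORCE_QUOTE = {" ": "%20", "\r": "%0D", "\n": "%0A"}


def quote_uri(uri: str) -> str:
    """Percent-encode space, CR and LF in a URI; everything else is kept.

    Any %xx already present is left alone, so quoting twice is harmless.
    """
    return "".join(_FORCE_QUOTE.get(ch, ch) for ch in uri)


def build_request(method: str, uri: str, headers: dict, body: bytes = b"",
                  quote: bool = True) -> bytes:
    """Serialise a minimal HTTP/1.1 request head plus body.

    quote=False reproduces the pre-fix behaviour: the URI is written into
    the request line verbatim, CR/LF included.
    """
    target = quote_uri(uri) if quote else uri
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_request(raw: bytes) -> tuple:
    """Split a serialised request the way a naive server does.

    Returns (request_line, headers, body). Header names are lower-cased and
    a repeated name keeps the last value, which is what makes an injected
    Host or Content-Length header dangerous on the receiving side.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def injected_header_names(method: str, uri: str, headers: dict,
                          quote: bool) -> set:
    """Names of headers the server would see that the caller never set,
    i.e. headers smuggled in through the URI."""
    _line, seen, _body = parse_request(
        build_request(method, uri, headers, quote=quote))
    return set(seen) - {name.lower() for name in headers}


# Constructed attacker-controlled input for this example: a query value that
# carries CR/LF and a forged header. Sample data, not a captured request.
EVIL_URI = "/search?q=x\r\nX-Injected: 1\r\nHost: attacker.invalid"
BASE_HEADERS = {"Host": "example.com", "User-Agent": "httplib2-demo"}


if __name__ == "__main__":
    for quote in (False, True):
        line, hdrs, _ = parse_request(
            build_request("GET", EVIL_URI, BASE_HEADERS, quote=quote))
        print("quote=%s request line: %r" % (quote, line))
        print("  injected headers:",
              sorted(injected_header_names("GET", EVIL_URI, BASE_HEADERS, quote)))
```

With `quote=False` the server-side parse reports `x-injected` as a header the caller never supplied and the request line loses its `HTTP/1.1` suffix; with quoting on, the whole hostile string stays inside the request target. Note that quoting only protects the URI: header values passed by the caller still need their own CR/LF check.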
Non-security fixes included in this update:
- Update in SLE to 0.19.0 (bsc#1182053, CVE-2021-21240)
- update to 0.19.0:
* auth: parse headers using pyparsing instead of regexp
* auth: WSSE token needs to be string not bytes
- update to 0.18.1: (bsc#1171998, CVE-2020-11078)
* explicit build-backend workaround for pip build isolation bug
* IMPORTANT security vulnerability CWE-93 CRLF injection Force %xx quote
of space, CR, LF characters in uri.
* Ship test suite in source dist
- update to 0.17.3:
- Update to 0.17.1
* python3: no_proxy was not checked with https
* feature: Http().redirect_codes set, works after follow(_all)_redirects
check. This allows one line workaround for old gcloud library that uses
308 response without redirect semantics.
* IMPORTANT cache invalidation change, fix 307 keep method, add 308
* proxy: username/password as str compatible with pysocks
* python2: regression in connect() error handling
* add support for password protected certificate files
* feature: Http.close() to clean persistent connections and sensitive
- Update to 0.14.0:
* Python3: PROXY_TYPE_SOCKS5 with str user/pass raised TypeError
- version update to 0.13.1:
* Python3: Use no_proxy https://github.com/httplib2/httplib2/pull/140
* Allow setting TLS max/min versions
* No changes to library. Distribute py3 wheels.
- Update to 0.12.1:
* Catch socket timeouts and clear dead connection
* Officially support Python 3.7 (package metadata)
* Drop support for Python 3.3
* ca_certs from environment HTTPLIB2_CA_CERTS or certifi
* PROXY_TYPE_HTTP with non-empty user/pass raised TypeError: bytes
* Revert http:443->https workaround
* eliminate connection pool read race
* cache: stronger safename
* No changes, just reupload of 0.11.2 after fixing automatic release
conditions in Travis.
- Update to 0.11.2:
* proxy: py3 NameError basestring
* Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
* Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
* python3 proxy support https://github.com/httplib2/httplib2/pull/90
* If no_proxy environment value ends with comma then proxy is not used
* fix UnicodeDecodeError using socks5 proxy
* Respect NO_PROXY env var in proxy_info_from_url
* NO_PROXY=bar was matching foobar (suffix without dot delimiter). New
behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
* Bugfix for Content-Encoding: deflate
- deleted patches: httplib2 started to use certifi, and that is already bent
to use the system certificate bundle.
- handle the case when validation is disabled correctly. The
'check_hostname' context attribute has to be set first, otherwise a
"ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is
enabled." exception is raised.
- handle the case with ssl_version being None correctly
- Use ssl.create_default_context in the python2 case so that the system
wide certificates are loaded as trusted again.
- Source url must be https.
- Spec file cleanups
- Update to 0.10.3
* Fix certificate validation on Python<=2.7.8 without
- Update to 0.10.2
* Just a reupload of 0.10.1, which was broken for Python3 because wheel
distribution doesn't play well with our 2/3 split code base.
- Update to 0.10.1
* Remove VeriSign Class 3 CA from trusted certs
* Add IdenTrust DST Root CA X3
* Support for specifying the SSL protocol version (Python v2)
* On App Engine use urlfetch's default deadline if None is passed.
* Fix TypeError on AppEngine: __init__() got an unexpected keyword
* Send SNI data for SSL connections on Python 2.7.9+
* Verify the server hostname if certificate validation is enabled
* Add proxy_headers argument to ProxyInfo constructor
* Make disable_ssl_certificate_validation work with Python 3.5.
* Fix socket error handling
- Remove httplib2-bnc-818100.patch, merged upstream.
- Project moved from code.google.com to GitHub, fix the url accordingly
- attempt to build multi-python
- update and cleanup of httplib2-use-system-certs.patch, so that the
passthrough is clean for python2 and so that it does the right thing in
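The 0.19.0 entry "auth: parse headers using pyparsing instead of regexp" is the fix for CVE-2021-21240: a backtracking regular expression over an attacker-supplied WWW-Authenticate header could be driven super-linear. The example below is added for this advisory and is not httplib2's pyparsing grammar; it is a hand-written single-pass scanner for one RFC 7235 challenge (`scheme` followed by `token "=" (token / quoted-string)` pairs) that shows the property the fix restores: every character is visited at most once, so a hostile header costs time proportional to its length, and malformed input is rejected with ValueError instead of being retried. `ChallengeParser`, `parse_challenge`, the 8192-byte cap and `hostile_header` are names and choices made for this example:

```python
# Added example (not httplib2's code): a linear-time parser for one
# WWW-Authenticate challenge, written to show why replacing a backtracking
# regexp with a real tokenizer removes the ReDoS class of bug.

TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
WS = frozenset(" \t")


class ChallengeParser:
    """Single-pass scanner; self.i only ever moves forward."""

    def __init__(self, text: str):
        self.s = text
        self.i = 0
        self.n = len(text)

    def _skip_ws(self) -> None:
        while self.i < self.n and self.s[self.i] in WS:
            self.i += 1

    def _token(self) -> str:
        start = self.i
        while self.i < self.n and self.s[self.i] in TCHAR:
            self.i += 1
        if start == self.i:
            raise ValueError("expected token at offset %d" % start)
        return self.s[start:self.i]

    def _quoted_string(self) -> str:
        # Entered with self.s[self.i] == '"'; handles quoted-pair escapes.
        self.i += 1
        out = []
        while self.i < self.n:
            c = self.s[self.i]
            if c == "\\" and self.i + 1 < self.n:
                out.append(self.s[self.i + 1])
                self.i += 2
            elif c == '"':
                self.i += 1
                return "".join(out)
            else:
                out.append(c)
                self.i += 1
        raise ValueError("unterminated quoted-string")

    def parse(self) -> tuple:
        """Return (scheme, {param_name: value}) or raise ValueError."""
        self._skip_ws()
        scheme = self._token()
        params = {}
        while True:
            self._skip_ws()
            if self.i >= self.n:
                return scheme, params
            name = self._token().lower()
            self._skip_ws()
            if self.i >= self.n or self.s[self.i] != "=":
                raise ValueError("expected '=' after %r" % name)
            self.i += 1
            self._skip_ws()
            if self.i < self.n and self.s[self.i] == '"':
                value = self._quoted_string()
            else:
                value = self._token()
            if name in params:
                raise ValueError("duplicate auth-param %r" % name)
            params[name] = value
            self._skip_ws()
            if self.i < self.n:
                if self.s[self.i] != ",":
                    raise ValueError("expected ',' at offset %d" % self.i)
                self.i += 1


def parse_challenge(header: str, max_len: int = 8192) -> tuple:
    """Parse one challenge; refuse oversized headers before scanning.

    The cap is a defence-in-depth choice for this example: even a linear
    parser should not be asked to chew on megabytes of header."""
    if len(header) > max_len:
        raise ValueError("header longer than %d bytes" % max_len)
    return ChallengeParser(header).parse()


def hostile_header(n: int) -> str:
    """Constructed input: a realm value that is opened but never closed,
    followed by n backslashes. Patterns like this are the usual trigger for
    catastrophic backtracking in regexps with nested optional groups; the
    scanner walks it once and raises."""
    return 'Digest realm="' + "\\" * n


if __name__ == "__main__":
    print(parse_challenge('Digest realm="test@example.com", qop="auth,auth-int", '
                          'nonce="abc", algorithm=MD5'))
    try:
        parse_challenge(hostile_header(100000 // 16))
    except ValueError as exc:
        print("rejected:", exc)
```

Multiple comma-separated challenges on one line are deliberately out of scope here (the comma is ambiguous with the parameter separator); a caller that needs them should split on scheme boundaries first rather than loosen this grammar.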
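Two of the proxy items in the changelog above are about NO_PROXY matching: "If no_proxy environment value ends with comma then proxy is not used" and "NO_PROXY=bar was matching foobar (suffix without dot delimiter)", with the new curl/wget-style rules spelled out beneath it. Both are proxy-bypass bugs, which matters wherever the proxy is also the egress control or inspection point. The example below is added for this advisory and is not httplib2's code: `bypass_proxy_buggy` reconstructs the two faulty behaviours from the changelog wording, `bypass_proxy` implements the rules as the changelog states them. Whether a dotted entry such as `.wild.card` should also cover the bare `wild.card` is not stated on this page, so this example does not match it; ignoring a trailing FQDN dot on the host is likewise an assumption of the example.

```python
# Added example (not httplib2's code): NO_PROXY matching, the buggy form
# reconstructed from the changelog next to the curl/wget-style rules that
# replaced it.

def parse_no_proxy(value: str) -> list:
    """Split NO_PROXY on commas, trim whitespace, drop empty entries.

    Dropping empties is the fix for "value ends with comma => proxy never
    used": an empty suffix matches every hostname.
    """
    return [entry.strip().lower()
            for entry in value.split(",") if entry.strip()]


def bypass_proxy_buggy(host: str, no_proxy: str) -> bool:
    """Pre-fix behaviour as described in the changelog: plain suffix match
    with no dot boundary and no filtering of empty entries."""
    host = host.lower()
    return any(host.endswith(entry.strip().lower())
               for entry in no_proxy.split(","))


def bypass_proxy(host: str, no_proxy: str) -> bool:
    """curl/wget-style rules from the changelog:
      foo.bar     skips the proxy only for the exact hostname foo.bar
      .wild.card  skips the proxy for any.subdomains.wild.card
    Comparison is case-insensitive; a trailing dot on the host (FQDN form)
    is ignored (assumption made for this example).
    """
    host = host.lower().rstrip(".")
    for entry in parse_no_proxy(no_proxy):
        if entry.startswith("."):
            if host.endswith(entry):      # dot-anchored suffix match
                return True
        elif host == entry:               # exact hostname match
            return True
    return False


# Constructed cases for this example, one per changelog item.
CASES = [
    ("foobar", "bar"),                          # suffix without dot delimiter
    ("evil.example", "foo.bar,"),               # trailing comma
    ("foo.bar", "foo.bar"),                     # exact match
    ("any.subdomains.wild.card", ".wild.card"), # subdomain wildcard
]

if __name__ == "__main__":
    for host, no_proxy in CASES:
        print("%-28s NO_PROXY=%-12s buggy=%-5s fixed=%s" % (
            host, no_proxy, bypass_proxy_buggy(host, no_proxy),
            bypass_proxy(host, no_proxy)))
```

The first two cases are the ones worth checking in any client you deploy behind a mandatory proxy: with the old logic, `NO_PROXY=bar` lets `foobar` bypass the proxy and a stray trailing comma disables proxying for every host.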
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1807=1
- SUSE Linux Enterprise Module for Public Cloud 12:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-1807=1
- SUSE OpenStack Cloud 7 (noarch):
- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):