python36-httplib2-0.19.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11231 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python36-httplib2-0.19.1-1.2 on GA media These are all security issues fixed in the python36-httplib2-0.19.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11231 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11231 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-11078/ SUSE CVE CVE-2020-11078 page https://www.suse.com/security/cve/CVE-2021-21240/ SUSE CVE CVE-2021-21240 page openSUSE Tumbleweed python36-httplib2-0.19.1-1.2 python38-httplib2-0.19.1-1.2 python39-httplib2-0.19.1-1.2 python36-httplib2-0.19.1-1.2 as a component of openSUSE Tumbleweed python38-httplib2-0.19.1-1.2 as a component of openSUSE Tumbleweed python39-httplib2-0.19.1-1.2 as a component of openSUSE Tumbleweed In httplib2 before version 0.18.0, an attacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server. This vulnerability impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping. This has been fixed in 0.18.0. CVE-2020-11078 openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2 openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2 openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-11078.html CVE-2020-11078 https://bugzilla.suse.com/1171998 SUSE Bug 1171998 httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library. CVE-2021-21240 openSUSE Tumbleweed:python36-httplib2-0.19.1-1.2 openSUSE Tumbleweed:python38-httplib2-0.19.1-1.2 openSUSE Tumbleweed:python39-httplib2-0.19.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-21240.html CVE-2021-21240 https://bugzilla.suse.com/1182053 SUSE Bug 1182053