python-Scrapy-doc-2.5.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11558-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python-Scrapy-doc-2.5.1-1.1 on GA media These are all security issues fixed in the python-Scrapy-doc-2.5.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11558 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-41125/ SUSE CVE CVE-2021-41125 page openSUSE Tumbleweed python-Scrapy-doc-2.5.1-1.1 python38-Scrapy-2.5.1-1.1 python39-Scrapy-2.5.1-1.1 python-Scrapy-doc-2.5.1-1.1 as a component of openSUSE Tumbleweed python38-Scrapy-2.5.1-1.1 as a component of openSUSE Tumbleweed python39-Scrapy-2.5.1-1.1 as a component of openSUSE Tumbleweed Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`. CVE-2021-41125 openSUSE Tumbleweed:python-Scrapy-doc-2.5.1-1.1 openSUSE Tumbleweed:python38-Scrapy-2.5.1-1.1 openSUSE Tumbleweed:python39-Scrapy-2.5.1-1.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41125.html CVE-2021-41125 https://bugzilla.suse.com/1191446 SUSE Bug 1191446