[Buildroot] [git commit branch/2021.02.x] package/python-httplib2: security bump to version 0.19.1

Peter Korsgaard peter at korsgaard.com
Sun Apr 25 06:50:38 UTC 2021


commit: https://git.buildroot.net/buildroot/commit/?id=6c0c05d6d53f821aadc66c02a0de707749da26d0
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.02.x

- Fix CVE-2021-21240: httplib2 is a comprehensive HTTP client library
  for Python. In httplib2 before version 0.19.0, a malicious server
  which responds with long series of "\xa0" characters in the
  "www-authenticate" header may cause Denial of Service (CPU burn while
  parsing header) of the httplib2 client accessing said server. This is
  fixed in version 0.19.0 which contains a new implementation of auth
  headers parsing using the pyparsing library.
- Fix CVE-2020-11078: In httplib2 before version 0.18.0, an attacker
  controlling unescaped part of uri for `httplib2.Http.request()` could
  change request headers and body, send additional hidden requests to
  same server. This vulnerability impacts software that uses httplib2
  with uri constructed by string concatenation, as opposed to proper
  urllib building with escaping. This has been fixed in 0.18.0.
- Use LICENSE file instead of PKG-INFO
- pyparsing is a runtime dependency since version 0.19.0 and
  https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc

https://github.com/httplib2/httplib2/blob/v0.19.1/CHANGELOG

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit 2050b4869dc14002ab15df8c9ffbf03105143566)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/python-httplib2/Config.in            | 1 +
 package/python-httplib2/python-httplib2.hash | 8 ++++----
 package/python-httplib2/python-httplib2.mk   | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/package/python-httplib2/Config.in b/package/python-httplib2/Config.in
index e42f5132b7..39671f2386 100644
--- a/package/python-httplib2/Config.in
+++ b/package/python-httplib2/Config.in
@@ -4,6 +4,7 @@ config BR2_PACKAGE_PYTHON_HTTPLIB2
 	select BR2_PACKAGE_PYTHON_SSL if BR2_PACKAGE_PYTHON
 	select BR2_PACKAGE_PYTHON3_ZLIB if BR2_PACKAGE_PYTHON3
 	select BR2_PACKAGE_PYTHON3_SSL if BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_PYTHON_PYPARSING # runtime
 	help
 	  httplib2 is a comprehensive HTTP client library, httplib2.py
 	  supports many features left out of other HTTP libraries.
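Review bot: The added `select BR2_PACKAGE_PYTHON_PYPARSING # runtime` is unconditional, while the neighbouring ssl/zlib selects are each guarded with `if BR2_PACKAGE_PYTHON` or `if BR2_PACKAGE_PYTHON3`; if the python-pyparsing Config.in carries an interpreter-specific `depends on`, Kconfig would report an unmet direct dependency for one of the two interpreters, so this is worth confirming against package/python-pyparsing/Config.in in the 2021.02.x branch. The select is load-bearing for the security fix rather than an ordinary convenience dependency: the commit message states that the CVE-2021-21240 fix is a new auth-header parser built on pyparsing, so a missing runtime dependency would presumably surface as an import failure rather than a silent fallback to the vulnerable parser. A short comment next to the select, e.g. `# runtime: auth header parser (CVE-2021-21240 fix)`, would record why the dependency appeared in a security bump. The enclosing `config BR2_PACKAGE_PYTHON_HTTPLIB2` entry starts outside the hunk.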
diff --git a/package/python-httplib2/python-httplib2.hash b/package/python-httplib2/python-httplib2.hash
index c272d8517c..2c5914c5f6 100644
--- a/package/python-httplib2/python-httplib2.hash
+++ b/package/python-httplib2/python-httplib2.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/httplib2/json
-md5  4c05b09eb6f6c20a31ca488c7a87dda9  httplib2-0.17.2.tar.gz
-sha256  eb7a6b137ae31e61c5f429083c5bebb71fe5fd1958e7f3d5c39b21b11cd4b290  httplib2-0.17.2.tar.gz
-# Locally computer sha256 checksums
-sha256  4205f0d88e04380ba13b9c60e2f85771196b66ee84bf48971d30d82a78e84c3f  PKG-INFO
+md5  de7f5e3a4adb3105889867327bdd39dc  httplib2-0.19.1.tar.gz
+sha256  0b12617eeca7433d4c396a100eaecfa4b08ee99aa881e6df6e257a7aad5d533d  httplib2-0.19.1.tar.gz
+# Locally computed sha256 checksums
+sha256  589eec38f72df2be203711d3b8cbece9b908c5e7ff00bc3cab7f63bae9e366b4  LICENSE
diff --git a/package/python-httplib2/python-httplib2.mk b/package/python-httplib2/python-httplib2.mk
index fbdb6d83c4..7b9b400241 100644
--- a/package/python-httplib2/python-httplib2.mk
+++ b/package/python-httplib2/python-httplib2.mk
@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-PYTHON_HTTPLIB2_VERSION = 0.17.2
+PYTHON_HTTPLIB2_VERSION = 0.19.1
 PYTHON_HTTPLIB2_SOURCE = httplib2-$(PYTHON_HTTPLIB2_VERSION).tar.gz
-PYTHON_HTTPLIB2_SITE = https://files.pythonhosted.org/packages/1b/f0/a35a448afea308aeb6a1430dbcfb46f4cef11360cbc18f22af6e567bb847
+PYTHON_HTTPLIB2_SITE = https://files.pythonhosted.org/packages/ed/cd/533a1e9e04671bcee5d2854b4f651a3fab9586d698de769d93b05ee2bff1
 PYTHON_HTTPLIB2_SETUP_TYPE = setuptools
 PYTHON_HTTPLIB2_LICENSE = MIT
-PYTHON_HTTPLIB2_LICENSE_FILES = PKG-INFO
+PYTHON_HTTPLIB2_LICENSE_FILES = LICENSE
 
 $(eval $(python-package))

