[Buildroot] [PATCH 1/2] package/python-httplib2: security bump to version 0.19.1
Peter Korsgaard
peter at korsgaard.com
Sun Apr 25 06:51:05 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - Fix CVE-2021-21240: httplib2 is a comprehensive HTTP client library
> for Python. In httplib2 before version 0.19.0, a malicious server
> which responds with long series of "\xa0" characters in the
> "www-authenticate" header may cause Denial of Service (CPU burn while
> parsing header) of the httplib2 client accessing said server. This is
> fixed in version 0.19.0 which contains a new implementation of auth
> headers parsing using the pyparsing library.
> - Fix CVE-2020-11078: In httplib2 before version 0.18.0, an attacker
> controlling unescaped part of uri for `httplib2.Http.request()` could
> change request headers and body, send additional hidden requests to
> same server. This vulnerability impacts software that uses httplib2
> with uri constructed by string concatenation, as opposed to proper
> urllib building with escaping. This has been fixed in 0.18.0.
> - Use LICENSE file instead of PKG-INFO
> - pyparsing is a runtime dependency since version 0.19.0 and
> https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
> https://github.com/httplib2/httplib2/blob/v0.19.1/CHANGELOG
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2021.02.x, thanks.
--
Bye, Peter Korsgaard
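The string-concatenation pattern that the CVE-2020-11078 description warns about, placed next to escaped URI construction with urllib, as an added example; this is not Buildroot or httplib2 code, and the base URL, inputs and the `has_control_chars` check are constructed for illustration.

```python
"""Assumed defensive helper (not httplib2 code): build request URIs from untrusted parts."""
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Constructed sample inputs: untrusted values carrying CR/LF, the kind of
# unescaped data that the concatenation pattern passes straight into the URI.
BASE = "https://example.invalid/api"
UNTRUSTED_SEGMENT = "report\r\nextra"
UNTRUSTED_QUERY = {"q": "a b\r\nc"}


def naive_uri(base: str, segment: str, query: dict) -> str:
    """The pattern the advisory describes: plain string concatenation, no escaping."""
    qs = "&".join(f"{k}={v}" for k, v in query.items())
    return f"{base}/{segment}?{qs}"


def safe_uri(base: str, segment: str, query: dict) -> str:
    """Percent-encode each untrusted part with urllib before assembling the URI."""
    parts = urlsplit(base)
    path = parts.path.rstrip("/") + "/" + quote(segment, safe="")
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def has_control_chars(uri: str) -> bool:
    """Defence in depth: flag any URI still carrying CR, LF or other control bytes."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri)


if __name__ == "__main__":
    for builder in (naive_uri, safe_uri):
        uri = builder(BASE, UNTRUSTED_SEGMENT, UNTRUSTED_QUERY)
        print(f"{builder.__name__}: {uri!r} control_chars={has_control_chars(uri)}")
```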