SUSE: 2020:1792-1 moderate: python3-requests
SUSE: 2020:1792-1 moderate: python3-requests
An update that solves two vulnerabilities and has 10 fixes is now available.
SUSE Security Update: Security update for python3-requests ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1792-1 Rating: moderate References: #1054413 #1073879 #1111622 #1122668 #761500 #922448 #929736 #935252 #945455 #947357 #961596 #967128 Cross-References: CVE-2015-2296 CVE-2018-18074 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Manager Server 3.2 SUSE Manager Proxy 3.2 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Module for Public Cloud 12 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves two vulnerabilities and has 10 fixes is now available. Description: This update for python3-requests provides the following fix: python-requests was updated to 2.20.1. Update to version 2.20.1: * Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443). Update to version 2.20.0: * Bugfixes + Content-Type header parsing is now case-insensitive (e.g. charset=utf8 v Charset=utf8). + Fixed exception leak where certain redirect urls would raise uncaught urllib3 exceptions. + Requests removes Authorization header from requests redirected from https to http on the same hostname. (CVE-2018-18074) + should_bypass_proxies now handles URIs without hostnames (e.g. files). Update to version 2.19.1: * Fixed issue where status_codes.py’s init function failed trying to append to a __doc__ value of None. Update to version 2.19.0: * Improvements + Warn about possible slowdown with cryptography version < 1.3.4 + Check host in proxy URL, before forwarding request to adapter. + Maintain fragments properly across redirects. (RFC7231 7.1.2) + Removed use of cgi module to expedite library load time. + Added support for SHA-256 and SHA-512 digest auth algorithms. + Minor performance improvement to Request.content. * Bugfixes + Parsing empty Link headers with parse_header_links() no longer return one bogus entry. + Fixed issue where loading the default certificate bundle from a zip archive would raise an IOError. + Fixed issue with unexpected ImportError on windows system which do not support winreg module. + DNS resolution in proxy bypass no longer includes the username and password in the request. This also fixes the issue of DNS queries failing on macOS. + Properly normalize adapter prefixes for url comparison. + Passing None as a file pointer to the files param no longer raises an exception. + Calling copy on a RequestsCookieJar will now preserve the cookie policy correctly. Update to version 2.18.4: * Improvements + Error messages for invalid headers now include the header name for easier debugging Update to version 2.18.3: * Improvements + Running $ python -m requests.help now includes the installed version of idna. * Bugfixes + Fixed issue where Requests would raise ConnectionError instead of SSLError when encountering SSL problems when using urllib3 v1.22. - Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https connections will fail. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1792=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1792=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1792=1 - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1792=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1792=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1792=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1792=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1792=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1792=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1792=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1792=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1792=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1792=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1792=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1792=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1792=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1792=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE OpenStack Cloud 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE OpenStack Cloud 7 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Manager Server 3.2 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Manager Proxy 3.2 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): python-chardet-3.0.4-5.6.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-urllib3-1.22-3.20.1 - SUSE Enterprise Storage 5 (noarch): python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - HPE Helion Openstack 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 References: https://www.suse.com/security/cve/CVE-2015-2296.html https://www.suse.com/security/cve/CVE-2018-18074.html https://bugzilla.suse.com/1054413 https://bugzilla.suse.com/1073879 https://bugzilla.suse.com/1111622 https://bugzilla.suse.com/1122668 https://bugzilla.suse.com/761500 https://bugzilla.suse.com/922448 https://bugzilla.suse.com/929736 https://bugzilla.suse.com/935252 https://bugzilla.suse.com/945455 https://bugzilla.suse.com/947357 https://bugzilla.suse.com/961596 https://bugzilla.suse.com/967128