SUSE: 2020:1792-1 moderate: python3-requests

    Date 26 Jun 2020
    Posted By LinuxSecurity Advisories
    An update that solves two vulnerabilities and has 10 fixes is now available.
    
       SUSE Security Update: Security update for python3-requests
    ______________________________________________________________________________
    
    Announcement ID:    SUSE-SU-2020:1792-1
    Rating:             moderate
    References:         #1054413 #1073879 #1111622 #1122668 #761500 
                        #922448 #929736 #935252 #945455 #947357 #961596 
                        #967128 
    Cross-References:   CVE-2015-2296 CVE-2018-18074
    Affected Products:
                        SUSE OpenStack Cloud Crowbar 8
                        SUSE OpenStack Cloud 8
                        SUSE OpenStack Cloud 7
                        SUSE Manager Server 3.2
                        SUSE Manager Proxy 3.2
                        SUSE Linux Enterprise Workstation Extension 12-SP5
                        SUSE Linux Enterprise Software Development Kit 12-SP5
                        SUSE Linux Enterprise Server for SAP 12-SP3
                        SUSE Linux Enterprise Server for SAP 12-SP2
                        SUSE Linux Enterprise Server 12-SP5
                        SUSE Linux Enterprise Server 12-SP4
                        SUSE Linux Enterprise Server 12-SP3-LTSS
                        SUSE Linux Enterprise Server 12-SP3-BCL
                        SUSE Linux Enterprise Server 12-SP2-LTSS
                        SUSE Linux Enterprise Server 12-SP2-BCL
                        SUSE Linux Enterprise Module for Public Cloud 12
                        SUSE Enterprise Storage 5
                        HPE Helion Openstack 8
    ______________________________________________________________________________
    
       An update that solves two vulnerabilities and has 10 fixes
       is now available.
    
    Description:
    
       This update for python3-requests provides the following fix:
    
       python-requests was updated to 2.20.1.
    
       Update to version 2.20.1:
    
       * Fixed bug with unintended Authorization header stripping for redirects
         using default ports (http/80, https/443).
    
       Update to version 2.20.0:
    
       * Bugfixes
    
         + Content-Type header parsing is now case-insensitive (e.g. charset=utf8
           vs. Charset=utf8).
         + Fixed exception leak where certain redirect urls would raise uncaught
           urllib3 exceptions.
         + Requests removes Authorization header from requests redirected from
           https to http on the same hostname. (CVE-2018-18074)
         + should_bypass_proxies now handles URIs without hostnames (e.g. files).
    
       Update to version 2.19.1:
    
       * Fixed issue where status_codes.py’s init function failed trying to
         append to a __doc__ value of None.
    
       Update to version 2.19.0:
    
       * Improvements
    
         + Warn about possible slowdown with cryptography version < 1.3.4
         + Check host in proxy URL, before forwarding request to adapter.
         + Maintain fragments properly across redirects. (RFC7231 7.1.2)
         + Removed use of cgi module to expedite library load time.
         + Added support for SHA-256 and SHA-512 digest auth algorithms.
         + Minor performance improvement to Request.content.
    
       * Bugfixes
    
         + Parsing empty Link headers with parse_header_links() no longer returns
           one bogus entry.
         + Fixed issue where loading the default certificate bundle from a zip
           archive would raise an IOError.
         + Fixed issue with unexpected ImportError on Windows systems which do not
           support the winreg module.
         + DNS resolution in proxy bypass no longer includes the username and
           password in the request. This also fixes the issue of DNS queries
           failing on macOS.
         + Properly normalize adapter prefixes for url comparison.
         + Passing None as a file pointer to the files param no longer raises an
           exception.
         + Calling copy on a RequestsCookieJar will now preserve the cookie
           policy correctly.
    
       Update to version 2.18.4:
    
       * Improvements
    
         + Error messages for invalid headers now include the header name for
           easier debugging
    
       Update to version 2.18.3:
    
       * Improvements
         + Running $ python -m requests.help now includes the installed version
           of idna.
       * Bugfixes
         + Fixed issue where Requests would raise ConnectionError instead
           of SSLError when encountering SSL problems when using urllib3 v1.22.
    
       - Add ca-certificates (and ca-certificates-mozilla) to dependencies,
         otherwise https connections will fail.
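
The 2.20.0 and 2.20.1 entries above both concern when the Authorization header is dropped on a redirect. The model below is an example added here, not code from this advisory or from the requests project, and it compares three checks: hostname only, scheme plus literal port, and scheme plus effective port. Assumptions: the function names and the example.test hosts are hypothetical, and any scheme change is treated as a change of origin.

```python
# Illustrative model of the redirect check; not code from requests itself.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url, normalize_port):
    """Return (scheme, host, port), optionally filling in the default port."""
    parts = urlsplit(url)
    port = parts.port
    if normalize_port and port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def strip_hostname_only(old_url, new_url):
    """Hostname-only comparison: misses the https -> http downgrade."""
    return urlsplit(old_url).hostname != urlsplit(new_url).hostname


def strip_raw_origin(old_url, new_url):
    """Also compare scheme and literal port; ':443' and no port look different."""
    return _origin(old_url, False) != _origin(new_url, False)


def strip_normalized_origin(old_url, new_url):
    """Compare scheme and effective port, so default ports match when omitted."""
    return _origin(old_url, True) != _origin(new_url, True)


# Constructed redirect pairs on a hypothetical host.
CASES = {
    "downgrade": ("https://api.example.test/v1", "http://api.example.test/v1"),
    "default_port": ("https://api.example.test/v1", "https://api.example.test:443/v1"),
    "other_host": ("https://api.example.test/v1", "https://cdn.example.test/v1"),
    "same_origin": ("https://api.example.test/v1", "https://api.example.test/v2"),
}


def evaluate(check):
    """Map each case to True when the check would drop Authorization."""
    return {name: check(old, new) for name, (old, new) in CASES.items()}


if __name__ == "__main__":
    for check in (strip_hostname_only, strip_raw_origin, strip_normalized_origin):
        print(check.__name__, evaluate(check))
```

Only the normalized check both drops the header on the downgrade and keeps it when the redirect merely spells out the default port.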
    
    
    Patch Instructions:
    
       To install this SUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - SUSE OpenStack Cloud Crowbar 8:
    
          zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1792=1
    
       - SUSE OpenStack Cloud 8:
    
          zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1792=1
    
       - SUSE OpenStack Cloud 7:
    
          zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1792=1
    
       - SUSE Manager Server 3.2:
    
          zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1792=1
    
       - SUSE Manager Proxy 3.2:
    
          zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1792=1
    
       - SUSE Linux Enterprise Workstation Extension 12-SP5:
    
          zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1792=1
    
       - SUSE Linux Enterprise Software Development Kit 12-SP5:
    
          zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1792=1
    
       - SUSE Linux Enterprise Server for SAP 12-SP3:
    
          zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1792=1
    
       - SUSE Linux Enterprise Server for SAP 12-SP2:
    
          zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP5:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP4:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP3-LTSS:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP3-BCL:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP2-LTSS:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1792=1
    
       - SUSE Linux Enterprise Server 12-SP2-BCL:
    
          zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1792=1
    
       - SUSE Linux Enterprise Module for Public Cloud 12:
    
          zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1792=1
    
       - SUSE Enterprise Storage 5:
    
          zypper in -t patch SUSE-Storage-5-2020-1792=1
    
       - HPE Helion Openstack 8:
    
          zypper in -t patch HPE-Helion-OpenStack-8-2020-1792=1
    
    
    
    Package List:
    
       - SUSE OpenStack Cloud Crowbar 8 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE OpenStack Cloud 8 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE OpenStack Cloud 7 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Manager Server 3.2 (noarch):
    
          python-certifi-2018.4.16-3.6.1
          python-chardet-3.0.4-5.6.1
          python-urllib3-1.22-3.20.1
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Manager Proxy 3.2 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP5 (noarch):
    
          python-certifi-2018.4.16-3.6.1
          python-chardet-3.0.4-5.6.1
          python-urllib3-1.22-3.20.1
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP4 (noarch):
    
          python-chardet-3.0.4-5.6.1
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
    
          python-certifi-2018.4.16-3.6.1
          python-chardet-3.0.4-5.6.1
          python-urllib3-1.22-3.20.1
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-urllib3-1.22-3.20.1
    
       - SUSE Enterprise Storage 5 (noarch):
    
          python-urllib3-1.22-3.20.1
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
       - HPE Helion Openstack 8 (noarch):
    
          python3-certifi-2018.4.16-3.6.1
          python3-chardet-3.0.4-5.6.1
          python3-requests-2.20.1-5.2
          python3-urllib3-1.22-3.20.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2015-2296.html
       https://www.suse.com/security/cve/CVE-2018-18074.html
       https://bugzilla.suse.com/1054413
       https://bugzilla.suse.com/1073879
       https://bugzilla.suse.com/1111622
       https://bugzilla.suse.com/1122668
       https://bugzilla.suse.com/761500
       https://bugzilla.suse.com/922448
       https://bugzilla.suse.com/929736
       https://bugzilla.suse.com/935252
       https://bugzilla.suse.com/945455
       https://bugzilla.suse.com/947357
       https://bugzilla.suse.com/961596
       https://bugzilla.suse.com/967128
    
