CVE-2020-11078

Name: CVE-2020-11078
Description: In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change the request headers and body and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper URL building with escaping (for example via urllib). This has been fixed in 0.18.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2232-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                  Version     Status
python-httplib2 (PTS)   buster                   0.11.3-2    vulnerable
                        bullseye                 0.18.1-3    fixed
                        sid, trixie, bookworm    0.20.4-3    fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
python-httplib2   source   jessie       0.9+dfsg-2+deb8u1              DLA-2232-1
python-httplib2   source   (unstable)   0.18.1-1

Notes

[buster] - python-httplib2 <no-dsa> (Minor issue)
[stretch] - python-httplib2 <no-dsa> (Minor issue)
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
