CVE-2020-11078

Name: CVE-2020-11078
Description: In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change request headers and body, and send additional hidden requests to the same server. This vulnerability affects software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper URI building with urllib escaping. This has been fixed in 0.18.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2232-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release              Version              Status
python-httplib2 (PTS)   jessie               0.9+dfsg-2           vulnerable
                        jessie (security)    0.9+dfsg-2+deb8u1    fixed
                        stretch              0.9.2+dfsg-1         vulnerable
                        buster               0.11.3-2             vulnerable
                        bullseye, sid        0.18.1-1             fixed

The information below is based on the following data on fixed versions.

Package           Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
python-httplib2   source   (unstable)   0.18.1-1
python-httplib2   source   jessie       0.9+dfsg-2+deb8u1              DLA-2232-1

Notes

[buster] - python-httplib2 <no-dsa> (Minor issue)
[stretch] - python-httplib2 <no-dsa> (Minor issue)
https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq
https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e
