Debian Bug report logs - #706602
python-httplib2: CVE-2013-2037


Package: python-httplib2; Maintainer for python-httplib2 is Luca Falavigna <dktrkranz@debian.org>; Source for python-httplib2 is src:python-httplib2.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 2 May 2013 09:24:02 UTC

Severity: important

Tags: security

Fixed in versions python-httplib2/0.8-2, python-httplib2/0.7.4-2+deb7u1

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.google.com/p/httplib2/issues/detail?id=282



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#706602; Package python-httplib2. (Thu, 02 May 2013 09:24:06 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Luca Falavigna <dktrkranz@debian.org>. (Thu, 02 May 2013 09:24:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-httplib2: CVE-2013-2037
Date: Thu, 02 May 2013 11:21:05 +0200
Package: python-httplib2
Severity: important
Tags: security

Please see http://seclists.org/oss-sec/2013/q2/257 for details.

I suppose this is material for a point update rather than a DSA.

Cheers,
        Moritz



Set Bug forwarded-to-address to 'https://code.google.com/p/httplib2/issues/detail?id=282'. Request was from Luca Falavigna <dktrkranz@debian.org> to control@bugs.debian.org. (Sun, 05 May 2013 10:21:07 GMT)

Added tag(s) pending. Request was from bernat@users.alioth.debian.org to control@bugs.debian.org. (Fri, 16 Aug 2013 16:15:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#706602; Package python-httplib2. (Fri, 16 Aug 2013 16:18:04 GMT)

Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Fri, 16 Aug 2013 16:18:04 GMT)

Message #14 received at 706602@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Luca Falavigna <dktrkranz@debian.org>
Cc: 706602@bugs.debian.org
Subject: Re: bug 706602 is forwarded to https://code.google.com/p/httplib2/issues/detail?id=282
Date: Fri, 16 Aug 2013 18:13:24 +0200
 ❦  5 May 2013 12:18 CEST, Luca Falavigna <dktrkranz@debian.org>:

> forwarded 706602
> https://code.google.com/p/httplib2/issues/detail?id=282

I have tried the patch proposed in this issue. It works as expected (you
can try with api.stage-01.dailymotion.com which has a name mismatch). I
have pushed the change to the SVN and targeted this upload to unstable.

If you don't mind, I can upload the result.
-- 
Let the machine do the dirty work.
            - The Elements of Programming Style (Kernighan & Plauger)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#706602; Package python-httplib2. (Fri, 16 Aug 2013 19:12:05 GMT)

Acknowledgement sent to Luca Falavigna <dktrkranz@debian.org>:
Extra info received and forwarded to list. (Fri, 16 Aug 2013 19:12:05 GMT)

Message #19 received at 706602@bugs.debian.org:

From: Luca Falavigna <dktrkranz@debian.org>
To: Vincent Bernat <bernat@debian.org>
Cc: 706602@bugs.debian.org
Subject: Re: bug 706602 is forwarded to https://code.google.com/p/httplib2/issues/detail?id=282
Date: Fri, 16 Aug 2013 21:08:41 +0200
Hi Vincent,

2013/8/16 Vincent Bernat <bernat@debian.org>:
> I have tried the patch proposed in this issue. It works as expected (you
> can try with api.stage-01.dailymotion.com which has a name mismatch). I
> have pushed the change to the SVN and targeted this upload to unstable.

I was waiting for upstream to incorporate the patch because I hadn't a
site to check whether the fix was OK or not. Thanks for checking!

> If you don't mind, I can upload the result.

Feel free to upload it, as I've limited bandwidth here.

Cheers,
Luca



Information forwarded to debian-bugs-dist@lists.debian.org, Luca Falavigna <dktrkranz@debian.org>:
Bug#706602; Package python-httplib2. (Fri, 16 Aug 2013 19:27:08 GMT)

Acknowledgement sent to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Luca Falavigna <dktrkranz@debian.org>. (Fri, 16 Aug 2013 19:27:08 GMT)

Message #24 received at 706602@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: Luca Falavigna <dktrkranz@debian.org>
Cc: 706602@bugs.debian.org
Subject: Re: bug 706602 is forwarded to https://code.google.com/p/httplib2/issues/detail?id=282
Date: Fri, 16 Aug 2013 21:22:40 +0200
 ❦ 16 August 2013 21:08 CEST, Luca Falavigna <dktrkranz@debian.org>:

>> If you don't mind, I can upload the result.
>
> Feel free to upload it, as I've limited bandwidth here.

Thanks, just uploaded.
-- 
Program defensively.
            - The Elements of Programming Style (Kernighan & Plauger)

Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Fri, 16 Aug 2013 19:36:13 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 16 Aug 2013 19:36:13 GMT)

Message #29 received at 706602-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 706602-close@bugs.debian.org
Subject: Bug#706602: fixed in python-httplib2 0.8-2
Date: Fri, 16 Aug 2013 19:33:53 +0000
Source: python-httplib2
Source-Version: 0.8-2

We believe that the bug you reported is fixed in the latest version of
python-httplib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706602@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated python-httplib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Aug 2013 17:53:42 +0200
Source: python-httplib2
Binary: python-httplib2 python3-httplib2
Architecture: source all
Version: 0.8-2
Distribution: unstable
Urgency: low
Maintainer: Luca Falavigna <dktrkranz@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 python-httplib2 - comprehensive HTTP client library written for Python
 python3-httplib2 - comprehensive HTTP client library written for Python3
Closes: 706602
Changes: 
 python-httplib2 (0.8-2) unstable; urgency=low
 .
   * Team upload.
 .
   [ Vincent Bernat ]
   * Upload to unstable.
   * Fix CVE-2013-2037 with the appropriate patch. Closes: #706602.




Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Mon, 19 Aug 2013 21:06:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 19 Aug 2013 21:06:05 GMT)

Message #34 received at 706602-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 706602-close@bugs.debian.org
Subject: Bug#706602: fixed in python-httplib2 0.7.4-2+deb7u1
Date: Mon, 19 Aug 2013 21:02:36 +0000
Source: python-httplib2
Source-Version: 0.7.4-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
python-httplib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706602@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated python-httplib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 16 Aug 2013 23:36:17 +0200
Source: python-httplib2
Binary: python-httplib2 python3-httplib2
Architecture: source all
Version: 0.7.4-2+deb7u1
Distribution: stable
Urgency: low
Maintainer: Luca Falavigna <dktrkranz@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 python-httplib2 - comprehensive HTTP client library written for Python
 python3-httplib2 - comprehensive HTTP client library written for Python3
Closes: 706602
Changes: 
 python-httplib2 (0.7.4-2+deb7u1) stable; urgency=low
 .
   * Team upload.
 .
   [Vincent Bernat]
   * Stable update to fix CVE-2013-2037. This closes: #706602 by applying
     the same patch as in unstable.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Sep 2013 07:25:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:12:43 2014; Machine Name: buxtehude.debian.org