Security update for python3-requests

Announcement ID:	SUSE-SU-2020:1792-1
Rating:	moderate
References:	bsc#1054413 bsc#1073879 bsc#1111622 bsc#1122668 bsc#761500 bsc#922448 bsc#929736 bsc#935252 bsc#945455 bsc#947357 bsc#961596 bsc#967128
Cross-References:	CVE-2015-2296 CVE-2018-18074
CVSS scores:	CVE-2018-18074 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-18074 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-18074 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	HPE Helion OpenStack 8 Public Cloud Module 12 SUSE Enterprise Storage 5 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 SUSE Linux Enterprise Workstation Extension 12 12-SP5 SUSE Manager Proxy 3.2 SUSE Manager Server 3.2 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Description:

This update for python3-requests provides the following fix:

python-requests was updated to 2.20.1.

Update to version 2.20.1:

• Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443).

Update to version 2.20.0:

• Bugfixes

• Content-Type header parsing is now case-insensitive (e.g. charset=utf8 v Charset=utf8).

• Fixed exception leak where certain redirect urls would raise uncaught urllib3 exceptions.
• Requests removes Authorization header from requests redirected from https to http on the same hostname. (CVE-2018-18074)
• should_bypass_proxies now handles URIs without hostnames (e.g. files).

Update to version 2.19.1:

• Fixed issue where status_codes.py’s init function failed trying to append to a doc value of None.

Update to version 2.19.0:

• Improvements

• Warn about possible slowdown with cryptography version < 1.3.4

• Check host in proxy URL, before forwarding request to adapter.
• Maintain fragments properly across redirects. (RFC7231 7.1.2)
• Removed use of cgi module to expedite library load time.
• Added support for SHA-256 and SHA-512 digest auth algorithms.

• Minor performance improvement to Request.content.

• Bugfixes

• Parsing empty Link headers with parse_header_links() no longer return one bogus entry.

• Fixed issue where loading the default certificate bundle from a zip archive would raise an IOError.
• Fixed issue with unexpected ImportError on windows system which do not support winreg module.
• DNS resolution in proxy bypass no longer includes the username and password in the request. This also fixes the issue of DNS queries failing on macOS.
• Properly normalize adapter prefixes for url comparison.
• Passing None as a file pointer to the files param no longer raises an exception.
• Calling copy on a RequestsCookieJar will now preserve the cookie policy correctly.

Update to version 2.18.4:

• Improvements

• Error messages for invalid headers now include the header name for easier debugging

Update to version 2.18.3:

• Improvements
• Running $ python -m requests.help now includes the installed version of idna.
• Bugfixes

• Fixed issue where Requests would raise ConnectionError instead of SSLError when encountering SSL problems when using urllib3 v1.22.

• Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https connections will fail.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• HPE Helion OpenStack 8
  zypper in -t patch HPE-Helion-OpenStack-8-2020-1792=1
• SUSE OpenStack Cloud 7
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1792=1
• SUSE OpenStack Cloud 8
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1792=1
• SUSE OpenStack Cloud Crowbar 8
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1792=1
• Public Cloud Module 12
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1792=1
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2
  zypper in -t patch SUSE-SLE-POS-12-SP2-CLIENT-2020-1792=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1792=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1792=1
• SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1792=1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1792=1
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2020-1792=1
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1792=1
• SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1792=1
• SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2020-1792=1
• SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1792=1
• SUSE Linux Enterprise High Performance Computing 12 SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1792=1
• SUSE Linux Enterprise Server 12 SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1792=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1792=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1
• SUSE Linux Enterprise Workstation Extension 12 12-SP5
  zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1792=1
• SUSE Enterprise Storage 5
  zypper in -t patch SUSE-Storage-5-2020-1792=1
• SUSE Manager Proxy 3.2
  zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1792=1
• SUSE Manager Server 3.2
  zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1792=1

Package List:

• HPE Helion OpenStack 8 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE OpenStack Cloud 7 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE OpenStack Cloud 8 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE OpenStack Cloud Crowbar 8 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• Public Cloud Module 12 (noarch)
  • python-certifi-2018.4.16-3.6.1
  • python3-chardet-3.0.4-5.6.1
  • python3-certifi-2018.4.16-3.6.1
  • python3-urllib3-1.22-3.20.1
  • python-chardet-3.0.4-5.6.1
  • python-urllib3-1.22-3.20.1
• SUSE Linux Enterprise Point of Service Image Server 12 12-SP2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP3 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Linux Enterprise High Performance Computing 12 SP4 (noarch)
  • python3-requests-2.20.1-5.2
  • python3-chardet-3.0.4-5.6.1
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
  • python-chardet-3.0.4-5.6.1
• SUSE Linux Enterprise Server 12 SP4 (noarch)
  • python3-requests-2.20.1-5.2
  • python3-chardet-3.0.4-5.6.1
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
  • python-chardet-3.0.4-5.6.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (noarch)
  • python3-requests-2.20.1-5.2
  • python3-chardet-3.0.4-5.6.1
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
  • python-chardet-3.0.4-5.6.1
• SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
  • python3-requests-2.20.1-5.2
  • python-certifi-2018.4.16-3.6.1
  • python3-chardet-3.0.4-5.6.1
  • python3-certifi-2018.4.16-3.6.1
  • python3-urllib3-1.22-3.20.1
  • python-chardet-3.0.4-5.6.1
  • python-urllib3-1.22-3.20.1
• SUSE Linux Enterprise Server 12 SP5 (noarch)
  • python3-requests-2.20.1-5.2
  • python-certifi-2018.4.16-3.6.1
  • python3-chardet-3.0.4-5.6.1
  • python3-certifi-2018.4.16-3.6.1
  • python3-urllib3-1.22-3.20.1
  • python-chardet-3.0.4-5.6.1
  • python-urllib3-1.22-3.20.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  • python3-requests-2.20.1-5.2
  • python-certifi-2018.4.16-3.6.1
  • python3-chardet-3.0.4-5.6.1
  • python3-certifi-2018.4.16-3.6.1
  • python3-urllib3-1.22-3.20.1
  • python-chardet-3.0.4-5.6.1
  • python-urllib3-1.22-3.20.1
• SUSE Linux Enterprise Workstation Extension 12 12-SP5 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Enterprise Storage 5 (noarch)
  • python3-requests-2.20.1-5.2
  • python3-chardet-3.0.4-5.6.1
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
  • python-urllib3-1.22-3.20.1
• SUSE Manager Proxy 3.2 (noarch)
  • python3-chardet-3.0.4-5.6.1
  • python3-requests-2.20.1-5.2
  • python3-urllib3-1.22-3.20.1
  • python3-certifi-2018.4.16-3.6.1
• SUSE Manager Server 3.2 (noarch)
  • python3-requests-2.20.1-5.2
  • python-certifi-2018.4.16-3.6.1
  • python3-chardet-3.0.4-5.6.1
  • python3-certifi-2018.4.16-3.6.1
  • python3-urllib3-1.22-3.20.1
  • python-chardet-3.0.4-5.6.1
  • python-urllib3-1.22-3.20.1

References:

• https://www.suse.com/security/cve/CVE-2015-2296.html
• https://www.suse.com/security/cve/CVE-2018-18074.html
• https://bugzilla.suse.com/show_bug.cgi?id=1054413
• https://bugzilla.suse.com/show_bug.cgi?id=1073879
• https://bugzilla.suse.com/show_bug.cgi?id=1111622
• https://bugzilla.suse.com/show_bug.cgi?id=1122668
• https://bugzilla.suse.com/show_bug.cgi?id=761500
• https://bugzilla.suse.com/show_bug.cgi?id=922448
• https://bugzilla.suse.com/show_bug.cgi?id=929736
• https://bugzilla.suse.com/show_bug.cgi?id=935252
• https://bugzilla.suse.com/show_bug.cgi?id=945455
• https://bugzilla.suse.com/show_bug.cgi?id=947357
• https://bugzilla.suse.com/show_bug.cgi?id=961596
• https://bugzilla.suse.com/show_bug.cgi?id=967128