Bug 1189241 (CVE-2021-3737)

Summary: VUL-0: CVE-2021-3737: python3,python36,python38,python39,python27,python: infinitely reading potential HTTP headers after a 100 Continue status response from the server
Product: [Novell Products] SUSE Security Incidents
Reporter: Fusion Future <qydwhotmail>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gianluca.gabrielli, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: openSUSE Leap 15.3
URL: https://smash.suse.de/issue/306132
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3737:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Fusion Future 2021-08-09 16:42:54 UTC
HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.

References:
https://bugs.python.org/issue44022
https://github.com/python/cpython/pull/25916
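The failure mode in the description is an unbounded "read header lines until a blank line" loop applied to the interim 100 Continue response. The following is an added illustration of the class of check a fixed client applies (it is not code from the bug report, from CPython, or from the SUSE patch): header lines are counted while skipping a 1xx response, and reading stops with an error once a fixed limit is exceeded. The names, the limits `MAX_LINE` and `MAX_HEADERS`, and the sample byte streams are assumptions chosen for this example.

```python
import io

MAX_LINE = 65536     # assumed cap on a single line, matching the "< 64k" lines in the report
MAX_HEADERS = 100    # assumed cap on header lines per response (hypothetical value)
CONTINUE = 100


class HeaderLimitExceeded(Exception):
    """Raised when a response carries more header lines than MAX_HEADERS."""


class LineTooLong(Exception):
    """Raised when a single line exceeds MAX_LINE bytes."""


def _read_status(fp):
    """Parse a status line such as b'HTTP/1.1 100 Continue\\r\\n' into (version, code, reason)."""
    line = fp.readline(MAX_LINE + 1)
    if len(line) > MAX_LINE:
        raise LineTooLong("status line")
    if not line:
        raise ConnectionError("remote end closed connection before a status line")
    parts = line.decode("iso-8859-1").strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("bad status line: %r" % line)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return version, code, reason


def _read_headers(fp, limit=MAX_HEADERS):
    """Read header lines up to the blank line, but never more than `limit` of them.

    An unbounded variant (read until an empty line or EOF) is what lets a server
    keep the client reading forever; the counter is the mitigation.
    """
    headers = []
    while True:
        line = fp.readline(MAX_LINE + 1)
        if len(line) > MAX_LINE:
            raise LineTooLong("header line")
        if line in (b"\r\n", b"\n", b""):
            return headers
        headers.append(line)
        if len(headers) > limit:
            raise HeaderLimitExceeded("got more than %d headers" % limit)


def read_final_response(fp):
    """Skip any 100 Continue interim responses and return (status, headers) of the final one.

    Each skipped interim response is subject to the same header-count limit as
    the final response, so an endless run of header lines is rejected, not consumed.
    """
    while True:
        _version, status, _reason = _read_status(fp)
        if status != CONTINUE:
            break
        _read_headers(fp)  # bounded; the interim headers are discarded
    return status, _read_headers(fp)


def parse_response_bytes(data):
    """Convenience wrapper: parse a complete response from an in-memory byte string."""
    return read_final_response(io.BytesIO(data))


# Constructed sample streams (not captured traffic).
WELL_FORMED = (
    b"HTTP/1.1 100 Continue\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# A 100 Continue followed by one more header line than the limit allows.
EXCESSIVE = (
    b"HTTP/1.1 100 Continue\r\n"
    + b"".join(b"X-Pad-%d: 1\r\n" % i for i in range(MAX_HEADERS + 1))
)


def demo():
    """Return (final status, header count, whether the excessive stream was rejected)."""
    status, headers = parse_response_bytes(WELL_FORMED)
    try:
        parse_response_bytes(EXCESSIVE)
        rejected = False
    except HeaderLimitExceeded:
        rejected = True
    return status, len(headers), rejected


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the limit is enforced per response, including the interim one that is thrown away: a client that only bounds the headers of the final response still has an unbounded loop before it gets there.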
Comment 1 Marcus Meissner 2021-08-10 08:40:19 UTC
no cve yet
Comment 2 Fusion Future 2021-08-10 10:40:34 UTC
I have submitted a request for a CVE ID, not sure how long it will take. The patch and updates are in review state.

Python 2.7
https://build.opensuse.org/request/show/911135
Python 3.6
https://build.opensuse.org/request/show/911137
Python 3.8
https://build.opensuse.org/request/show/911136
Python 3.9
https://build.opensuse.org/request/show/911061
Comment 3 Gianluca Gabrielli 2021-08-26 15:24:19 UTC
I requested a CVE 3 days ago from Redhat, and CVE-2021-3737 has been assigned.
Comment 4 Fusion Future 2021-08-26 15:25:09 UTC
(In reply to Gianluca Gabrielli from comment #3)
> I requested a CVE 3 days ago from Redhat, and CVE-2021-3737 has been assigned.

Thank you
Comment 5 Gianluca Gabrielli 2021-08-26 15:55:26 UTC
Python 3

Affected packages:
 - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
 - SUSE:SLE-12-SP5:Update/python36                           3.6.13
 - SUSE:SLE-15-SP3:Update/python39                           3.9.4
 - SUSE:SLE-12:Update/python3-base                           3.4.10
 - SUSE:Carwos:1/python3                                     3.6.13
 - SUSE:SLE-12:Update/python3                                3.4.10
 - SUSE:SLE-15:Update/python3                                3.6.13

Already Fixed:
 - openSUSE:Factory/python36                                 3.6.14
 - openSUSE:Factory/python39                                 3.9.6

Upstream patches: PR#25916 [0] and PR#26503 [1].

[0] https://github.com/python/cpython/pull/25916
[1] https://github.com/python/cpython/pull/26503
Comment 6 Gianluca Gabrielli 2021-08-26 15:55:37 UTC
Python 2

Affected packages:
 - SUSE:SLE-11-SP1:Update/python                   2.6.9
 - SUSE:SLE-12-SP1:Update/python                   2.7.18
 - SUSE:SLE-15:Update/python                       2.7.18
 - SUSE:SLE-11-SP1:Update/python-base              2.6.9
 - SUSE:SLE-12-SP1:Update/python-base              2.7.18
 - SUSE:SLE-15:Update/python-base                  2.7.18
 - SUSE:SLE-11-SP1:Update/python-doc               2.6
 - SUSE:SLE-12-SP1:Update/python-doc               2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27        2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27-base   2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27-doc    2.7.18

Already Fixed:
 - openSUSE:Factory/python                         2.7.18
 - openSUSE:Factory/python-doc                     2.7.18
 - openSUSE:Factory/python-base                    2.7.18

Upstream patch [0].

[0] https://build.opensuse.org/package/view_file/devel:languages:python:Factory/python/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch?expand=1
Comment 7 OBSbugzilla Bot 2021-09-15 14:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/919164 Factory / python36
Comment 8 Matej Cepl 2021-09-15 15:43:13 UTC
(In reply to Gianluca Gabrielli from comment #5)
>  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13

This is not correct. https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3 is the same as base SLE-12, i.e., python 3.4.

>  - SUSE:Carwos:1/python3                                     3.6.13

This is not maintained by our team.
Comment 9 Gianluca Gabrielli 2021-09-15 16:03:15 UTC
(In reply to Matej Cepl from comment #8)
> (In reply to Gianluca Gabrielli from comment #5)
> >  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
> 
> This is not correct.
> https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3
> is the same as base SLE-12, i.e., python 3.4.

You are right.

> >  - SUSE:Carwos:1/python3                                     3.6.13
> 
> This is not maintained by our team.

Please ignore Carwos.
Comment 10 OBSbugzilla Bot 2021-09-15 16:40:27 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/919259 Factory / python39
Comment 17 Gianluca Gabrielli 2021-09-20 09:53:48 UTC
(In reply to Matej Cepl from comment #8)
> (In reply to Gianluca Gabrielli from comment #5)
> >  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
> 
> This is not correct.
> https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3
> is the same as base SLE-12, i.e., python 3.4.

You are correct, and I now realize that I mistyped the name of the package; I meant python36, i.e. SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36.
Comment 33 OBSbugzilla Bot 2021-10-06 14:45:14 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36
Comment 35 Swamp Workflow Management 2021-10-20 10:29:04 UTC
SUSE-SU-2021:3477-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1187668,1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2021-10-20 19:27:23 UTC
SUSE-SU-2021:3486-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.15-11.1, python36-core-3.6.15-11.1
Comment 37 Swamp Workflow Management 2021-10-20 19:34:30 UTC
openSUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1, python-doc-2.7.18-33.1
Comment 38 Swamp Workflow Management 2021-10-20 19:41:46 UTC
SUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    python-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    python-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
Comment 39 OBSbugzilla Bot 2021-10-22 08:45:29 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36
Comment 41 Swamp Workflow Management 2021-10-26 19:28:03 UTC
SUSE-SU-2021:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.18-28.74.2
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.18-28.74.1, python-base-2.7.18-28.74.2, python-doc-2.7.18-28.74.1
Comment 45 Swamp Workflow Management 2021-10-31 20:31:53 UTC
openSUSE-SU-2021:1418-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-2.7.18-lp152.3.21.1, python-base-2.7.18-lp152.3.21.1, python-doc-2.7.18-lp152.3.21.1
Comment 48 Swamp Workflow Management 2021-12-13 20:17:56 UTC
SUSE-SU-2021:4015-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE MicroOS 5.0 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
Comment 49 Swamp Workflow Management 2021-12-16 14:18:31 UTC
openSUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1, python3-documentation-3.6.15-10.9.1
Comment 50 Swamp Workflow Management 2021-12-16 14:21:35 UTC
SUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python3-core-3.6.15-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1
Comment 51 Swamp Workflow Management 2021-12-23 14:56:44 UTC
SUSE-SU-2021:4015-2: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server for SAP 15 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Enterprise Storage 6 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE CaaS Platform 4.0 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
Comment 54 OBSbugzilla Bot 2022-02-06 22:31:16 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 55 OBSbugzilla Bot 2022-02-09 19:11:29 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 57 Swamp Workflow Management 2022-05-02 19:17:46 UTC
SUSE-SU-2022:1485-1: An update that solves three vulnerabilities, contains one feature and has two fixes is now available.

Category: security (moderate)
Bug References: 1186819,1189241,1189287,1189356,1193179
CVE References: CVE-2021-3572,CVE-2021-3733,CVE-2021-3737
JIRA References: SLE-23849
Sources used:
openSUSE Leap 15.4 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
openSUSE Leap 15.3 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python39-core-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1
Comment 58 OBSbugzilla Bot 2022-06-10 08:41:29 UTC
This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python