Bug 1215722

Summary: VUL-0: python-python-redmine: API key leak
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, mardnh, rbranco
Version: unspecified
Flags: abergmann: needinfo? (mardnh)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/379842/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-09-26 12:00:23 UTC
https://github.com/maxtepkeev/python-redmine/issues/330

The quick way to test it is with no Internet connection:

import os
import logging
from redminelib import Redmine
from redminelib.exceptions import BaseRedmineError
from requests.exceptions import RequestException

URL = os.getenv("URL", "https://progress.opensuse.org")
USER = os.getenv("USER", "test")
API_KEY = "MYAPIKEY"

try:
    client = Redmine(URL, username=USER, key=API_KEY)
    client.issue.get(777)
except (BaseRedmineError, RequestException) as exc:
    logging.error("%s", exc)

ERROR:root:HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max retries exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7fa218b31450>: Failed to resolve 'progress.opensuse.org' ([Errno -3] Temporary failure in name resolution)")) 

The only workaround is to catch requests.exceptions.ConnectionError.
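A defensive measure to pair with that workaround, added here as an example (not the reporter's code and not part of python-redmine): a logging filter that redacts the `key=` query parameter from whatever reaches the log, including the message requests/urllib3 embed in the exception. The sample message below is constructed from the one quoted in the report, with a placeholder key; `redact_api_key`, `RedactApiKeyFilter` and `format_with_redaction` are names chosen for this example.

```python
import io
import logging
import re
import traceback

# Constructed sample of the exception text quoted in the report; the key is a placeholder.
SAMPLE_MESSAGE = (
    "HTTPSConnectionPool(host='progress.opensuse.org', port=443): Max retries "
    "exceeded with url: /issues/777.json?key=MYAPIKEY (Caused by "
    "NameResolutionError(\"Failed to resolve 'progress.opensuse.org'\"))"
)

# Value of a `key` query parameter, up to the next delimiter, space or closing bracket/quote.
_KEY_PARAM = re.compile(r"([?&]key=)[^&\s)\"']+")


def redact_api_key(text: str) -> str:
    """Replace the value of every `key=` query parameter with a fixed marker."""
    return _KEY_PARAM.sub(r"\1<REDACTED>", text)


def _scrub(value):
    # Strings and exceptions are formatted via str() by logging, so redact those; leave ints etc. alone.
    if isinstance(value, (str, BaseException)):
        return redact_api_key(str(value))
    return value


class RedactApiKeyFilter(logging.Filter):
    """Scrub API keys from the message, its arguments and any attached traceback."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _scrub(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(_scrub(a) for a in record.args)
        if record.exc_info:
            # Pre-render the traceback so the formatter uses the redacted text.
            record.exc_text = redact_api_key("".join(traceback.format_exception(*record.exc_info)))
        return True


def format_with_redaction(exc: BaseException) -> str:
    """Log `exc` the way the reporter's snippet does, through the filter, and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s:%(name)s:%(message)s"))
    handler.addFilter(RedactApiKeyFilter())
    logger = logging.getLogger("redmine-demo")
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.error("%s", exc)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()
```

Attach the filter to every handler that may see requests exceptions; a filter on the logger alone is skipped for records that arrive through child loggers.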
Comment 1 Ricardo Branco 2023-09-26 12:38:41 UTC
Another workaround:

https://github.com/maxtepkeev/python-redmine/pull/328#issuecomment-1728431742
Comment 2 Martin Hauke 2023-09-26 19:11:19 UTC
See https://build.opensuse.org/request/show/1113727
Comment 3 Alexander Bergmann 2023-09-27 06:13:25 UTC
@Martin, could you please prepare submissions for the following backports:

openSUSE:Backports:SLE-15-SP4
openSUSE:Backports:SLE-15-SP5
openSUSE:Backports:SLE-15-SP6

You can still submit to the SLE-15-SP6 GA project.
Comment 4 OBSbugzilla Bot 2023-09-29 08:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1215722) was mentioned in
https://build.opensuse.org/request/show/1114261 Factory / python-python-redmine