Bug 1136184 - python-botocore needs to support urllib 1.25 for CVE-2019-9947
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Other
Version: Current
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Normal
Assigned To: John Paul Adrian Glaubitz
Reported: 2019-05-24 08:31 UTC by Dominique Leuenberger
Modified: 2022-02-25 21:06 UTC

Description Dominique Leuenberger 2019-05-24 08:31:28 UTC
The two packages python and python3 are being patched against CVE-2019-9947

This in turn requires a fix / update of python-urllib3 to version 1.25

Python-botocore currently has a BuildRequires: python-urllib3 < 1.25, thus ending up 'unresolvable' with this updated stack.

Python-botocore upstream has this already addressed in git, by means of:

https://github.com/boto/botocore/commit/3a6bd282307ff91cbd04f2a7dfa6369c08015d2f
  through https://github.com/boto/botocore/pull/1735/files

and
https://github.com/boto/botocore/commit/e3ef8a9eae78f630d30fdb19ac091932aa6ed8ca
  through https://github.com/boto/botocore/pull/1737

Can you please add those two commits to the python-botocore package and submit it to openSUSE:Factory in order to get the CVE fixes ready?
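The conflict described in this report (a security update of python-urllib3 to 1.25 colliding with a `BuildRequires: python-urllib3 < 1.25`) can be caught before the update is staged. The script below is an added example, not code from the bug report, from botocore or from the openSUSE packaging: it implements a minimal RPM-style version-constraint check in plain Python and reports which packages become unresolvable against a constructed repository state. The python-botocore `< 1.25` constraint is the one quoted in the bug; the python-six lines, the repository versions and the relaxed `< 1.26` upper bound are assumptions made for the example (the bug does not quote the bound upstream chose).

```python
"""
Dependency-conflict check for the situation described in this bug, as an
added example (not code from the bug report, botocore, or the openSUSE
packaging). It models the security update of python-urllib3 to 1.25 for
CVE-2019-9947 and reports which packages' BuildRequires become unresolvable.

Only simple RPM-style constraints ("name op version") with dotted numeric
versions are handled. The package lists below are constructed for the
example, except for the python-botocore "< 1.25" constraint quoted in the bug.
"""
import re
from typing import Dict, List, Tuple

# name, comparison operator, dotted numeric version (spaces optional)
CONSTRAINT_RE = re.compile(
    r"^\s*([A-Za-z0-9_.+-]+)\s*(<=|>=|==|=|<|>)\s*(\d+(?:\.\d+)*)\s*$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.25' -> (1, 25). Only dotted integers are supported."""
    return tuple(int(part) for part in text.split("."))


def version_cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare dotted versions, padding the shorter one with zeros (1.25 == 1.25.0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_constraint(text: str) -> Tuple[str, str, Tuple[int, ...]]:
    """Split 'python-urllib3 < 1.25' into ('python-urllib3', '<', (1, 25))."""
    m = CONSTRAINT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported constraint: {text!r}")
    name, op, ver = m.groups()
    return name, "==" if op == "=" else op, parse_version(ver)


def satisfies(candidate: str, op: str, bound: Tuple[int, ...]) -> bool:
    """True if the candidate version satisfies 'op bound'."""
    c = version_cmp(parse_version(candidate), bound)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]


def unresolvable(available: Dict[str, str],
                 build_requires: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {package: [violated constraints]} for the given repository versions."""
    broken: Dict[str, List[str]] = {}
    for pkg, constraints in build_requires.items():
        failed = []
        for text in constraints:
            name, op, bound = parse_constraint(text)
            if name not in available:
                failed.append(f"{text} (not in repo)")
            elif not satisfies(available[name], op, bound):
                failed.append(f"{text} (repo has {available[name]})")
        if failed:
            broken[pkg] = failed
    return broken


# Constructed repository state after the CVE-driven urllib3 update.
REPO_AFTER_UPDATE = {"python-urllib3": "1.25", "python-six": "1.12.0"}

# BuildRequires before the upstream fix. The "python-urllib3 < 1.25" line is
# the one quoted in the bug; the other two are constructed fillers.
BUILD_REQUIRES_PINNED = {
    "python-botocore": ["python-urllib3 >= 1.20", "python-urllib3 < 1.25",
                        "python-six >= 1.10"],
}

# The same after relaxing the upper bound. The exact bound upstream chose is
# not quoted in the bug; "< 1.26" is an assumption for this example.
BUILD_REQUIRES_RELAXED = {
    "python-botocore": ["python-urllib3 >= 1.20", "python-urllib3 < 1.26",
                        "python-six >= 1.10"],
}

if __name__ == "__main__":
    for label, reqs in (("pinned", BUILD_REQUIRES_PINNED),
                        ("relaxed", BUILD_REQUIRES_RELAXED)):
        print(label, unresolvable(REPO_AFTER_UPDATE, reqs))
```

Run as a script it prints one line per scenario: the pinned set reports python-botocore as unresolvable because the repo now carries urllib3 1.25, the relaxed set reports nothing. In a real tree the `available` dict would be filled from the target repository's package versions and `build_requires` from each spec file's BuildRequires lines.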
Comment 1 John Paul Adrian Glaubitz 2019-05-25 11:15:14 UTC
Yes, I'll update botocore and boto to their latest versions. Note that they always have to be updated together.
Comment 3 Swamp Workflow Management 2019-10-01 16:15:19 UTC
SUSE-RU-2019:2506-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1136184,1146853,1146854
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    aws-cli-1.16.223-4.10.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    python-boto3-1.9.213-3.8.1, python-botocore-1.12.213-3.8.1, python-s3transfer-0.2.1-3.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-boto3-1.9.213-3.8.1, python-botocore-1.12.213-3.8.1, python-s3transfer-0.2.1-3.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-boto3-1.9.213-3.8.1, python-botocore-1.12.213-3.8.1, python-s3transfer-0.2.1-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-10-06 19:10:55 UTC
openSUSE-RU-2019:2270-1: An update that has three recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1136184,1146853,1146854
CVE References: 
Sources used:
openSUSE Leap 15.0 (src):    aws-cli-1.16.223-lp150.8.1, python-boto3-1.9.213-lp150.7.1, python-botocore-1.12.213-lp150.7.1, python-s3transfer-0.2.1-lp150.7.1
Comment 5 Robert Schweikert 2019-10-14 13:54:05 UTC
Released
Comment 7 Swamp Workflow Management 2020-02-26 20:12:51 UTC
SUSE-RU-2020:0498-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122669,1136184,1146853,1146854,1159018
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-PyYAML-5.1.2-6.3.7
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    aws-cli-1.16.223-8.3.3, azure-cli-core-2.0.45-6.3.3, azure-cli-interactive-0.3.28-6.3.3, python-aws-sam-translator-1.11.0-4.3.8, python-cfn-lint-0.21.4-3.3.9
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    python-boto3-1.9.213-7.3.4, python-botocore-1.12.213-7.3.4, python-s3transfer-0.2.1-6.3.5
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-boto3-1.9.213-7.3.4, python-botocore-1.12.213-7.3.4, python-s3transfer-0.2.1-6.3.5
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-PyYAML-5.1.2-6.3.7, python-boto3-1.9.213-7.3.4, python-botocore-1.12.213-7.3.4, python-s3transfer-0.2.1-6.3.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-03-03 05:12:18 UTC
openSUSE-RU-2020:0290-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122669,1136184,1146853,1146854,1159018
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    aws-cli-1.16.223-lp151.2.3.1, azure-cli-core-2.0.45-lp151.2.3.1, azure-cli-interactive-0.3.28-lp151.2.3.1, python-PyYAML-5.1.2-lp151.2.3.1, python-boto3-1.9.213-lp151.2.3.1, python-botocore-1.12.213-lp151.2.3.1, python-nose2-0.9.1-lp151.3.3.1, python-parameterized-0.7.0-lp151.3.3.1, python-s3transfer-0.2.1-lp151.2.3.1
Comment 9 Swamp Workflow Management 2020-03-05 20:12:16 UTC
openSUSE-RU-2020:0303-1: An update that has 5 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1122669,1136184,1146853,1146854,1159018
CVE References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-nose2-0.9.1-bp151.4.3.1, python-parameterized-0.7.0-bp151.2.3.1
Comment 10 Swamp Workflow Management 2020-03-24 20:25:52 UTC
SUSE-RU-2020:0775-1: An update that has 11 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 1069697,1075263,1088310,1095041,1118021,1118024,1118027,1129696,1136184,1146853,1146854
CVE References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1
SUSE OpenStack Cloud 8 (src):    python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1
SUSE OpenStack Cloud 7 (src):    python-futures-3.0.2-15.3.1
SUSE Manager Tools 12 (src):    python-futures-3.0.2-15.3.1
SUSE Manager Server 3.2 (src):    python-futures-3.0.2-15.3.1
SUSE Manager Proxy 3.2 (src):    python-futures-3.0.2-15.3.1
SUSE Linux Enterprise Point of Sale 12-SP2 (src):    python-futures-3.0.2-15.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    python-boto3-1.10.33-14.14.1, python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1, python-s3transfer-0.2.1-8.7.1
SUSE Linux Enterprise Module for Advanced Systems Management 12 (src):    python-futures-3.0.2-15.3.1
SUSE Enterprise Storage 5 (src):    python-futures-3.0.2-15.3.1
SUSE CaaS Platform 3.0 (src):    python-futures-3.0.2-15.3.1
HPE Helion Openstack 8 (src):    python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.