Bugzilla – Bug 1215718
VUL-0: python-bugzilla: API key leak
Last modified: 2024-05-17 12:45:56 UTC
https://github.com/python-bugzilla/python-bugzilla/pull/188

The api_key in use is exposed if the script fails to establish a new connection.

--------------------------------
import os
import logging

from bugzilla import Bugzilla
from bugzilla.exceptions import BugzillaError
from requests.exceptions import RequestException

# "bugzilla.suse.coma" does not resolve (see the "Name or service not known"
# error below), so the connection attempt fails and the exception is logged.
URL = os.getenv("URL", "https://bugzilla.suse.coma")
USER = os.getenv("USER", "test")
API_KEY = "MYAPIKEY"  # placeholder; a real key is leaked in exactly the same way

try:
    client = Bugzilla(URL, force_rest=True, user=USER, api_key=API_KEY)
except (BugzillaError, RequestException) as exc:
    error = exc
    # The exception text carries the request URL, including the
    # Bugzilla_api_key query parameter, so this log line leaks the key.
    logging.error("%s", exc)
--------------------------------

The error message contains the API key in plain text.

Before:

$ python3 test.py
ERROR:root:HTTPSConnectionPool(host='bugzilla.suse.coma', port=443): Max retries exceeded with url: /rest/version?Bugzilla_api_key=MYAPIKEY (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f54f87912b0>: Failed to establish a new connection: [Errno -2] Name or service not known',))

After the following commit, the problem is fixed:
https://github.com/python-bugzilla/python-bugzilla/pull/188/commits/95ac3ca7262aee02db60c1fe0ac7fec3631bfd83

After:

$ python3 test.py
ERROR:root:HTTPSConnectionPool(host='bugzilla.suse.coma', port=443): Max retries exceeded with url: /rest/version?Bugzilla_api_key= (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f395ab9a8d0>: Failed to establish a new connection: [Errno -2] Name or service not known',))
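The leak above is a general pattern: a credential placed in the request URL ends up in the text of any transport exception, and a plain `logging.error("%s", exc)` writes it out. The following is an added example of the scrubbing technique, written for this page; it is not python-bugzilla's code and not the content of the linked commit. It blanks the value of credential-carrying Bugzilla query parameters (the same shape as the "After" output above), falls back to replacing the literal key wherever else it appears, and re-raises a scrubbed exception without keeping the original in the exception chain. The sample error string is constructed from the report's output with the placeholder key `MYAPIKEY`; the list of sensitive parameter names and the `ScrubbedError`/`call_scrubbed` helpers are this example's own assumptions, not a library API.

```python
import logging
import re

# Constructed sample: the urllib3 error text quoted in the bug report, with the
# placeholder key "MYAPIKEY" standing in for a real credential.
SAMPLE_KEY = "MYAPIKEY"
SAMPLE_ERROR = (
    "HTTPSConnectionPool(host='bugzilla.suse.coma', port=443): Max retries "
    "exceeded with url: /rest/version?Bugzilla_api_key=MYAPIKEY (Caused by "
    "NewConnectionError('<urllib3.connection.HTTPSConnection object at "
    "0x7f54f87912b0>: Failed to establish a new connection: [Errno -2] Name "
    "or service not known',))"
)

# Query parameters treated as credentials (assumed list for this example;
# extend it with whatever your deployment considers secret).
SENSITIVE_PARAMS = ("Bugzilla_api_key", "Bugzilla_token", "Bugzilla_password")

_PARAM_RE = re.compile(
    r"([?&](?:%s)=)[^&\s'\")]*" % "|".join(re.escape(p) for p in SENSITIVE_PARAMS)
)


def redact_query_params(text):
    """Blank the value of every credential-carrying query parameter found in
    free text: '?Bugzilla_api_key=MYAPIKEY (Caused' -> '?Bugzilla_api_key= (Caused'.
    The value is dropped rather than masked, matching the report's 'After' output."""
    return _PARAM_RE.sub(r"\1", text)


def redact_literals(text, secrets):
    """Second line of defence: replace any literal occurrence of a known secret,
    since it may also surface in an echoed header, cookie or request body."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "***")
    return text


def scrub(text, secrets=()):
    """Apply both passes; parameter blanking first, then literal replacement."""
    return redact_literals(redact_query_params(text), secrets)


class ScrubbedError(Exception):
    """Raised in place of a lower-level exception whose text has been scrubbed."""


def call_scrubbed(func, secrets, *args, **kwargs):
    """Run func(*args, **kwargs); if it raises, raise ScrubbedError carrying only
    the scrubbed message.  The new exception is deliberately raised *outside*
    the except block: raising inside it (even with 'raise ... from None') still
    attaches the original exception as __context__, where the unredacted
    message stays reachable to traceback formatters and debuggers."""
    scrubbed = None
    try:
        return func(*args, **kwargs)
    except Exception as exc:
        scrubbed = ScrubbedError(scrub(str(exc), secrets))
    raise scrubbed


def _fail_like_the_report():
    """Stand-in for Bugzilla(...) hitting an unresolvable host; needs no network."""
    raise ConnectionError(SAMPLE_ERROR)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    try:
        call_scrubbed(_fail_like_the_report, [SAMPLE_KEY])
    except ScrubbedError as exc:
        logging.error("%s", exc)  # the key value is no longer present
```

Two caveats when applying this. Scrubbing `str(exc)` is only as good as what you log afterwards: a `requests` exception object still carries the unredacted URL in `exc.request.url` and in `exc.args`, so log the scrubbed exception and never the original object (and avoid `logging.exception()` on the original, which prints the chained traceback). Redaction is also a mitigation, not the root fix; the Bugzilla REST API accepts the key in the `X-BUGZILLA-API-KEY` request header, and a credential sent that way never appears in a URL in the first place.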
We need fixes for the following backports:
openSUSE:Backports:SLE-15-SP4
openSUSE:Backports:SLE-15-SP5
openSUSE:Backports:SLE-15-SP6
I sent the fixes yesterday, but without a bsc as there wasn't one, and I got pinged directly at OBS. Anyway, here are the new submissions with the bsc.

Factory: https://build.opensuse.org/request/show/1113660
Backports 15SP4: https://build.opensuse.org/request/show/1113661

For SP5 and SP6... it looks to me like submitting to SP4 is enough?

$ osc mr -m "Fix API Key leak" devel:languages:python python-bugzilla openSUSE:Backports:SLE-15-SP5:Update
Using target project 'openSUSE:Maintenance'. (release in 'openSUSE:Backports:SLE-15-SP5:Update')
The following maintenance incident request is already open: 1113661.
Supersede the old request? (y/n/c) c
Aborting
aborted.

$ osc mr -m "Fix API Key leak" devel:languages:python python-bugzilla openSUSE:Backports:SLE-15-SP6:Update
Using target project 'openSUSE:Maintenance'. (release in 'openSUSE:Backports:SLE-15-SP6:Update')
The following maintenance incident request is already open: 1113661.
Supersede the old request? (y/n/c) c
Aborting
aborted.
Seems it was not enough, as the MU only covers SP4:
https://build.opensuse.org/project/show/openSUSE:Maintenance:18096

Not clear to me why I get the request to supersede, probably because I was not branching from the target codestream.
(In reply to Julio González Gil from comment #3)
> Seems it was not enough, as the MU only covers SP4:
> https://build.opensuse.org/project/show/openSUSE:Maintenance:18096
>
> Not clear to me why I get the request to supersede, probably because I was
> not branching from the target codestream.

Not too sure myself; there is no inheritance, so it would need a separate submission. I will ask around, maybe something with the project setup.
(In reply to Robert Frohl from comment #4)
> (In reply to Julio González Gil from comment #3)
> > Seems it was not enough, as the MU only covers SP4:
> > https://build.opensuse.org/project/show/openSUSE:Maintenance:18096
> >
> > Not clear to me why I get the request to supersede, probably because I was
> > not branching from the target codestream.
>
> not to sure my self, there is no inheritance so it would need a separate
> submission. I will ask around, maybe something with the project setup.

No worries, I submitted https://build.opensuse.org/request/show/1113675 for SP5. As soon as it's accepted, I will submit for SP6 as well :-)
One late idea: openSUSE:Backports:SLE-15-SP6 is not GA yet, so maybe there you can submit to the base codestream (i.e. without ':Update').
(In reply to Robert Frohl from comment #6)
> one late idea: openSUSE:Backports:SLE-15-SP6 is not GA yet, maybe there you
> can submit to the base codestream (i.e. without ':Update')

Ouch! You are right, of course, and I need a SR, not a MR. Here goes SP6:
https://build.opensuse.org/request/show/1113677
openSUSE-SU-2023:0279-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1215718
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): python-bugzilla-3.2.0-bp154.3.8.1
openSUSE-SU-2023:0334-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1215718
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): python-bugzilla-3.2.0-bp155.2.3.1
Alexander Bergmann, I think this can be closed as fixed... or is there anything missing? As far as I can tell, I submitted to all affected codestreams, and the fix got accepted.