Bug 1189241 – VUL-0: CVE-2021-3737: python3,python36,python38,python39,python27,python: infinitely reading potential HTTP headers after a 100 Continue status response from the server

Bug 1189241 - (CVE-2021-3737) VUL-0: CVE-2021-3737: python3,python36,python38,python39,python27,python: infinitely reading potential HTTP headers after a 100 Continue status response from the server

(CVE-2021-3737)
Summary:	VUL-0: CVE-2021-3737: python3,python36,python38,python39,python27,python: inf...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other openSUSE Leap 15.3

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/306132
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-3737:6.5:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-08-09 16:42 UTC by Fusion Future
Modified:	2022-11-29 14:05 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fusion Future 2021-08-09 16:42:54 UTC

HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.

References:
https://bugs.python.org/issue44022
https://github.com/python/cpython/pull/25916

Comment 1 Marcus Meissner 2021-08-10 08:40:19 UTC

no cve yet

Comment 2 Fusion Future 2021-08-10 10:40:34 UTC

I have submitted a request for CVE ID, not sure how long will it take. The patch and updates is in review state.

Python 2.7
https://build.opensuse.org/request/show/911135
Python 3.6
https://build.opensuse.org/request/show/911137
Python 3.8
https://build.opensuse.org/request/show/911136
Python 3.9
https://build.opensuse.org/request/show/911061

Comment 3 Gianluca Gabrielli 2021-08-26 15:24:19 UTC

I requested a CVE 3 days ago to Redhat, and CVE-2021-3737 as been assigned.

Comment 4 Fusion Future 2021-08-26 15:25:09 UTC

(In reply to Gianluca Gabrielli from comment #3)
> I requested a CVE 3 days ago to Redhat, and CVE-2021-3737 as been assigned.

Thank you

Comment 5 Gianluca Gabrielli 2021-08-26 15:55:26 UTC

Python 3

Affected packages:
 - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
 - SUSE:SLE-12-SP5:Update/python36                           3.6.13
 - SUSE:SLE-15-SP3:Update/python39                           3.9.4
 - SUSE:SLE-12:Update/python3-base                           3.4.10
 - SUSE:Carwos:1/python3                                     3.6.13
 - SUSE:SLE-12:Update/python3                                3.4.10
 - SUSE:SLE-15:Update/python3                                3.6.13

Already Fixed:
 - openSUSE:Factory/python36                                 3.6.14
 - openSUSE:Factory/python39                                 3.9.6

Upstream patches: PR#25916 [0] and PR#26503 [1].

[0] https://github.com/python/cpython/pull/25916
[1] https://github.com/python/cpython/pull/26503

Comment 6 Gianluca Gabrielli 2021-08-26 15:55:37 UTC

Python 2

Affected packages:
 - SUSE:SLE-11-SP1:Update/python                   2.6.9
 - SUSE:SLE-12-SP1:Update/python                   2.7.18
 - SUSE:SLE-15:Update/python                       2.7.18
 - SUSE:SLE-11-SP1:Update/python-base              2.6.9
 - SUSE:SLE-12-SP1:Update/python-base              2.7.18
 - SUSE:SLE-15:Update/python-base                  2.7.18
 - SUSE:SLE-11-SP1:Update/python-doc               2.6
 - SUSE:SLE-12-SP1:Update/python-doc               2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27        2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27-base   2.7.18
 - SUSE:SLE-11-SP1:Update:Teradata/python27-doc    2.7.18

Already Fixed:
 - openSUSE:Factory/python                         2.7.18
 - openSUSE:Factory/python-doc                     2.7.18
 - openSUSE:Factory/python-base                    2.7.18

Upstream patch [0].

[0] https://build.opensuse.org/package/view_file/devel:languages:python:Factory/python/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch?expand=1

Comment 7 OBSbugzilla Bot 2021-09-15 14:40:11 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/919164 Factory / python36

Comment 8 Matej Cepl 2021-09-15 15:43:13 UTC

(In reply to Gianluca Gabrielli from comment #5)
>  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13

This is not correct. https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3 is the same as base SLE-12, i.e., python 3.4.

>  - SUSE:Carwos:1/python3                                     3.6.13

This is not maintained by our team.

Comment 9 Gianluca Gabrielli 2021-09-15 16:03:15 UTC

(In reply to Matej Cepl from comment #8)
> (In reply to Gianluca Gabrielli from comment #5)
> >  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
> 
> This is not correct.
> https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3
> is the same as base SLE-12, i.e., python 3.4.

You are right.

> >  - SUSE:Carwos:1/python3                                     3.6.13
> 
> This is not maintained by our team.

Please ignore Carwos.

Comment 10 OBSbugzilla Bot 2021-09-15 16:40:27 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/919259 Factory / python39

Comment 17 Gianluca Gabrielli 2021-09-20 09:53:48 UTC

(In reply to Matej Cepl from comment #8)
> (In reply to Gianluca Gabrielli from comment #5)
> >  - SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python3   3.6.13
> 
> This is not correct.
> https://build.suse.de/package/show/SUSE:SLE-12-SP2:Update:Teradata/python3
> is the same as base SLE-12, i.e., python 3.4.

You are correct, and I now realized that I mistyped the name of the package, I meant python36. So SUSE:SLE-12-SP3:Update:Products:Teradata:Update/python36.

Comment 33 OBSbugzilla Bot 2021-10-06 14:45:14 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/923499 Factory / python36

Comment 35 Swamp Workflow Management 2021-10-20 10:29:04 UTC

SUSE-SU-2021:3477-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1187668,1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Server 12-SP5 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    python3-3.4.10-25.80.2, python3-base-3.4.10-25.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 36 Swamp Workflow Management 2021-10-20 19:27:23 UTC

SUSE-SU-2021:3486-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    python36-3.6.15-11.1, python36-core-3.6.15-11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 37 Swamp Workflow Management 2021-10-20 19:34:30 UTC

openSUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1, python-doc-2.7.18-33.1

Comment 38 Swamp Workflow Management 2021-10-20 19:41:46 UTC

SUSE-SU-2021:3489-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    python-2.7.18-33.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    python-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python-2.7.18-33.1, python-base-2.7.18-33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 39 OBSbugzilla Bot 2021-10-22 08:45:29 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/926876 Factory / python36

Comment 41 Swamp Workflow Management 2021-10-26 19:28:03 UTC

SUSE-SU-2021:3524-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    python-base-2.7.18-28.74.2
SUSE Linux Enterprise Server 12-SP5 (src):    python-2.7.18-28.74.1, python-base-2.7.18-28.74.2, python-doc-2.7.18-28.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 45 Swamp Workflow Management 2021-10-31 20:31:53 UTC

openSUSE-SU-2021:1418-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1189241,1189287
CVE References: CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    python-2.7.18-lp152.3.21.1, python-base-2.7.18-lp152.3.21.1, python-doc-2.7.18-lp152.3.21.1

Comment 48 Swamp Workflow Management 2021-12-13 20:17:56 UTC

SUSE-SU-2021:4015-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE MicroOS 5.0 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 49 Swamp Workflow Management 2021-12-16 14:18:31 UTC

openSUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1, python3-documentation-3.6.15-10.9.1

Comment 50 Swamp Workflow Management 2021-12-16 14:21:35 UTC

SUSE-SU-2021:4104-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python3-core-3.6.15-10.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python3-3.6.15-10.9.1, python3-core-3.6.15-10.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 51 Swamp Workflow Management 2021-12-23 14:56:44 UTC

SUSE-SU-2021:4015-2: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287
CVE References: CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server for SAP 15 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-SP1-BCL (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise Server 15-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE Enterprise Storage 6 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3
SUSE CaaS Platform 4.0 (src):    python3-3.6.15-3.91.4, python3-core-3.6.15-3.91.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 54 OBSbugzilla Bot 2022-02-06 22:31:16 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python

Comment 55 OBSbugzilla Bot 2022-02-09 19:11:29 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python

Comment 57 Swamp Workflow Management 2022-05-02 19:17:46 UTC

SUSE-SU-2022:1485-1: An update that solves three vulnerabilities, contains one feature and has two fixes is now available.

Category: security (moderate)
Bug References: 1186819,1189241,1189287,1189356,1193179
CVE References: CVE-2021-3572,CVE-2021-3733,CVE-2021-3737
JIRA References: SLE-23849
Sources used:
openSUSE Leap 15.4 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
openSUSE Leap 15.3 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1, python39-documentation-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    python39-core-3.9.10-150300.4.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    python39-3.9.10-150300.4.8.2, python39-core-3.9.10-150300.4.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 58 OBSbugzilla Bot 2022-06-10 08:41:29 UTC

This is an autogenerated message for OBS integration:
This bug (1189241) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python