#1010336 httpx: CVE-2021-41945 blacklist bypass due to implementation of httpx.URL().copy_with

Package:
src:httpx
Source:
httpx
Submitter:
Neil Williams
Date:
2022-06-23 02:51:05 UTC
Severity:
important
#1010336#5
Date:
2022-04-29 07:22:32 UTC
Hi,

The following vulnerability was published for httpx.

CVE-2021-41945[0]:
| Encode OSS httpx <=1.0.0.beta0 is affected by improper input
| validation in `httpx.URL`, `httpx.Client` and some functions using
| `httpx.URL.copy_with`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41945

Please adjust the affected versions in the BTS as needed.

Please also note that the affected code has moved upstream, from _models.py
to a new file, _urls.py.

https://sources.debian.org/src/httpx/0.22.0-2/httpx/_models.py/?hl=537#L537

#1010336#12
Date:
2022-06-23 02:16:38 UTC
Hello,

Bug #1010336 in httpx reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/httpx/-/commit/2f102745791ef56fdfada4bfac9b79990559728d

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1010336

#1010336#19
Date:
2022-06-23 02:47:45 UTC
We believe that the bug you reported is fixed in the latest version of
httpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010336@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <morph@debian.org> (supplier of updated httpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 22 Jun 2022 22:16:02 -0400
Source: httpx
Architecture: source
Version: 0.23.0-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <morph@debian.org>
Changed-By: Sandro Tosi <morph@debian.org>
Closes: 1010336
Changes:
 httpx (0.23.0-1) unstable; urgency=medium
 .
   * New upstream release; Closes: #1010336 - CVE-2021-41945
   * debian/control
     - bump b-d on httpcore to >= 0.15.0