Bug 844193 (CVE-2021-41945)

Summary: <dev-python/httpx-0.23.0: improper URL input validation
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/advisories/GHSA-h8pj-cxx2-jfg2
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III 2022-05-14 16:03:05 UTC
CVE-2021-41945 (https://github.com/encode/httpx/discussions/1831):
https://github.com/encode/httpx/issues/2184

Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.

CVE description is inaccurate/misleading as usual. Fix is here:

https://github.com/encode/httpx/commit/e9b0c85dd4f4e4469c57c4b38e5101fd12081b5c
Comment 1 John Helmert III 2022-08-17 19:51:52 UTC
Tree is clean.

Upstream issue says this might lead to a "blacklist bypass", which would seem to be very low impact in an HTTP client. No GLSA, all done!