CVE-2021-21240: httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server. This is fixed in version 0.19.0, which contains a new implementation of auth header parsing using the pyparsing library.
PR: https://github.com/httplib2/httplib2/pull/182
Patch: https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
Released in 0.19.0, please bump.
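The fix described in the report swaps the header parser for one whose work on hostile input stays bounded. As an added illustration (this is not httplib2's code and not the pyparsing grammar from the linked PR), the Python below is a single-pass WWW-Authenticate challenge parser with an up-front length cap. The 8 KiB cap, the helper names and the sample headers are all constructed for this example. It is exercised on a header that ends in a long "\xa0" run, on a header with the run inside a quoted realm, and on an oversized header; in each case the cost is proportional to the header length and malformed input is rejected the first time it is seen rather than retried.

```python
"""Added example (not httplib2's code): a single-pass, length-capped parser for
WWW-Authenticate challenges, run over constructed headers that contain the long
"\xa0" runs described in CVE-2021-21240."""
import time

# Assumption: an 8 KiB cap is a reasonable limit chosen for this example.
MAX_HEADER_LEN = 8192

# tchar from RFC 7230 section 3.2.6; OWS is SP / HTAB. "\xa0" is in neither set,
# so a run of it is neither skipped as whitespace nor accepted as a token.
_TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
_OWS = frozenset(" \t")


def parse_www_authenticate(header):
    """Return a list of (scheme, {param: value}) challenges.

    Every character is examined a bounded number of times and the scanner never
    backtracks, so the work is O(len(header)). token68 credentials (e.g. a bare
    base64 blob after the scheme) are not modelled here.
    """
    if len(header) > MAX_HEADER_LEN:
        raise ValueError("header longer than %d characters" % MAX_HEADER_LEN)
    n = len(header)
    pos = 0
    challenges = []

    def skip_ows():
        nonlocal pos
        while pos < n and header[pos] in _OWS:
            pos += 1

    def read_token():
        nonlocal pos
        start = pos
        while pos < n and header[pos] in _TCHAR:
            pos += 1
        if start == pos:
            raise ValueError("unexpected character %r at offset %d"
                             % (header[pos:pos + 1], pos))
        return header[start:pos]

    def read_value():
        nonlocal pos
        if pos < n and header[pos] == '"':
            pos += 1
            out = []
            while pos < n and header[pos] != '"':
                if header[pos] == "\\" and pos + 1 < n:  # quoted-pair
                    pos += 1
                out.append(header[pos])
                pos += 1
            if pos >= n:
                raise ValueError("unterminated quoted-string")
            pos += 1
            return "".join(out)
        return read_token()

    while pos < n:
        skip_ows()
        if pos >= n:
            break
        if header[pos] == ",":  # RFC 7230 tolerates empty list elements
            pos += 1
            continue
        scheme = read_token()
        params = {}
        while True:
            skip_ows()
            if pos < n and header[pos] == ",":
                pos += 1
                skip_ows()
            if pos >= n or header[pos] not in _TCHAR:
                break
            mark = pos
            name = read_token()
            skip_ows()
            if pos < n and header[pos] == "=":
                pos += 1
                skip_ows()
                params[name.lower()] = read_value()
            else:
                pos = mark  # the token was the next challenge's scheme
                break
        challenges.append((scheme.lower(), params))
    return challenges


def parse_or_error(header):
    """Wrap the parser so callers (and tests) get ("ok", result) or ("error", msg)."""
    try:
        return ("ok", parse_www_authenticate(header))
    except ValueError as exc:
        return ("error", str(exc))


def timed_parse(header):
    """Return (status, seconds) for one parse; used to show the cost stays small."""
    started = time.perf_counter()
    status, _ = parse_or_error(header)
    return (status, time.perf_counter() - started)


# Constructed sample headers (not captured from any real server).
HOSTILE_HEADER = 'Basic realm="x"' + "\xa0" * 5000          # garbage after a challenge
QUOTED_RUN_HEADER = 'Digest realm="' + "\xa0" * 5000 + '", qop="auth"'
OVERSIZED_HEADER = "Basic " + "\xa0" * 20000                  # rejected by the cap

if __name__ == "__main__":
    for label, hdr in (("hostile", HOSTILE_HEADER), ("quoted-run", QUOTED_RUN_HEADER),
                       ("oversized", OVERSIZED_HEADER)):
        print(label, parse_or_error(hdr)[0], "%.4fs" % timed_parse(hdr)[1])
```

The hostile header fails at offset 15, the first "\xa0", with one comparison per character up to that point; the quoted run is scanned exactly once and kept as the realm value; the oversized header never reaches the scanner at all. A client-side cap like this is also a cheap detection point: a WWW-Authenticate header that trips it is worth logging with the peer address.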
Unable to check for sanity: > no match for package: dev-python/httplib2-0.19.0
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01fa5e8e750b5d0baa16ff7f7bd27fcffc247713

commit 01fa5e8e750b5d0baa16ff7f7bd27fcffc247713
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-09 09:13:19 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-09 09:20:15 +0000

    dev-python/httplib2: Bump to 0.19.0

    Bug: https://bugs.gentoo.org/769653
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/httplib2/Manifest               |  1 +
 dev-python/httplib2/httplib2-0.19.0.ebuild | 56 ++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
All sanity-check issues have been resolved
amd64 arm arm64 hppa ppc ppc64 sparc x86 (ALLARCHES) done all arches done
Please cleanup.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab3f7a6826c9163829367015573938e8eb78be66
Very limited impact so no GLSA, all done!