Your message dated Mon, 30 Sep 2019 09:35:40 +0000
with message-id <[email protected]>
and subject line Bug#940058: fixed in httpie 1.0.3-1
has caused the Debian Bug report #940058,
regarding httpie: CVE-2019-10751
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
940058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940058
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: httpie
Version: 0.9.8-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for httpie.
CVE-2019-10751[0]:
| All versions of the HTTPie package prior to version 1.0.3 are
| vulnerable to Open Redirect that allows an attacker to write an
| arbitrary file with supplied filename and content to the current
| directory, by redirecting a request from HTTP to a crafted URL
| pointing to a server in his or her control.
The issue is demonstrable via the PoC in [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10751
[1] https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
Regards,
Salvatore
--- End Message ---
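As an added illustration (not HTTPie's code and not the upstream fix for this CVE), the following shows the defensive check a download tool needs when the local filename is derived from a server-supplied URL or Content-Disposition header after a redirect: the name is reduced to a single path component that cannot leave the current directory, and a change of origin across the redirect chain is made visible. `choose_download_name` and `redirect_crossed_origin` are hypothetical helpers; every input below is constructed.

```python
"""Added example: safe local-filename derivation for a --download style write."""
import os
import re
from urllib.parse import unquote, urlsplit


def filename_from_content_disposition(header):
    """Return the filename parameter of a Content-Disposition header, or None."""
    m = re.search(r'filename\*?=(?:"([^"]*)"|([^;]+))', header or '')
    if not m:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip()


def filename_from_url(url):
    """Return the last path segment of the (final, post-redirect) URL."""
    path = unquote(urlsplit(url).path)
    return os.path.basename(path.rstrip('/'))


def sanitize_filename(name, default='index'):
    """Keep only the last path component so the name cannot escape the cwd.

    Backslashes are treated as separators even on POSIX, NUL bytes are dropped,
    and leading dots are removed so a server cannot name a hidden file (this is
    a deliberately conservative policy, not an upstream rule).
    """
    name = os.path.basename(name.replace('\\', '/'))
    name = name.replace('\x00', '').strip().lstrip('.')
    return name or default


def choose_download_name(final_url, content_disposition=None, cwd='.'):
    """Pick the local filename and verify the target stays inside cwd."""
    raw = (filename_from_content_disposition(content_disposition)
           or filename_from_url(final_url))
    safe = sanitize_filename(raw)
    target = os.path.abspath(os.path.join(cwd, safe))
    # Invariant: the only directory we ever write into is cwd itself.
    if os.path.dirname(target) != os.path.abspath(cwd):
        raise ValueError('refusing to write outside the current directory')
    return safe


def redirect_crossed_origin(original_url, final_url):
    """True when the redirect chain ended on a different scheme, host or port."""
    a, b = urlsplit(original_url), urlsplit(final_url)
    return (a.scheme, a.hostname, a.port) != (b.scheme, b.hostname, b.port)
```

A tool following the pattern above would, for example, prompt or refuse when `redirect_crossed_origin` is true and only then call `choose_download_name` on the final response.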
--- Begin Message ---
Source: httpie
Source-Version: 1.0.3-1
We believe that the bug you reported is fixed in the latest version of
httpie, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bartosz Fenski <[email protected]> (supplier of updated httpie package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 30 Sep 2019 08:29:27 +0200
Source: httpie
Binary: httpie
Architecture: source all
Version: 1.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Bartosz Fenski <[email protected]>
Changed-By: Bartosz Fenski <[email protected]>
Description:
httpie - CLI, cURL-like tool for humans
Closes: 920214 940058
Changes:
httpie (1.0.3-1) unstable; urgency=medium
.
* New upstream release. (Closes: #920214)
- fixes CVE-2019-10751 (Closes: #940058)
* Bumped Standards-Version.
* The Akamai Technologies paid volunteer days release.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---