Headline
RHSA-2023:4520: Red Hat Security Advisory: python-requests security update
An update for python-requests is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This behavior only affects proxied requests when credentials are supplied in the URL user information component (for example, https://username:password@proxy:8080).
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-08-08
Updated:
2023-08-08
RHSA-2023:4520 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: python-requests security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for python-requests is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The python-requests package contains a library designed to make HTTP requests easy for developers.
Security Fix(es):
- python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
- Red Hat Enterprise Linux Server - TUS 8.8 x86_64
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
Fixes
- BZ - 2209469 - CVE-2023-32681 python-requests: Unintended leak of Proxy-Authorization header
Red Hat Enterprise Linux for x86_64 8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
x86_64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
x86_64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
s390x
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
s390x
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for Power, little endian 8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
ppc64le
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
ppc64le
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux Server - TUS 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
x86_64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for ARM 64 8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
aarch64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
aarch64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
ppc64le
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8
SRPM
python-requests-2.20.0-3.el8_8.src.rpm
SHA-256: c0538a7dbfa1e6280b7c0d3e0ec8f76ae2eec3a2e940f2b134fd93312ee7a682
x86_64
python3-requests-2.20.0-3.el8_8.noarch.rpm
SHA-256: 0398327f420834a4f3130b634efeaf4c57b0982f0467bc89910c4e17168307b7
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2024-0299-03 - An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
Red Hat OpenShift Service Mesh Containers for 2.4.3 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-35942: A flaw was found in Envoy, where gRPC access loggers using the listener's global scope can cause a use-after-free crash when the listener is drained. This issue can be triggered by a listener discovery service (LDS) update with the same gRPC access log configuration.
Red Hat Security Advisory 2023-5029-01 - An update is now available for Red Hat OpenShift GitOps 1.9. Issues addressed include a denial of service vulnerability.
An update is now available for Red Hat OpenShift GitOps 1.9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-40029: A flaw was found in the ArgoCD package, used by Red Hat GitOps, that allows cluster secrets to be managed declaratively using the `kubectl apply` functionality, resulting in the full secret body being stored in `kubectl.kubernetes.io/last-applied-configuration` annotation. Since ArgoCD has included the ability to manage cluster labels and annotations via i...
Red Hat Security Advisory 2023-4982-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.12.6 images.
A new image is available for Red Hat Single Sign-On 7.6.5, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2023-1436: A flaw was found in Jettison. Infinite recursion is triggered in Jettison w...
Red Hat Security Advisory 2023-4875-01 - Red Hat Advanced Cluster Management for Kubernetes 2.8.1 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide security updates and fix several bugs. Issues addressed include bypass and privilege escalation vulnerabilities.
This is the multiarch release of the AMQ Broker 7.11.1 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4065: No description is available for this CVE. * CVE-2023-4066: No description is available for this CVE.
Red Hat Security Advisory 2023-4693-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
An update is now available for Red Hat Ansible Automation Platform 2.4 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-4380: No description is available for this CVE. * CVE-2023-23931: A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamen...
Red Hat Security Advisory 2023-4664-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.13.3 images. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4654-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.7 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat OpenShift Virtualization release 4.13.3 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests. * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Con...
Red Hat Security Advisory 2023-4650-01 - Multicluster Engine for Kubernetes 2.2.7 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.
Multicluster Engine for Kubernetes 2.2.7 General Availability release images, which provide security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. * CVE-2023-37903: A flaw was found in the vm2 custom inspect function, which allows attackers to escape t...
Red Hat Security Advisory 2023-4456-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.8. Issues addressed include an add administrator vulnerability.
Red Hat Security Advisory 2023-4520-01 - The python-requests package contains a library designed to make HTTP requests easy for developers.
Red Hat OpenShift Container Platform release 4.13.8 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41723: A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number...
An update for python-requests is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32681: A flaw was found in the Python-requests package, where it is vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. This beh...
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
Ubuntu Security Notice 6155-2 - USN-6155-1 fixed a vulnerability in Requests. This update provides the corresponding update for Ubuntu 16.04 ESM and 18.04 ESM. Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.
Ubuntu Security Notice 6155-1 - Dennis Brinkrolf and Tobias Funke discovered that Requests incorrectly leaked Proxy-Authorization headers. A remote attacker could possibly use this issue to obtain sensitive information.
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
### Impact Since Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`). **Current vulnerable behavior(s):** 1. HTTP → HTTPS: **leak** 2. HTTPS → HTTP: **no leak** 3. HTTPS → HTTPS: **leak** 4. HTTP → HTTP: **no leak** For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` head...