Your message dated Tue, 19 Jul 2022 10:51:27 +0000
with message-id <[email protected]>
and subject line Bug#1008011: fixed in httpie 3.2.1-1
has caused the Debian Bug report #1008011,
regarding httpie: CVE-2022-24737
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1008011: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008011
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: httpie
Version: 2.6.0-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for httpie.
CVE-2022-24737[0]:
| HTTPie is a command-line HTTP client. HTTPie has the practical concept
| of sessions, which help users to persistently store some of the state
| that belongs to the outgoing requests and incoming responses on the
| disk for further usage. Before 3.1.0, HTTPie didn't
| distinguish between cookies and hosts they belonged. This behavior
| resulted in the exposure of some cookies when there are redirects
| originating from the actual host to a third party website. Users are
| advised to upgrade. There are no known workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24737
[1] https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq
[2] https://github.com/httpie/httpie/commit/65ab7d5caaaf2f95e61f9dd65441801c2ddee38b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
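The behaviour in the CVE-2022-24737 description above (session cookies stored without the host they belong to, then sent after a redirect to a third party), modelled in Python as an added example; it is not HTTPie's code and not part of the original messages. The class names, hosts and cookie value are constructed, and the host-bound store uses exact-host matching as a simplification of real cookie domain rules.

```python
from urllib.parse import urlsplit

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

class FlatSession:
    """Cookies stored by name only: the failure mode the advisory describes."""
    def __init__(self):
        self.cookies = {}
    def store(self, url, name, value):
        self.cookies[name] = value          # origin host is discarded
    def cookies_for(self, url):
        return dict(self.cookies)           # every cookie goes to every host

class HostBoundSession:
    """Cookies keyed by (host, name); exact-host match only (simplification)."""
    def __init__(self):
        self.cookies = {}
    def store(self, url, name, value):
        self.cookies[(host_of(url), name)] = value
    def cookies_for(self, url):
        host = host_of(url)
        return {n: v for (h, n), v in self.cookies.items() if h == host}

def follow(session, url, redirects, max_hops=10):
    """Walk a redirect map; return [(host, cookies sent)] for each request."""
    trace = []
    for _ in range(max_hops):               # bounded, so redirect loops end
        trace.append((host_of(url), session.cookies_for(url)))
        if url not in redirects:
            break
        url = redirects[url]
    return trace

def exposed(session_cls):
    """Cookie names sent to any host other than the one that set them."""
    origin = "https://app.example.test/login"                    # constructed
    redirects = {origin: "https://third-party.example/landing"}  # constructed
    s = session_cls()
    s.store(origin, "sessionid", "constructed-secret")
    return sorted(n for host, sent in follow(s, origin, redirects)
                  for n in sent if host != host_of(origin))

if __name__ == "__main__":
    print("flat store exposes:", exposed(FlatSession))
    print("host-bound store exposes:", exposed(HostBoundSession))
```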
--- Begin Message ---
Source: httpie
Source-Version: 3.2.1-1
Done: Bartosz Fenski <[email protected]>
We believe that the bug you reported is fixed in the latest version of
httpie, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bartosz Fenski <[email protected]> (supplier of updated httpie package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 19 Jul 2022 12:06:14 +0200
Source: httpie
Architecture: source
Version: 3.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Bartosz Fenski <[email protected]>
Changed-By: Bartosz Fenski <[email protected]>
Closes: 1006651 1008011 1014765
Changes:
httpie (3.2.1-1) unstable; urgency=medium
.
* New upstream version (Closes: #1006651)
- fixes two exposure of sensitive information vulnerabilities:
CVE-2022-0430 (Closes: #1014765)
CVE-2022-24737 (Closes: #1008011)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---