http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c2 --- Comment #2 from Martin Wilck --- So, in order to fix this problem, we could 1) switch back to vendor-supplied requests module, as I did in my OBS project, 2) Pull in the patches from comment 1 (not tested yet). 2) avoids the upgrade problem mentioned in comment 0, but requires pulling in a rather largeish patch set that hasn't been accepted upstream yet. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c3 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tchvatal@suse.com Assignee|tchvatal@suse.com |rjschwei@suse.com --- Comment #3 from Tomáš Chvátal --- Bundling is not really good idea. I would really suggest to grab the upstream unbunding patch. If you look at it and ommit the removals it is pretty tiny patchset to get it rolling. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c5 --- Comment #5 from Tomáš Chvátal --- You plan to do the security audit and verification of those? Basically by default nothing that bundles stuff gets in factory and if it is included, mostly it happened by accident rather than by purpose. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c7 Robert Schweikert changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium Status|NEW |CONFIRMED Assignee|rjschwei@suse.com |adrian.glaubitz@suse.com --- Comment #7 from Robert Schweikert --- The problem is that if a security issue is encountered in the bundled requests package then we are dependent on the maintainers of botocore to provide a patched requests implementation. Given that getting things into boto and botocore is a rather lengthy undertaking the question is really; would you be OK if we'd expose your AWS credentials via a bug in the bundled requests package that we cannot fix in a hurry? My guess is that the answer to that question is No and thus having requests separate as it is today is the right thing to do. We will pull the upstream patch to avoid the issue. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c10 --- Comment #10 from Martin Wilck --- Upstream has unvendored requests in 1.11.0. https://github.com/boto/botocore/issues/1258#issuecomment-415928768 So this issue could be solved by updating python-botocore to 1.11. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c14 --- Comment #14 from Martin Wilck ---

See: https://build.opensuse.org/request/show/631815

yeah, saw that already. Seriously: We are entering a dependency circle here. The problem described in this bug isn't relevant for SLE-12 and Leap 42, as we still ship python-requests 2.11 there. This is still true for SLE-12-SP4, AFAICS. So, at least as far as this problem here is concerned, we can stay with botocore 1.10 just fine in SLE-12 and Leap 42. OTOH, in factory, SLE15, and Leap15, we have the need to update botocore because it just doesn't work at all with the shipped python-requests (2.19 / 2.18, respectively). So from my point of view it'd make an awful lot of sense to accept botocore 1.11 into factory and SLE15, while going with 1.10 for SLE12. I'm having a bit of a hard time trying to understand why SLE12 needs to get this cutting-edge update at all. Stuff like this ought to go to 15 in my understanding. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 Maintenance Robot changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|maint:planned:update |maint:planned:update |ibs:running:13893:moderate |ibs:running:14350:important | |ibs:running:13893:moderate -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1095041 http://bugzilla.suse.com/show_bug.cgi?id=1095041#c18 --- Comment #18 from Swamp Workflow Management --- SUSE-RU-2020:0775-1: An update that has 11 recommended fixes can now be installed. Category: recommended (important) Bug References: 1069697,1075263,1088310,1095041,1118021,1118024,1118027,1129696,1136184,1146853,1146854 CVE References: Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1 SUSE OpenStack Cloud 8 (src): python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1 SUSE OpenStack Cloud 7 (src): python-futures-3.0.2-15.3.1 SUSE Manager Tools 12 (src): python-futures-3.0.2-15.3.1 SUSE Manager Server 3.2 (src): python-futures-3.0.2-15.3.1 SUSE Manager Proxy 3.2 (src): python-futures-3.0.2-15.3.1 SUSE Linux Enterprise Point of Sale 12-SP2 (src): python-futures-3.0.2-15.3.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): python-boto3-1.10.33-14.14.1, python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1, python-s3transfer-0.2.1-8.7.1 SUSE Linux Enterprise Module for Advanced Systems Management 12 (src): python-futures-3.0.2-15.3.1 SUSE Enterprise Storage 5 (src): python-futures-3.0.2-15.3.1 SUSE CaaS Platform 3.0 (src): python-futures-3.0.2-15.3.1 HPE Helion Openstack 8 (src): python-botocore-1.13.33-28.20.1, python-futures-3.0.2-15.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1095041 https://bugzilla.suse.com/show_bug.cgi?id=1095041#c19 John Paul Adrian Glaubitz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.wilck@suse.com Flags| |needinfo?(martin.wilck@suse | |.com) --- Comment #19 from John Paul Adrian Glaubitz --- I can no longer reproduce this problem in Tumbleweed. Can this issue be closed? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1095041 https://bugzilla.suse.com/show_bug.cgi?id=1095041#c21 John Paul Adrian Glaubitz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED --- Comment #21 from John Paul Adrian Glaubitz --- Fixed with updated packages. -- You are receiving this mail because: You are on the CC list for the bug.