Source: SUSE advisory SUSE-CU-2021:236-1 (see also SUSE bugzilla)
Related CVEs: CVE-2020-11078 CVE-2021-21240
Upstream summary (CVE-2020-11078): In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to httplib2.Http.request() could change request headers and body and send additional hidden requests to the same server. This affects software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper URL building with escaping (urllib.parse). Fixed upstream in 0.18.0. CVE-2021-21240 is a separate defect in the same library: a hostile server can make the client burn CPU while parsing a crafted WWW-Authenticate header (a denial of service; fixed upstream in 0.19.0).
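The mechanism in that summary, shown as an added example written for this page (it is not httplib2 code and not part of the advisory): render_request is my own simulation of a client that copies an unescaped path straight into the HTTP/1.1 request line, BASE and ATTACK are constructed sample values, and the helper names are this example's own. The unsafe build puts two complete requests on the wire; the escaped build puts one.

```python
import re
from urllib.parse import quote

# Constructed sample values (not from the advisory or from httplib2).
BASE = "http://api.example.com/api/"
# Caller-controlled segment. It closes the request line, injects a header and a
# blank line, then starts a second request that the server treats as a separate,
# hidden request from the same client.
ATTACK = ("item HTTP/1.1\r\nX-Injected: 1\r\nHost: api.example.com\r\n\r\n"
          "GET /admin/delete")

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def build_uri_unsafe(base: str, segment: str) -> str:
    """The pattern the advisory warns about: string concatenation, no escaping."""
    return base + segment


def build_uri_safe(base: str, segment: str) -> str:
    """Percent-encode the segment. safe='' also encodes '/', so the caller cannot
    leave the intended path, and CR/LF become %0D%0A."""
    return base + quote(segment, safe="")


def is_clean_segment(segment: str) -> bool:
    """Defence in depth: reject control characters before they reach any client."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in segment)


def split_uri(uri: str) -> tuple[str, str]:
    """Minimal scheme://host/path split. urllib.parse.urlsplit is deliberately
    not used: since Python 3.9 it silently drops CR and LF from a URL, which
    would hide exactly the injection this example is meant to show."""
    _scheme, rest = uri.split("://", 1)
    host, _, path = rest.partition("/")
    return host, "/" + path


def render_request(uri: str, method: str = "GET") -> bytes:
    """Simulation of an HTTP/1.1 client that copies the path into the request
    line verbatim (the pre-0.18.0 behaviour the summary describes; this is a
    stand-in written for this example, not httplib2's own code)."""
    host, path = split_uri(uri)
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: demo\r\n\r\n").encode()


def count_request_lines(raw: bytes) -> int:
    """How many well-formed request lines a server would see in this one write."""
    return sum(1 for line in raw.split(b"\r\n") if REQUEST_LINE.match(line))


if __name__ == "__main__":
    bad = render_request(build_uri_unsafe(BASE, ATTACK))
    good = render_request(build_uri_safe(BASE, ATTACK))
    print("unsafe build  -> request lines on the wire:", count_request_lines(bad))
    print("escaped build -> request lines on the wire:", count_request_lines(good))
    print("segment accepted by input filter:", is_clean_segment(ATTACK))
```

In application code the escaping belongs at the point where external input becomes part of the URI (quote for path segments, urlencode for query strings); the control-character filter is a second layer for inputs that should never contain CR or LF at all.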
Symptom & Impact
On SLES 16 hosts with python313-httplib2 installed, zypper patch-check lists the patch from SUSE advisory SUSE-CU-2021:236-1 as open. httplib2 is a client library, so the host does not crash or log an AVC on its own; the exposure is in every service that imports it. Code that builds the URI for httplib2.Http.request() by string concatenation lets anyone who controls part of that string inject CR/LF, alter request headers and body, and smuggle extra requests to the same server (CVE-2020-11078), and a hostile server can stall the client while it parses a crafted WWW-Authenticate header (CVE-2021-21240). Impact therefore depends on what the consuming service does with the library, from unexpected requests reaching an internal API to a stuck worker whenever python313-httplib2 sits on the serving path.
Environment & Reproduction
Reproduction targets SLES 16. Confirm release, registration, and installed package:
cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q python313-httplib2
zypper info python313-httplib2 | head -20
Exercise the code path in the consuming service that calls httplib2 (the library has no systemd unit of its own; substitute the service's unit name below) while collecting:
sudo journalctl -u <consuming-service> -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig (add -B <SR-number> once you have a service request open):
sudo supportconfig -R /var/tmp
Root Cause Analysis
Root cause is the httplib2 code shipped in the outdated python313-httplib2 build, as documented in SUSE advisory SUSE-CU-2021:236-1: unescaped URI parts reach the request line, so CR/LF in caller-controlled input splits the request (CVE-2020-11078), and header parsing can be driven into a CPU-bound loop by a malicious server (CVE-2021-21240). SUSE security maintainers ship the fixed build in the corresponding update for SLES 16; a host still on the old NVR stays exposed regardless of how the consuming service itself behaves. Correlate zypper history with system logs:
sudo zypper history | grep python313-httplib2
sudo zypper history --since='-7 days' | tail -40
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modules
Quick Triage
Run these on SLES 16 to capture the current state of python313-httplib2:
rpm -q python313-httplib2 # installed NVR
rpm -V python313-httplib2 # verify shipped files
sudo zypper patch-check # open patches
sudo zypper lp --cve=CVE-2020-11078,CVE-2021-21240 # patches that address these CVEs
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce # SELinux mode
# If python313-httplib2 ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i python313 | head
Step-by-Step Diagnosis
- List failed systemd units.
systemctl --failed --no-pager
- Tail the journal for the service that imports python313-httplib2 (the library itself has no unit) and for the system bus.
sudo journalctl -u <consuming-service> -f --no-pager
sudo journalctl -xe -f --no-pager
- Inspect firewall posture (firewalld is the default on SLES 15+).
sudo firewall-cmd --list-all-zones --permanent
sudo nft list ruleset 2>/dev/null | head -50
- Surface SELinux denials and author a local policy module if needed. Read the generated .te file before installing it: audit2allow -a allows every denial it saw, not only the one you meant to fix.
sudo ausearch -m AVC,USER_AVC -ts today
sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix
sudo semodule -i /tmp/local-fix.pp
- Verify python313-httplib2 integrity and reinstall if anything is altered.
sudo rpm -V python313-httplib2
sudo zypper verify
sudo zypper install --force python313-httplib2
- Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory SUSE-CU-2021:236-1 to pin the transaction that installed the vulnerable build.
Solution – Primary Fix
Apply the corrective zypper transaction referenced by SUSE advisory SUSE-CU-2021:236-1, then restart every process that has the old module loaded (a Python library is read at import time, so updating the files on disk does not fix a service that is already running):
sudo zypper ref # refresh repos
sudo zypper -n patch # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update python313-httplib2
sudo systemctl daemon-reload
# The library has no unit of its own; find the services that still hold the old files:
sudo zypper ps -s
systemctl list-unit-files | grep -i python313 | head
sudo systemctl restart <consuming-service>
rpm -q python313-httplib2 # confirm new NVR
systemctl is-active <consuming-service> # confirm the consumer is back up
This advisory updates a Python library only, so no reboot is needed. For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):
sudo zypper ps -s # services using deleted libs
sudo systemctl reboot # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches # active livepatches
Solution – Alternative Approaches
If the primary patch is not viable, choose from these. Rolling back, locking, or downgrading keeps the vulnerable build on the host, so treat those three as temporary and record the exception.
- Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 16):
sudo snapper list
sudo snapper undochange <pre>..<post> # revert the file changes made between two snapshot numbers
sudo snapper rollback <pre> # boot the host into the chosen snapshot
- Lock the package so zypper cannot upgrade it:
sudo zypper al python313-httplib2 # add lock
zypper ll | grep python313-httplib2 # list locks
sudo zypper rl python313-httplib2 # remove lock
- Install an older NVR if a regression is suspected:
zypper se -s python313-httplib2 # show all available versions
sudo zypper install --oldpackage python313-httplib2-<older-NVR>
- Harden the calling code until the patched build is deployed: build URIs with urllib.parse (quote each externally supplied path segment, urlencode query strings) and reject input containing CR or LF, so nothing unescaped reaches httplib2.Http.request(). This is the application-side fix the upstream summary describes and it does not address CVE-2021-21240.
- Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:
sudo setenforce 0
# reproduce, capture denials, author a custom module:
sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal
sudo semodule -i mylocal.pp
sudo setenforce 1
- Where SLE Live Patching is licensed, apply kernel fixes without reboot (not needed for this library update):
klp -v patches # active livepatches
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q python313-httplib2 # NVR matches the fixed build named in the advisory
sudo zypper patch-check # 0 critical patches outstanding
systemctl is-active <consuming-service>
sudo journalctl -u <consuming-service> --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo zypper ps -s # no process should still hold the deleted old files
The original reproduction (the request-splitting input sent through the consuming service) must not trigger across two consecutive runs.
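A fleet-audit check for the acceptance criteria above, added as an example for this page (it is not SUSE tooling and not from the advisory): it reads rpm -q --changelog for the CVE IDs the advisory names, which is the reliable signal on a backported enterprise build because SUSE keeps the upstream version string, and compares httplib2.__version__ against the upstream fix releases as a second signal for pip-installed copies. The changelog excerpts are constructed, the function names are this example's own, and the 0.19.0 fix release for CVE-2021-21240 comes from the upstream httplib2 changelog rather than from this page.

```python
import re
import subprocess

# CVEs named by SUSE-CU-2021:236-1, with the upstream release that first carried
# each fix: 0.18.0 for CVE-2020-11078 (upstream summary), 0.19.0 for CVE-2021-21240
# (upstream httplib2 changelog; assumption documented in the lead-in).
FIX_VERSIONS = {"CVE-2020-11078": (0, 18, 0), "CVE-2021-21240": (0, 19, 0)}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed changelog excerpts in rpm -q --changelog layout (not real SUSE entries).
CHANGELOG_PATCHED = """\
* Mon Jan 01 2024 maintainer@example.com
- Add CVE-2021-21240.patch: avoid CPU burn on malicious www-authenticate header
  (CVE-2021-21240)
* Mon Jan 01 2024 maintainer@example.com
- Add CVE-2020-11078.patch: escape URI before building the request (CVE-2020-11078)
"""
CHANGELOG_OLD = """\
* Mon Jan 01 2024 maintainer@example.com
- Add CVE-2020-11078.patch: escape URI before building the request (CVE-2020-11078)
"""


def cves_in_changelog(text: str) -> set[str]:
    """Every CVE identifier mentioned anywhere in the changelog text."""
    return set(CVE_RE.findall(text))


def missing_fixes(text: str, wanted=FIX_VERSIONS) -> list[str]:
    """CVE IDs from the advisory that the installed build's changelog never mentions.
    A backported SUSE fix keeps the upstream version string, so the changelog, not
    httplib2.__version__, is the authoritative check on an enterprise build."""
    return sorted(set(wanted) - cves_in_changelog(text))


def parse_version(s: str) -> tuple[int, ...]:
    """'0.20.4' -> (0, 20, 4); tolerates a suffix such as '0.20.4rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])


def cves_below_upstream_fix(version: str, wanted=FIX_VERSIONS) -> list[str]:
    """Second signal, useful for a pip-installed copy: CVEs whose upstream fix
    release is newer than the version that is running."""
    v = parse_version(version)
    return sorted(cve for cve, floor in wanted.items() if v < floor)


def installed_changelog(package: str = "python313-httplib2") -> str:
    """Run rpm on this host; empty string if the package is not installed."""
    proc = subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def installed_version(interpreter: str = "python3.13") -> str:
    """Ask the interpreter that actually loads the module, not the default python3."""
    proc = subprocess.run(
        [interpreter, "-c", "import httplib2; print(httplib2.__version__)"],
        capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else ""


if __name__ == "__main__":
    text = installed_changelog()
    if not text:
        print("python313-httplib2 not installed (or rpm unavailable)")
    else:
        gaps = missing_fixes(text)
        print("changelog gaps:", gaps or "none, both CVE fixes recorded")
    ver = installed_version()
    if ver:
        below = cves_below_upstream_fix(ver)
        print(f"httplib2 {ver}: upstream fix release not reached for",
              below or "nothing")
```

Run it after the zypper transaction and again after the service restart; an empty changelog gap list is the acceptance condition, while the version comparison alone is only meaningful when the library was installed from PyPI rather than from the SUSE package.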
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
sudo zypper history > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-python313-httplib2' # explicit named snapshot
sudo snapper list | head
To revert if the patch is bad (this reinstates the vulnerable build, so pair it with a tracked exception):
# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage python313-httplib2-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart <consuming-service> # the library has no unit of its own
# Custom security policy cleanup:
sudo semodule -r mylocal
Prevention & Hardening
Reduce the chance of this recurring on SLES 16:
- Enable automatic patch installation:
sudo zypper install -y zypper-automatic
sudo systemctl enable --now zypper-automatic.timer
# Or use YaST: yast2 online_update_configuration
- Subscribe to sle-security-updates and watch suse.com/support/update.
- Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:
sudo zypper install -y rmt-server rmt-cli
sudo rmt-cli sync
sudo rmt-cli products enable SLES/16/x86_64
- Lock packages that need change-controlled upgrades. A lock also blocks security patches, so keep the list short and review it against every advisory:
sudo zypper al python313-httplib2
- Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:
sudo snapper -c root get-config | head
# Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin
- Monitor file integrity with AIDE:
sudo zypper install -y aide
sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check
- Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:
sudo SUSEConnect -p sle-module-live-patching/16.0/x86_64
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches
- SLES 16 ships with SELinux in enforcing mode by default; review and maintain custom modules in /etc/selinux/targeted/ rather than disabling enforcement.
- In code that calls httplib2, build URIs with urllib.parse (quote each externally supplied path segment, urlencode query strings) instead of string concatenation; this is the application-side fix named in the upstream summary and it protects callers even before a package update lands.
- Apply CIS SUSE Linux Enterprise Server Benchmark hardening.
Related Errors & Cross-Refs
Issues that commonly surface alongside this python313-httplib2 update: zypper lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:
sudo zypper ps -s
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
References & Further Reading
Primary reference: SUSE advisory SUSE-CU-2021:236-1 (see also SUSE bugzilla). Manual pages useful on SLES 16:
man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man semanage
man audit2allow
man SUSEConnect
man klp
Other resources: SUSE Linux Enterprise Server 16 documentation, suse.com/security, the SUSE security blog, and the per-package notes in /usr/share/doc/packages/python313-httplib2/ for the component this advisory covers.