Univention Bugzilla – Bug 56743
python-urllib3: Multiple issues (5.0)
Last modified: 2023-10-18 16:20:35 CEST
New Debian python-urllib3 1.24.1-1+deb10u1 fixes: This update addresses the following issues: 1.24.1-1+deb10u1 (Sat, 07 Oct 2023 18:59:08 +0200) * Non-maintainer upload by the LTS Security Team. * Follow-up for CVE-2018-20060: Remove Authorization headers regardless of case on cross-origin redirects. * Fix CVE-2019-11236: An attacker controlling the request parameter can inject headers by injecting CR/LF characters. * Fix CVE-2019-11324: When verifying HTTPS connections when an SSLContext is passed to urllib3, system CA certificates will be loaded into the SSLContext by default in addition to any manually-specified CA certificates. This causes TLS handshakes that should fail given only the manually specified certs to succeed based on system CA certs. * Fix CVE-2020-26137: CRLF injection vulnerability when the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). * Fix CVE-2023-43804: Cookie request header isn't stripped during cross-origin redirects.
--- mirror/ftp/pool/main/p/python-urllib3/python-urllib3_1.24.1-1.dsc +++ apt/ucs_5.0-0-errata5.0-5/source/python-urllib3_1.24.1-1+deb10u1.dsc @@ -1,3 +1,22 @@ +1.24.1-1+deb10u1 [Sat, 07 Oct 2023 18:59:08 +0200] Guilhem Moulin <guilhem@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * Follow-up for CVE-2018-20060: Remove Authorization headers regardless of + case on cross-origin redirects. + * Fix CVE-2019-11236: An attacker controlling the request parameter can + inject headers by injecting CR/LF characters. (Closes: #927172) + * Fix CVE-2019-11324: When verifying HTTPS connections when an SSLContext is + passed to urllib3, system CA certificates will be loaded into the + SSLContext by default in addition to any manually-specified CA + certificates. This causes TLS handshakes that should fail given only the + manually specified certs to succeed based on system CA certs. + (Closes: #927412) + * Fix CVE-2020-26137: CRLF injection vulnerability when the attacker + controls the HTTP request method, as demonstrated by inserting CR and LF + control characters in the first argument of putrequest(). + * Fix CVE-2023-43804: Cookie request header isn't stripped during + cross-origin redirects. (Closes: #1053626) + 1.24.1-1 [Mon, 11 Feb 2019 02:14:53 +0100] Daniele Tricoli <eriol@debian.org>: * Upload to unstable. <http://piuparts.knut.univention.de/5.0-5/#5105019433685631641>
OK: bug OK: yaml OK: announce_errata OK: patch OK: piuparts [5.0-5] ad582225f4 Bug #56743: python-urllib3 1.24.1-1+deb10u1 doc/errata/staging/python-urllib3.yaml | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) [5.0-5] 78ebbdb543 Bug #56743: python-urllib3 1.24.1-1+deb10u1 doc/errata/staging/python-urllib3.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x846>