Bug 56822 - python-urllib3: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2023-11-13 14:15 CET by Quality Assurance
Modified: 2023-11-15 21:08 CET (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) NVD RedHat


Description Quality Assurance univentionstaff 2023-11-13 14:15:02 CET
New Debian python-urllib3 1.24.1-1+deb10u2 fixes:
This update addresses the following issues:
1.24.1-1+deb10u2 (Wed, 08 Nov 2023 11:02:05 +0000)
[ Sean Whitton ]
* Non-maintainer upload by the LTS Security Team.
* CVE-2023-43803: Request body isn't stripped during cross-origin redirects.
[ Guilhem Moulin ]
* Use system 'six' in test/with_dummyserver/test_https.py too.
* Retroactively fix CVE-2018-25091.
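The two redirect-handling issues listed above (CVE-2018-25091, Authorization header kept on a cross-origin redirect when its name is not titlecase, and CVE-2023-43803, request body not stripped on a cross-origin redirect) come down to one check a client must make before following a Location header. The following is an added illustration written for this record, not urllib3's or Debian's code; the `prepare_redirect` helper, its parameters and the sample hosts are assumptions, and the origin comparison is reduced to scheme, host and port.

```python
# Added example: a minimal model of the redirect hardening described in the
# changelog above. It is not urllib3's implementation; names are hypothetical.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # An omitted port means the scheme default, so https://a and https://a:443 match.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def prepare_redirect(original_url, location, headers, body,
                     remove_headers=("Authorization",)):
    """Return the (headers, body) to send when following a redirect.

    Same origin: forward everything unchanged.
    Cross origin: drop the named headers regardless of letter case
    (CVE-2018-25091 arose from a case-sensitive comparison) and drop the
    request body (CVE-2023-43803), so the new host receives neither the
    credentials nor the payload meant for the first host.
    """
    if origin(original_url) == origin(location):
        return dict(headers), body
    drop = {name.lower() for name in remove_headers}
    kept = {k: v for k, v in headers.items() if k.lower() not in drop}
    return kept, None


if __name__ == "__main__":
    # Constructed sample request; both hosts are placeholders.
    hdrs = {"authorization": "Bearer secret", "Accept": "application/json"}
    print(prepare_redirect("https://api.example/v1",
                           "https://other.example/collect", hdrs, b"payload"))
    # -> ({'Accept': 'application/json'}, None)
```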
Comment 1 Quality Assurance univentionstaff 2023-11-13 15:00:18 CET
--- mirror/ftp/pool/main/p/python-urllib3/python-urllib3_1.24.1-1+deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-5/source/python-urllib3_1.24.1-1+deb10u2.dsc
@@ -1,8 +1,20 @@
+1.24.1-1+deb10u2 [Wed, 08 Nov 2023 11:02:05 +0000] Sean Whitton <spwhitton@spwhitton.name>:
+
+  [ Sean Whitton ]
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2023-43803: Request body isn't stripped during cross-origin
+    redirects (Closes: #1054226).
+
+  [ Guilhem Moulin ]
+  * Use system 'six' in test/with_dummyserver/test_https.py too.
+  * Retroactively fix CVE-2018-25091.
+
 1.24.1-1+deb10u1 [Sat, 07 Oct 2023 18:59:08 +0200] Guilhem Moulin <guilhem@debian.org>:
 
   * Non-maintainer upload by the LTS Security Team.
-  * Follow-up for CVE-2018-20060: Remove Authorization headers regardless of
-    case on cross-origin redirects.
+  * CVE-2018-25091: urllib3 does not remove the ‘authorization’ HTTP header
+    when following a cross-origin redirect cross-origin redirects.  (This is
+    similar to CVE-2018-20060, but applies to non-titlecase header fields.)
   * Fix CVE-2019-11236: An attacker controlling the request parameter can
     inject headers by injecting CR/LF characters. (Closes: #927172)
   * Fix CVE-2019-11324: When verifying HTTPS connections when an SSLContext is
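Review bot: the rewritten deb10u1 entry (the `+  * CVE-2018-25091:` lines) contains a duplicated phrase, "when following a cross-origin redirect cross-origin redirects.", which should read "when following a cross-origin redirect." Since the new deb10u2 entry advertises "Retroactively fix CVE-2018-25091", this back-dated text is what readers and CVE trackers will cite for the issue, so it is worth correcting before release; the double space before "(This is similar" can go at the same time.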

<http://piuparts.knut.univention.de/5.0-5/#4317155917176426301>
Comment 2 Philipp Hahn univentionstaff 2023-11-14 13:26:41 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-5] 5923e915f1 Bug #56822: python-urllib3 1.24.1-1+deb10u2
 doc/errata/staging/python-urllib3.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

[5.0-5] 773c512436 Bug #56822: python-urllib3 1.24.1-1+deb10u2
 doc/errata/staging/python-urllib3.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)