Univention Bugzilla – Bug 56822
python-urllib3: Multiple issues (5.0)
Last modified: 2023-11-15 21:08:49 CET
New Debian python-urllib3 1.24.1-1+deb10u2 fixes:

This update addresses the following issues:

1.24.1-1+deb10u2 (Wed, 08 Nov 2023 11:02:05 +0000)

[ Sean Whitton ]
* Non-maintainer upload by the LTS Security Team.
* CVE-2023-43803: Request body isn't stripped during cross-origin redirects.

[ Guilhem Moulin ]
* Use system 'six' in test/with_dummyserver/test_https.py too.
* Retroactively fix CVE-2018-25091.
--- mirror/ftp/pool/main/p/python-urllib3/python-urllib3_1.24.1-1+deb10u1.dsc +++ apt/ucs_5.0-0-errata5.0-5/source/python-urllib3_1.24.1-1+deb10u2.dsc @@ -1,8 +1,20 @@ +1.24.1-1+deb10u2 [Wed, 08 Nov 2023 11:02:05 +0000] Sean Whitton <spwhitton@spwhitton.name>: + + [ Sean Whitton ] + * Non-maintainer upload by the LTS Security Team. + * CVE-2023-43803: Request body isn't stripped during cross-origin + redirects (Closes: #1054226). + + [ Guilhem Moulin ] + * Use system 'six' in test/with_dummyserver/test_https.py too. + * Retroactively fix CVE-2018-25091. + 1.24.1-1+deb10u1 [Sat, 07 Oct 2023 18:59:08 +0200] Guilhem Moulin <guilhem@debian.org>: * Non-maintainer upload by the LTS Security Team. - * Follow-up for CVE-2018-20060: Remove Authorization headers regardless of - case on cross-origin redirects. + * CVE-2018-25091: urllib3 does not remove the ‘authorization’ HTTP header + when following a cross-origin redirect cross-origin redirects. (This is + similar to CVE-2018-20060, but applies to non-titlecase header fields.) * Fix CVE-2019-11236: An attacker controlling the request parameter can inject headers by injecting CR/LF characters. (Closes: #927172) * Fix CVE-2019-11324: When verifying HTTPS connections when an SSLContext is <http://piuparts.knut.univention.de/5.0-5/#4317155917176426301>
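Review bot: In the rewritten 1.24.1-1+deb10u1 entry, the added CVE-2018-25091 line reads "when following a cross-origin redirect cross-origin redirects", a duplicated phrase that should be reduced to "when following a cross-origin redirect". The new 1.24.1-1+deb10u2 item "Retroactively fix CVE-2018-25091" also reads like a code change, while in this diff its only visible effect is that the earlier "Follow-up for CVE-2018-20060" item is relabelled; wording such as "Retroactively reference CVE-2018-25091 in the 1.24.1-1+deb10u1 entry" would make that clear to anyone mapping CVE ids to package versions.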
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-5] 5923e915f1 Bug #56822: python-urllib3 1.24.1-1+deb10u2
 doc/errata/staging/python-urllib3.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

[5.0-5] 773c512436 Bug #56822: python-urllib3 1.24.1-1+deb10u2
 doc/errata/staging/python-urllib3.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x877>
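The header-case problem the changelog describes for CVE-2018-25091 (the authorization header surviving a cross-origin redirect when it is not title-case) can be modelled as a regression check. This is an added sketch, not urllib3's or Debian's code; the function names, the sensitive-header set and the example.test URLs and token are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed set for this sketch; compared case-insensitively.
SENSITIVE = frozenset({"authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample request and redirect target.
SRC = "https://api.example.test/v1/items"
DST = "https://other.example.test/v1/items"
SAMPLE = {"authorization": "Bearer constructed-token", "Accept": "*/*"}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(src, dst):
    return origin(src) != origin(dst)


def strip_exact(headers, src, dst):
    """Models the flawed behaviour: only the title-case spelling is matched."""
    if not is_cross_origin(src, dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k != "Authorization"}


def strip_casefold(headers, src, dst):
    """Models the corrected behaviour: header names are compared lowercased."""
    if not is_cross_origin(src, dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


def leaked(headers):
    """Names of sensitive headers still present after redirect handling."""
    return sorted(k for k in headers if k.lower() in SENSITIVE)


if __name__ == "__main__":
    for fn in (strip_exact, strip_casefold):
        print(fn.__name__, "leaks:", leaked(fn(SAMPLE, SRC, DST)))
```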