New Debian python-urllib3 1.26.12-1+deb12u1 fixes:

This update addresses the following issues:
* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)
* urllib3: Request body not stripped after redirect from 303 status changes request method to GET (CVE-2023-45803)
* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)
--- mirror/ftp/pool/main/p/python-urllib3/python-urllib3_1.26.12-1.dsc +++ apt/ucs_5.2-0-errata5.2-0/source/python-urllib3_1.26.12-1+deb12u1.dsc @@ -1,3 +1,17 @@ +1.26.12-1+deb12u1 [Sat, 21 Dec 2024 15:28:17 +0100] Guilhem Moulin <guilhem@debian.org>: + + * Non-maintainer upload. + * Fix CVE-2023-43804: Cookie request header isn't stripped during + cross-origin redirects. (Closes: #1053626) + * Fix CVE-2023-45803: Request body not stripped after redirect from 303 + status changes request method to GET. (Closes: #1054226) + * Fix CVE-2024-37891: Proxy-Authorization request header isn't stripped + during cross-origin redirects. (Closes: #1074149) + * Use system 'six' module in urllib3.util.ssltransport. (Closes: #1089507) + * Fix test/test_connectionpool.py (currently ignored). + * Adjust d/salsa-ci.yml for bookworm. + * Adjust d/gbp.conf for bookworm. + 1.26.12-1 [Thu, 22 Sep 2022 15:14:17 -0600] Anthony Fok <foka@debian.org>: * Team upload. <http://piuparts.knut.univention.de/5.2-0/#8930364679383977155>
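Review bot: The changelog line "Fix test/test_connectionpool.py (currently ignored)" says the repaired test file is still ignored, so the repair itself is not exercised by this upload; the entry should say whether the CVE-2023-43804, CVE-2023-45803 and CVE-2024-37891 fixes are covered by tests that do run, or the ignored file should be enabled. The same entry also carries a non-CVE change, "Use system 'six' module in urllib3.util.ssltransport" (Closes: #1089507), which the list of addressed issues for this update does not mention; it is worth adding there so the change in module loading is not a surprise.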
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-0] efb748687b Bug #57931: python-urllib3 1.26.12-1+deb12u1
 doc/errata/staging/python-urllib3.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x15>