Your message dated Sat, 21 Oct 2023 15:37:01 +0000
with message-id <[email protected]>
and subject line Bug#1054226: fixed in python-urllib3 1.26.18-1
has caused the Debian Bug report #1054226,
regarding python-urllib3: CVE-2023-45803
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1054226: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054226
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 1.26.17-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-urllib3.
CVE-2023-45803[0]:
| urllib3 is a user-friendly HTTP client library for Python. urllib3
| previously wouldn't remove the HTTP request body when an HTTP
| redirect response using status 301, 302, or 303 after the request
| had its method changed from one that could accept a request body
| (like `POST`) to `GET` as is required by HTTP RFCs. Although this
| behavior is not specified in the section for redirects, it can be
| inferred by piecing together information from different sections and
| we have observed the behavior in other major HTTP client
| implementations like curl and web browsers. Because the
| vulnerability requires a previously trusted service to become
| compromised in order to have an impact on confidentiality we believe
| the exploitability of this vulnerability is low. Additionally, many
| users aren't putting sensitive data in HTTP request bodies, if this
| is the case then this vulnerability isn't exploitable. Both of the
| following conditions must be true to be affected by this
| vulnerability: 1. Using urllib3 and submitting sensitive information
| in the HTTP request body (such as form data or JSON) and 2. The
| origin service is compromised and starts redirecting using 301, 302,
| or 303 to a malicious peer or the redirected-to service becomes
| compromised. This issue has been addressed in versions 1.26.18 and
| 2.0.7 and users are advised to update to resolve this issue. Users
| unable to update should disable redirects for services that aren't
| expecting to respond with redirects with `redirects=False` and
| disable automatic redirects with `redirects=False` and handle 301,
| 302, and 303 redirects manually by stripping the HTTP request body.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45803
https://www.cve.org/CVERecord?id=CVE-2023-45803
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
[2] https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
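The workaround the quoted advisory gives for clients that cannot upgrade is to turn off automatic redirects and follow 301/302/303 responses by hand, dropping the request body before the follow-up request. The script below is an added example of that manual handling, written for this page; it is not code from the bug report, from urllib3 or from the Debian package. It is stdlib only and runs offline: the Request class, the example.test hostnames, the login body and the version helper are all constructed for the illustration and are not urllib3 API. The version check uses only the two fixed releases the advisory names (1.26.18 and 2.0.7).

```python
"""Manual redirect handling that strips the request body on 301/302/303.

Constructed example for the CVE-2023-45803 workaround; stdlib only, no
network. Request, the hostnames and the version helper are assumptions
made for the example, not urllib3 API.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urljoin

# Fixed releases named in the advisory: 1.26.18 (1.x line) and 2.0.7 (2.x line).
FIXED_1X = (1, 26, 18)
FIXED_2X = (2, 0, 7)

# 301/302/303 are the statuses after which the method may become GET;
# 307/308 must keep both the method and the body.
BODY_DROPPING = {301, 302, 303}
METHOD_PRESERVING = {307, 308}
# Headers that describe a body and must not outlive it.
BODY_HEADERS = {"content-length", "content-type", "transfer-encoding"}


@dataclass
class Request:
    """Minimal stand-in for an outgoing request (constructed for the example)."""
    method: str
    url: str
    body: Optional[bytes] = None
    headers: dict = field(default_factory=dict)


def parse_version(version: str) -> tuple:
    """Leading numeric part of a version, e.g. '1.26.18-1' -> (1, 26, 18).
    Pre-release suffixes (rc1, a1) are ignored; treat those as affected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if this urllib3 version predates the fix on its release line."""
    v = parse_version(version)
    if v[0] < 2:
        return v < FIXED_1X
    if v[0] == 2:
        return v < FIXED_2X
    return False


def next_request(req: Request, status: int, location: Optional[str]) -> Optional[Request]:
    """Build the follow-up request for a redirect response, or return None
    when the response is not a redirect (or carries no Location header).

    Rule: a 303 always turns into GET (HEAD stays HEAD); 301/302 turn a
    POST into GET, as curl and browsers do. Whenever the method becomes
    GET the body and its framing headers are dropped, so they cannot be
    replayed to the redirected-to host. 307/308 and all other methods keep
    method and body, as the RFCs require.
    """
    if status not in BODY_DROPPING | METHOD_PRESERVING or not location:
        return None
    new_url = urljoin(req.url, location)
    headers = dict(req.headers)
    method = req.method
    if status == 303 and method != "HEAD":
        method = "GET"
    elif status in (301, 302) and method == "POST":
        method = "GET"
    if method == req.method:
        # Method unchanged: the body (if any) legitimately travels with it.
        return Request(method, new_url, req.body, headers)
    # Method changed to GET: strip the body and anything describing it.
    headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}
    return Request(method, new_url, None, headers)


if __name__ == "__main__":
    # Constructed scenario: a login POST answered with a 302 to another host.
    login = Request(
        "POST",
        "https://api.example.test/login",
        b'{"password":"hunter2"}',
        {"Content-Type": "application/json", "Content-Length": "22"},
    )
    follow = next_request(login, 302, "https://collector.example.test/")
    print(follow.method, follow.url, follow.body, follow.headers)
    print("1.26.17-1 affected:", is_affected("1.26.17-1"))
    print("1.26.18-1 affected:", is_affected("1.26.18-1"))
```

When driving urllib3 directly, the keyword that disables automatic redirects on urlopen()/request() is redirect=False (the quoted advisory text writes it as redirects=False); with redirects off, a 3xx comes back as an ordinary response whose status and Location header can be fed to next_request() above before the follow-up is sent.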
--- Begin Message ---
Source: python-urllib3
Source-Version: 1.26.18-1
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-urllib3
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 Oct 2023 17:05:33 +0200
Source: python-urllib3
Architecture: source
Version: 1.26.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1054212 1054226
Changes:
python-urllib3 (1.26.18-1) unstable; urgency=medium
.
* Team upload.
* New upstream release.
- Fix CVE-2023-45803 (Closes: #1054226)
* Drop patch 02_require-cert-verification.patch, no longer needed.
(Closes: #1054212)
* Refresh patches.
Checksums-Sha1:
cc39c351dbaf32c4cb56a11ae5e57f20c59ff495 1735 python-urllib3_1.26.18-1.dsc
84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 305687 python-urllib3_1.26.18.orig.tar.gz
26a0d1a7f0bc9c54aa936fa1a7b43bc4cf3c4940 12516 python-urllib3_1.26.18-1.debian.tar.xz
0e97fd0538596e84a50c906f7818ad0c9fad267e 6611 python-urllib3_1.26.18-1_source.buildinfo
Checksums-Sha256:
5ad0a9868daf0452ca2dd0dbb045bace157a33eb3620f21d453a7e437d951a40 1735 python-urllib3_1.26.18-1.dsc
f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0 305687 python-urllib3_1.26.18.orig.tar.gz
0810726b20e65b5c6f836f2f669892f63dd6b00f1a17042581b9a5e3991572f9 12516 python-urllib3_1.26.18-1.debian.tar.xz
ba4ffcb7f32bf78df7e7fdfa17df1461790e30704c3ab6155001563c9ab48be0 6611 python-urllib3_1.26.18-1_source.buildinfo
Files:
4c71f67774926d23b988ce61c47c8458 1735 python optional python-urllib3_1.26.18-1.dsc
f986d8e9616d2a43389f678d5dad9893 305687 python optional python-urllib3_1.26.18.orig.tar.gz
5de6b8aad0d3cd3bbffb468c9847c35d 12516 python optional python-urllib3_1.26.18-1.debian.tar.xz
e1261cc3e7c7cbc1f7c7276f42da933e 6611 python optional python-urllib3_1.26.18-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCZTPpVxQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2PHLAQDsIAw9mSjVCgxMX11AV7EgoCJG5Mz5
cwEWQMl5hySc2AD+PhfG6G34mZK2zPKSiCC1PSxHl3fTQr+QLDhpsO3MBQM=
=HKyL
-----END PGP SIGNATURE-----
--- End Message ---