-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2686-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
June 15, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : python-urllib3
Version        : 1.19.1-1+deb9u1
CVE ID         : CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137

Several vulnerabilities were discovered in python-urllib3, an HTTP client
for Python.

CVE-2018-20060

    urllib3 does not remove the Authorization HTTP header when following a
    cross-origin redirect (i.e., a redirect that differs in host, port, or
    scheme). This can allow the credentials in the Authorization header to
    be exposed to unintended hosts or transmitted in cleartext (for example
    on an https to http redirect).

CVE-2019-11236

    CRLF injection is possible if the attacker controls the request
    parameter, i.e. the request target (URL path and query) that is placed
    in the HTTP request line. Embedded CR and LF characters end the request
    line early and let the attacker append header lines of their choice.

CVE-2019-11324

    urllib3 mishandles certain cases where the desired set of CA
    certificates is different from the OS store of CA certificates, which
    results in SSL connections succeeding in situations where a
    verification failure is the correct outcome. This is related to use of
    the ssl_context, ca_certs, or ca_certs_dir argument: a caller that
    pins a private CA can still have a certificate accepted because it
    chains to a CA in the system store.

CVE-2020-26137

    urllib3 allows CRLF injection if the attacker controls the HTTP request
    method, as demonstrated by inserting CR and LF control characters in
    the first argument of putrequest().

For Debian 9 stretch, these problems have been fixed in version
1.19.1-1+deb9u1.

We recommend that you upgrade your python-urllib3 packages.
For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmDI8sQACgkQhj1N8u2c
KO/N/w/9G1Sckeyy2WO/mEmpMl8+q+0C61wErcxcD1ehdT26jLBQ52lrDFWAgXNO
1G/w4KRfvzW47sOMmTVpA4i5e3bizN1+70SEeqxHmRvy6QK9lmoD3Sx61qZ0bls6
wtuBWtCpFB3ijBTp7QQnZaZcSZpjhwHgfLf7yMZnn+ttWeumLwCMd1kEdNsTm/uf
2FhsD3IxVRgwD5q7XJ28DOuMaWlVvQzXxukmucALsrK3l0YseucXXNiXGwFmU4qi
dZ4zCbLkFAjrMc9WFYvGbW7yQ8YKYj7nRdgePaLsSijzrMqTghHC0Qe7Ibd0P7T7
rIdfijPxCHD967+mpQlOSuqJh5UgKxO0IV1N2W2QOiuh8QnDG6VhEbhXOBWDofr7
it9SX99Y1vUAAPGGS7e78l6Z+ojrCDwid2t0Ne5ppQCxzvA3aJjzCRRtZrbXRcqE
fKYaQDqV+riuytxzQc+qf74RLTxtMTVwpPHpfZNmBD/fU3h8Q7Q0rubR78Xxd9W0
MxhPGeVjLdmOnj8Mz1Kokt+YSCH3TOGtZNmR5rKF43fXnN4zyeisOkS5ZgycosuC
VFebF58a5xFUf7+qCkbqTxTnj4Lwgn39fT0EEvIG8rpjfiWl3uSpxnt/OMXb6ZJn
iliCSISVglUhFRamC/AuOUL6wmKCRf/OCV/m9FBn/GzeU3sA9P8=
=8LQK
-----END PGP SIGNATURE-----
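To make the three header-level issues in this advisory concrete, the following is an added example and not code from urllib3, from the Debian package, or from the advisory author. It models the pre-fix and hardened behaviour side by side: a minimal request-head builder that, with validation switched off, copies a caller-controlled method (the CVE-2020-26137 shape) or request target (the CVE-2019-11236 shape) verbatim so an embedded CR/LF becomes an attacker-chosen extra header line, beside a hardened builder that rejects such values with an allow-list; and the cross-origin comparison that the CVE-2018-20060 fix must apply before forwarding the Authorization header on a redirect. The function names (`build_request_line`, `headers_for_redirect`, `is_cross_origin`), the hostnames and the sample headers are this example's own constructed inputs. The CA-store issue (CVE-2019-11324) needs a live TLS handshake and is not covered here.

```python
"""Minimal model of the header-level bugs fixed in DLA-2686-1 (added example,
not urllib3's own code). Function and sample names are this example's own."""
import re
from urllib.parse import urlsplit

# RFC 7230 "token" characters: the only bytes an HTTP method may contain.
# CR, LF, space and other controls are outside it, so they cannot be used to
# terminate the request line early (CVE-2020-26137).
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Request-target: reject ASCII controls (0x00-0x1f, 0x7f) and space, which is
# enough to stop an injected CRLF sequence in the URL (CVE-2019-11236).
_TARGET_RE = re.compile(r"[^\x00-\x20\x7f]+")


def build_request_line(method, target, headers, *, validate=True):
    """Return the raw HTTP/1.1 request head as bytes.

    validate=False mimics the unpatched behaviour: whatever the caller passes
    as method or target is written verbatim, so an embedded "\\r\\n" becomes
    an attacker-chosen extra header line. validate=True is the hardened form.
    """
    if validate:
        if not _TOKEN_RE.fullmatch(method):
            raise ValueError("method is not an RFC 7230 token")
        if not _TARGET_RE.fullmatch(target):
            raise ValueError("request-target contains control characters")
    lines = [f"{method} {target} HTTP/1.1"]
    lines.extend(f"{name}: {value}" for name, value in headers.items())
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def _origin(url):
    """(scheme, host, port) with default ports filled in, lower-cased."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(src, dst):
    """True when a redirect from src to dst changes scheme, host or port."""
    return _origin(src) != _origin(dst)


def headers_for_redirect(headers, src, dst, sensitive=("Authorization",)):
    """Headers to send on the redirected request.

    Credentials are forwarded only within the same origin; on a cross-origin
    hop (different host, port or scheme) they are dropped, which is the
    behaviour the fix for CVE-2018-20060 introduces.
    """
    forwarded = dict(headers)
    if is_cross_origin(src, dst):
        drop = {name.lower() for name in sensitive}
        forwarded = {k: v for k, v in forwarded.items() if k.lower() not in drop}
    return forwarded


if __name__ == "__main__":
    # Constructed inputs for a local demonstration; no network is used.
    hostile_method = "GET\r\nX-Injected: yes"          # CVE-2020-26137 shape
    hostile_target = "/index?q=1\r\nX-Injected: yes"   # CVE-2019-11236 shape
    print(build_request_line(hostile_method, "/", {"Host": "example.test"},
                             validate=False).decode())
    for m, t in ((hostile_method, "/"), ("GET", hostile_target)):
        try:
            build_request_line(m, t, {"Host": "example.test"})
        except ValueError as exc:
            print("rejected:", exc)

    creds = {"Authorization": "Bearer secret", "Accept": "*/*"}
    print(headers_for_redirect(creds, "https://api.example.test/v1",
                               "https://api.example.test/v2"))
    print(headers_for_redirect(creds, "https://api.example.test/v1",
                               "http://api.example.test/v2"))
```

Two design points carry over to real clients. The validation is an allow-list over the characters a method or target may contain rather than a search for "\r\n", so encoded or partial control sequences are rejected too. And the origin comparison normalises case and fills in the default port before comparing, so `https://api.example.test/` and `https://API.example.test:443/` count as the same origin while a scheme downgrade from https to http, or a port change, strips the credential.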