MGASA-2019-0258

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0258.html

Import Source

https://advisories.mageia.org/MGASA-2019-0258.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2019-0258

Related

Published

2019-09-06T21:09:08Z

Modified

2019-09-06T20:06:09Z

Summary

Updated python-urllib3 packages fix security vulnerability

Details

It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handled cross-origin redirects. This could result in credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectatons (CVE-2019-11324).

The python-urllib3 package has been updated to version 1.24.3 to fix these issues and other bugs. The python-requests package has been fixed to work with the updated python-urllib3

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / python-requests

Package

Name: python-requests
Purl: pkg:rpm/mageia/python-requests?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.11.1-2.2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:6 / python-urllib3

Package

Name: python-urllib3
Purl: pkg:rpm/mageia/python-urllib3?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.24.3-1.mga6

Ecosystem specific

{
    "section": "core"
}