-------------------------------------------------------------------------
Debian LTS Advisory DLA-3610-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 08, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-urllib3
Version        : 1.24.1-1+deb10u1
CVE ID         : CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804
Debian Bug     : 927172 927412 1053626

Security vulnerabilities were found in python-urllib3, an HTTP library
with thread-safe connection pooling for Python, which could lead to
information disclosure or authorization bypass.

CVE-2019-11236

    Hanno Böck discovered that an attacker controlling the request
    parameter can inject headers by injecting CR/LF chars.  The issue is
    similar to CPython's CVE-2019-9740.

CVE-2019-11324

    Christian Heimes discovered that when verifying HTTPS connections
    upon passing an SSLContext to urllib3, system CA certificates are
    loaded into the SSLContext by default in addition to any
    manually-specified CA certificates.
    This causes TLS handshakes that should fail given only the manually
    specified certs to succeed based on system CA certs.

CVE-2020-26137

    It was discovered that CRLF injection was possible if the attacker
    controls the HTTP request method, as demonstrated by inserting CR
    and LF control characters in the first argument of putrequest().
    The issue is similar to urllib's CVE-2020-26116.

CVE-2023-43804

    It was discovered that the Cookie request header isn't stripped
    during cross-origin redirects.  It is therefore possible for a user
    specifying a Cookie header to unknowingly leak information via HTTP
    redirects to a different origin (unless the user disables redirects
    explicitly).  The issue is similar to CVE-2018-20060, but for Cookie
    request header rather than Authorization.

    Moreover “authorization” request headers were not removed
    redirecting to cross-site.  Per RFC7230 sec. 3.2 header fields are
    to be treated case-insensitively.

For Debian 10 buster, these problems have been fixed in version
1.24.1-1+deb10u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3610-1: python-urllib3 security update

October 8, 2023
Security vulnerabilities were found in python-urllib3, an HTTP library with thread-safe connection pooling for Python, which could lead to information disclosure or authorization b...

Summary


Security vulnerabilities were found in python-urllib3, an HTTP library
with thread-safe connection pooling for Python, which could lead to
information disclosure or authorization bypass.

CVE-2019-11236

Hanno Böck discovered that an attacker controlling the request
parameter can inject headers by injecting CR/LF chars. The issue is
similar to CPython's CVE-2019-9740.

CVE-2019-11324

Christian Heimes discovered that when verifying HTTPS connections
upon passing an SSLContext to urllib3, system CA certificates are
loaded into the SSLContext by default in addition to any
manually-specified CA certificates.
This causes TLS handshakes that should fail given only the manually
specified certs to succeed based on system CA certs.

CVE-2020-26137

It was discovered that CRLF injection was possible if the attacker
controls the HTTP request method, as demonstrated by inserting CR
and LF control characters in the first argument of putrequest().
The issue is similar to urllib's CVE-2020-26116.

CVE-2023-43804

It was discovered that the Cookie request header isn't stripped
during cross-origin redirects. It is therefore possible for a user
specifying a Cookie header to unknowingly leak information via HTTP
redirects to a different origin (unless the user disables redirects
explicitly). The issue is similar to CVE-2018-20060, but for Cookie
request header rather than Authorization.

Moreover “authorization” request headers were not removed
redirecting to cross-site. Per RFC7230 sec. 3.2 header fields are
to be treated case-insensitively.

For Debian 10 buster, these problems have been fixed in version
1.24.1-1+deb10u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : python-urllib3
Version : 1.24.1-1+deb10u1
CVE ID : CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804
Debian Bug : 927172 927412 1053626

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved