Advisories ยป MGASA-2019-0258

Updated python-urllib3 packages fix security vulnerability

Publication date: 06 Sep 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-20060 , CVE-2019-11236 , CVE-2019-11324


It was discovered that urllib3 incorrectly removed Authorization HTTP
headers when handled cross-origin redirects. This could result in
credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters
from requests. A remote attacker could use this issue to perform CRLF
injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a
desired set of CA certificates were specified. This could result in
certificates being accepted by the default CA certificates contrary to
expectatons (CVE-2019-11324).

The python-urllib3 package has been updated to version 1.24.3 to fix these
issues and other bugs.  The python-requests package has been fixed to work
with the updated python-urllib3