Advisories » MGASA-2019-0258

Updated python-urllib3 packages fix security vulnerability

Publication date: 06 Sep 2019
Modification date: 06 Sep 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-20060 , CVE-2019-11236 , CVE-2019-11324

Description

It was discovered that urllib3 incorrectly removed Authorization HTTP
headers when handled cross-origin redirects. This could result in
credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters
from requests. A remote attacker could use this issue to perform CRLF
injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a
desired set of CA certificates were specified. This could result in
certificates being accepted by the default CA certificates contrary to
expectatons (CVE-2019-11324).

The python-urllib3 package has been updated to version 1.24.3 to fix these
issues and other bugs.  The python-requests package has been fixed to work
with the updated python-urllib3
                

References

• https://bugs.mageia.org/show_bug.cgi?id=23880
• https://usn.ubuntu.com/3990-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324

SRPMS

6/core

• python-requests-2.11.1-2.2.mga6
• python-urllib3-1.24.3-1.mga6