-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2134
                      python-urllib3 security update
                               16 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-urllib3
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26137 CVE-2019-11324 CVE-2019-11236
                   CVE-2018-20060  

Reference:         ESB-2021.1866
                   ESB-2021.1820
                   ESB-2021.1734
                   ESB-2021.1730

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2686

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2686-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
June 15, 2021                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python-urllib3
Version        : 1.19.1-1+deb9u1
CVE ID         : CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137

Several vulnerabilities were discovered in python-urllib3, an HTTP
client for Python.

CVE-2018-20060

    Urllib3 does not remove the Authorization HTTP header when 
    following a cross-origin redirect (i.e., a redirect that differs 
    in host, port, or scheme). This can allow for credentials in the 
    Authorization header to be exposed to unintended hosts or 
    transmitted in cleartext.
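The defensive behaviour the fix introduces is a same-origin test on every redirect hop: the Authorization header is forwarded only when scheme, host and port all match the original request. The following is an added example (not urllib3's own code, and not part of the Debian advisory) that implements that decision on its own with the standard library, so it can be used as a reference when auditing a custom redirect loop; the function names and the treatment of default ports as equal to explicit ports are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so that "https://a.test" and "https://a.test:443"
# are treated as the same origin (assumption of this example).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()      # hostname is already lower-cased by urlsplit
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(from_url, to_url):
    """True when a redirect from from_url to to_url changes scheme, host or port."""
    return origin(from_url) != origin(to_url)


def headers_for_redirect(headers, from_url, to_url, strip=("authorization",)):
    """Return the header set to send on the redirected request.

    On a same-origin redirect the headers are forwarded unchanged; on a
    cross-origin redirect every header named in `strip` (case-insensitive)
    is dropped, which is exactly the Authorization handling that the
    vulnerable versions lacked.
    """
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip}


if __name__ == "__main__":
    # Constructed sample: a bearer token that must not leak to a second host.
    sent = {"Authorization": "Bearer example-token", "Accept": "*/*"}
    print(headers_for_redirect(sent, "https://api.a.test/v1", "https://cdn.b.test/file"))
```

Fixed urllib3 releases apply the same rule inside urllib3.util.retry.Retry, where the set of headers to drop is configurable through the remove_headers_on_redirect setting; keeping Authorization in that set (the default) is the check to verify after upgrading.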

CVE-2019-11236

    CRLF injection is possible if the attacker controls the request 
    parameter.

CVE-2019-11324

    Urllib3 mishandles certain cases where the desired set of CA 
    certificates is different from the OS store of CA certificates, 
    which results in SSL connections succeeding in situations where a 
    verification failure is the correct outcome. This is related to 
    use of the ssl_context, ca_certs, or ca_certs_dir argument.

CVE-2020-26137

    Urllib3 allows CRLF injection if the attacker controls the HTTP 
    request method, as demonstrated by inserting CR and LF control 
    characters in the first argument of putrequest().
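Both CRLF issues (CVE-2019-11236 via the request parameter and CVE-2020-26137 via the method) come down to the same root cause: attacker-influenced text is placed on the request line without being checked against the HTTP grammar, so an embedded CR LF ends the request line early and whatever follows is parsed as further headers or a second request. The added example below (written for this bulletin, not code from urllib3 or Debian) shows the validation a client must perform before serialising the request line: the method is limited to RFC 7230 token characters and the target is rejected if it contains any ASCII control character, space or DEL. The regular expressions, function names and the choice to reject unencoded spaces in the target are this example's own.

```python
import re

# RFC 7230 "token" characters: the only characters a method name may contain.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# ASCII control characters (including CR, LF and NUL), space and DEL.
# None of these may appear unencoded in a request target; a space would
# terminate the target and CR LF would terminate the whole request line.
_FORBIDDEN_IN_TARGET_RE = re.compile(r"[\x00-\x20\x7f]")


class RequestLineError(ValueError):
    """Raised when method or target would corrupt the HTTP request line."""


def validate_method(method):
    """Return `method` unchanged if it is a valid HTTP token, else raise."""
    if not _TOKEN_RE.fullmatch(method):
        raise RequestLineError(f"invalid HTTP method: {method!r}")
    return method


def validate_target(target):
    """Return `target` unchanged if it contains no control/whitespace bytes, else raise."""
    if not target or _FORBIDDEN_IN_TARGET_RE.search(target):
        raise RequestLineError(f"control or whitespace character in request target: {target!r}")
    return target


def build_request_line(method, target, version="HTTP/1.1"):
    """Serialise a request line, validating both attacker-influenced fields first."""
    return f"{validate_method(method)} {validate_target(target)} {version}\r\n"


def is_safe_request_line(method, target):
    """Convenience predicate: True if the pair can be serialised safely."""
    try:
        build_request_line(method, target)
        return True
    except RequestLineError:
        return False


if __name__ == "__main__":
    # Constructed samples: a normal request and two that would split the line.
    for m, t in [("GET", "/index.html"),
                 ("GET", "/search?q=a\r\nX-Injected: 1"),
                 ("GET\r\nX-Injected: 1", "/")]:
        print(repr(m), repr(t), "->", "ok" if is_safe_request_line(m, t) else "rejected")
```

Percent-encoded sequences such as %0d%0a are plain ASCII and pass validation, which is correct: they are decoded by the server as data, not as line breaks. The check therefore has to run on the raw string that is about to be written to the socket, which is where the fixed urllib3 versions place it.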

For Debian 9 stretch, these problems have been fixed in version
1.19.1-1+deb9u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----