| Summary: | python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, fri, geiger.david68210, herman.viaene, shlomif, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA6-64-OK | ||
| Source RPM: | python-urllib3-1.18.1-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-11-22 03:42:12 CET
1.24.2 fixes an additional security issue (CVE-2019-11324): https://www.openwall.com/lists/oss-security/2019/04/19/1

Whiteboard: (none) => MGA6TOO

python-urllib3-1.24.2-1.mga7 uploaded for Cauldron by David Geiger.

Version: Cauldron => 6

Ubuntu has issued an advisory for this on May 21: https://usn.ubuntu.com/3990-1/

Severity: normal => major

Shlomi, I see you updated Mageia 6 to 1.24.3. Mageia 7 has 1.24.2, so you'll need to update that too.

python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

CC: (none) => shlomif

Shlomi, thanks for the Mageia 7 update. Cauldron also needs to be updated.

python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm

Advisories for when Cauldron update is done. 1.24.3 fixes CVE-2019-11236/CVE-2019-9740, so it's good Shlomi is updating to that version: https://github.com/urllib3/urllib3/blob/master/CHANGES.rst

Advisory (Mageia 6):
========================

Updated python-urllib3 packages fix security vulnerabilities:

It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handling cross-origin redirects. This could result in credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectations (CVE-2019-11324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

from python-urllib3-1.24.3-1.mga6.src.rpm

Advisory (Mageia 7):
========================

Updated python-urllib3 packages fix security vulnerability:

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm

Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324)
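The two client behaviours the advisory above describes (CR/LF characters reaching a request, CVE-2019-11236, and an Authorization header following a cross-origin redirect, CVE-2018-20060), shown as application-side checks. This is an added example, not code from the bug report or from urllib3; it uses only the Python standard library, and the example.test URLs and header values are constructed.

```python
# Added example (not from the bug report or urllib3): pre-flight checks an
# application can apply before handing a request to any HTTP client.
from urllib.parse import urlsplit

# CR, LF and NUL must never reach a request line or a header value; CR/LF is
# the CRLF-injection vector named in CVE-2019-11236.
_CONTROL = frozenset("\r\n\x00")


def has_control_chars(value: str) -> bool:
    return any(ch in _CONTROL for ch in value)


def check_request(url: str, headers: dict) -> list:
    """Return the problems found in a URL and its headers ([] if clean).

    The raw URL string is inspected, not urlsplit() output: recent Python
    versions silently strip CR, LF and TAB while parsing, which would hide
    exactly the characters this check looks for.
    """
    problems = []
    if has_control_chars(url):
        problems.append("control characters in URL")
    for name, value in headers.items():
        if has_control_chars(name) or has_control_chars(str(value)):
            problems.append(f"control characters in header {name!r}")
    return problems


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else (443 if scheme == "https" else 80)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Headers to send when following a redirect: Authorization is dropped as
    soon as the target origin differs (the behaviour CVE-2018-20060 is about)."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    # Constructed sample values.
    print(check_request("http://example.test/a\r\nX-Injected: 1", {"Accept": "*/*"}))
    print(headers_for_redirect("https://api.example.test/v1", "https://other.example.test/",
                               {"Authorization": "Bearer t0k3n", "Accept": "*/*"}))
```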
David Walser
2019-08-12 21:51:59 CEST
Version: 6 => Cauldron

Updated package uploaded for Cauldron. Assigning to QA. Advisories and package lists in Comment 7.

Assignee: python => qa-bugs

On mga6-64 missing dependencies:

Swedish: för att = because, saknas = is missing, otillräckliga = unsatisfied / too little

```
Följande paket måste tas bort för att andra ska bli uppdaterade:
blender-2.79b-1.1.mga6.x86_64 (för att pythonegg(3)(requests) saknas)
chrome-gnome-shell-9-1.mga6.x86_64 (för att python3-requests saknas, för att gnome-shell saknas)
gdm-3.24.3-1.mga6.x86_64 (för att gnome-shell saknas)
gnome-classic-session-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-places-menu == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-window-list == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-alternate-tab == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-apps-menu == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-overrides == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-launch-new-instance == 3.24.2-1.mga6)
gnome-shell-3.24.3-1.mga6.x86_64 (för att chrome-gnome-shell saknas, för att gdm saknas)
gnome-shell-extensions-alternate-tab-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-apps-menu-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-common-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell >= 3.24.2)
gnome-shell-extensions-launch-new-instance-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-overrides-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-places-menu-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-window-list-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-tweak-tool-3.24.0-1.mga6.noarch (för att gnome-shell saknas)
python3-requests-2.11.1-2.1.mga6.noarch (på grund av otillräckliga pythonegg(3)(urllib3) == 1.18.1)
system-config-printer-1.5.9-1.mga6.x86_64 (för att python3-requests saknas)
task-gnome-3.24.2-1.mga6.noarch (för att task-gnome-minimal saknas)
task-gnome-minimal-3.24.2-1.mga6.noarch (för att gnome-shell saknas, för att gnome-classic-session saknas)
```

CC: (none) => fri

Problem on Mageia 6 x86_64 confirmed. The update does not meet the version specific requires in python-requests or python3-requests.

```
[dave@x3 ~]$ rpm -q --requires python-requests|grep urllib
pythonegg(2)(urllib3) = 1.18.1
[dave@x3 ~]$ rpm -q --requires python3-requests|grep urllib
pythonegg(3)(urllib3) = 1.18.1
```

Keywords: (none) => feedback

Shlomi, can you fix python-requests?

Assignee: qa-bugs => shlomif

Should be fixed with python-requests-2.11.1-2.2.mga6!

Thanks David!

Updated Mageia 6 advisory (Mageia 7 is in Comment 7):

Advisory (Mageia 6):
========================

Updated python-urllib3 packages fix security vulnerabilities:

It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handling cross-origin redirects. This could result in credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectations (CVE-2019-11324).

The python-urllib3 package has been updated to version 1.24.3 to fix these issues and other bugs. The python-requests package has been fixed to work with the updated python-urllib3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python-requests-2.11.1-2.2.mga6
python3-requests-2.11.1-2.2.mga6
python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

from SRPMS:
python-requests-2.11.1-2.2.mga6.src.rpm
python-urllib3-1.24.3-1.mga6.src.rpm

Keywords: feedback => (none)

(In reply to David GEIGER from comment #12)
> Should be fixed with python-requests-2.11.1-2.2.mga6!

Confirming installation dependency on mga6 is OK now :)

MGA6-64 Plasma on Lenovo B50

No installation issues.
Followed example found in https://urllib3.readthedocs.io/en/latest/
Got exactly the same responses, so OK for me.

CC: (none) => herman.viaene

Advisories committed to svn.

Validating the update.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0258.html

Status: NEW => RESOLVED

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0259.html