Bug 23880 - python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324)
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-22 03:42 CET by David Walser
Modified: 2019-08-13 20:40 CEST

See Also:
Source RPM: python-urllib3-1.18.1-1.mga6.src.rpm
CVE:
Status comment:



Comment 1 David Walser 2019-04-19 13:27:39 CEST
1.24.2 fixes an additional security issue (CVE-2019-11324):
https://www.openwall.com/lists/oss-security/2019/04/19/1

Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron
Summary: python-urllib3 new security issue fixed upstream in 1.23 => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2019-11324)

Comment 2 David Walser 2019-04-19 14:19:26 CEST
python-urllib3-1.24.2-1.mga7 uploaded for Cauldron by David Geiger.

CC: (none) => geiger.david68210
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2019-08-11 21:36:04 CEST
Ubuntu has issued an advisory for this on May 21:
https://usn.ubuntu.com/3990-1/

Severity: normal => major
Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324)

Comment 4 David Walser 2019-08-12 15:32:28 CEST
Shlomi, I see you updated Mageia 6 to 1.24.3.  Mageia 7 has 1.24.2, so you'll need to update that too.

python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

Comment 5 David Walser 2019-08-12 15:32:46 CEST

CC: (none) => shlomif

Comment 6 David Walser 2019-08-12 21:33:32 CEST
Shlomi, thanks for the Mageia 7 update.  Cauldron also needs to be updated.

python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm

Comment 7 David Walser 2019-08-12 21:51:46 CEST
Advisories for when Cauldron update is done.

1.24.3 fixes CVE-2019-11236/CVE-2019-9740, so it's good Shlomi is updating to that version:
https://github.com/urllib3/urllib3/blob/master/CHANGES.rst

Advisory (Mageia 6):
========================

Updated python-urllib3 packages fix security vulnerabilities:

It was discovered that urllib3 incorrectly removed Authorization HTTP headers
when handling cross-origin redirects. This could result in credentials being
sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from
requests. A remote attacker could use this issue to perform CRLF injection
(CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired
set of CA certificates were specified. This could result in certificates being
accepted by the default CA certificates contrary to expectations
(CVE-2019-11324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

from python-urllib3-1.24.3-1.mga6.src.rpm


Advisory (Mageia 7):
========================

Updated python-urllib3 packages fix security vulnerability:

It was discovered that urllib3 incorrectly stripped certain characters from
requests. A remote attacker could use this issue to perform CRLF injection
(CVE-2019-11236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm

Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324)

David Walser 2019-08-12 21:51:59 CEST

Version: 6 => Cauldron
Whiteboard: (none) => MGA7TOO, MGA6TOO
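
Added example (not part of the bug report, and not urllib3's or Mageia's code) illustrating two of the three behaviours the advisory in Comment 7 describes: dropping credential-bearing headers when a redirect leaves the original origin (the CVE-2018-20060 class) and refusing a URL that carries control characters or spaces which would break the HTTP request line (the CVE-2019-11236 / CVE-2019-9740 CRLF-injection class). The CA-certificate issue (CVE-2019-11324) is not modelled. The host names, token and redirect chain are constructed; the character class rejected is the one CPython's http.client refuses in patched releases, used here as an assumption about what a safe client should do, not as a claim about urllib3's internals.

```python
import re
from urllib.parse import urlsplit

# Ports implied by the scheme when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that carry credentials and must not leak to another origin.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

# Control characters, space and DEL: none of these may appear in a URL that is
# copied into an HTTP/1.1 request line. CR/LF ends the line and a space ends the
# request-target, so attacker-controlled text would become extra header lines.
# (Assumption: same class as CPython's http.client rejects in patched releases.)
_DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(headers, from_url, to_url):
    """Return the headers that may be sent when following from_url -> to_url.

    Same origin: everything is forwarded. Any change of scheme, host or port:
    credential-bearing headers are dropped. A scheme downgrade (https -> http)
    on the same host therefore also strips credentials.
    """
    if origin_of(from_url) == origin_of(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirect_chain(headers, urls):
    """Apply headers_for_redirect hop by hop across a chain of redirect targets."""
    current = dict(headers)
    for src, dst in zip(urls, urls[1:]):
        current = headers_for_redirect(current, src, dst)
    return current


def is_safe_request_target(url):
    """True if the raw URL contains no character that could break the request line.

    The raw string is checked, not a parsed form: some CPython releases strip
    \\r, \\n and \\t inside urlsplit(), so checking after parsing would miss
    exactly the bytes that matter.
    """
    return _DISALLOWED_URL_CHARS.search(url) is None


if __name__ == "__main__":
    # Constructed inputs: a login on one host redirected on to a CDN host.
    creds = {"Authorization": "Bearer constructed-token", "User-Agent": "example/1.0"}
    chain = ["https://app.example/login",
             "https://app.example/next",
             "https://cdn.example/asset"]
    print(follow_redirect_chain(creds, chain))
    print(is_safe_request_target("https://app.example/search?q=1"))
    print(is_safe_request_target("https://app.example/search?q=1 HTTP/1.1\r\nX-Injected: 1"))
```

Running the script shows the Authorization header surviving the same-host hop and disappearing at the cross-host hop, and the second URL being rejected before it could ever reach a socket. On a patched urllib3 these decisions are the library's job; the functions above are a stand-alone way to state what that behaviour should be and to check your own wrapper code against it.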

Comment 8 David Walser 2019-08-13 00:42:32 CEST
Updated package uploaded for Cauldron.

Assigning to QA.  Advisories and package lists in Comment 7.

Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324)
Assignee: python => qa-bugs
Version: Cauldron => 7

Comment 9 Morgan Leijström 2019-08-13 20:40:14 CEST
On mga6-64 missing dependencies:

Swedish:    
för att = because
saknas = is missing
otillräckliga = unsatisfied / too little

Följande paket måste tas bort för att andra ska bli uppdaterade:
blender-2.79b-1.1.mga6.x86_64
 (för att pythonegg(3)(requests) saknas)
chrome-gnome-shell-9-1.mga6.x86_64
 (för att python3-requests saknas,
  för att gnome-shell saknas)
gdm-3.24.3-1.mga6.x86_64
 (för att gnome-shell saknas)
gnome-classic-session-3.24.2-1.mga6.noarch
 (på grund av otillräckliga gnome-shell-extensions-places-menu == 3.24.2-1.mga6,
  på grund av otillräckliga gnome-shell-extensions-window-list == 3.24.2-1.mga6,
  på grund av otillräckliga gnome-shell-extensions-alternate-tab == 3.24.2-1.mga6,
  på grund av otillräckliga gnome-shell-extensions-apps-menu == 3.24.2-1.mga6,
  på grund av otillräckliga gnome-shell-extensions-overrides == 3.24.2-1.mga6,
  på grund av otillräckliga gnome-shell-extensions-launch-new-instance == 3.24.2-1.mga6)
gnome-shell-3.24.3-1.mga6.x86_64
 (för att chrome-gnome-shell saknas,
  för att gdm saknas)
gnome-shell-extensions-alternate-tab-3.24.2-1.mga6.noarch
 (för att typelib(Shell) saknas,
  på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-apps-menu-3.24.2-1.mga6.noarch
 (för att typelib(Shell) saknas,
  på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-common-3.24.2-1.mga6.noarch
 (på grund av otillräckliga gnome-shell >= 3.24.2)
gnome-shell-extensions-launch-new-instance-3.24.2-1.mga6.noarch
 (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-overrides-3.24.2-1.mga6.noarch
 (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-places-menu-3.24.2-1.mga6.noarch
 (för att typelib(Shell) saknas,
  på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-window-list-3.24.2-1.mga6.noarch
 (för att typelib(Shell) saknas,
  på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-tweak-tool-3.24.0-1.mga6.noarch
 (för att gnome-shell saknas)
python3-requests-2.11.1-2.1.mga6.noarch
 (på grund av otillräckliga pythonegg(3)(urllib3) == 1.18.1)
system-config-printer-1.5.9-1.mga6.x86_64
 (för att python3-requests saknas)
task-gnome-3.24.2-1.mga6.noarch
 (för att task-gnome-minimal saknas)
task-gnome-minimal-3.24.2-1.mga6.noarch
 (för att gnome-shell saknas,
  för att gnome-classic-session saknas)

CC: (none) => fri

