Fedora has issued an advisory tomorrow (November 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DMPQDPCGO6ZDAODRVDBYQGTQRJX4QHRS/

They fixed this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1649153
1.24.2 fixes an additional security issue (CVE-2019-11324): https://www.openwall.com/lists/oss-security/2019/04/19/1
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron
Summary: python-urllib3 new security issue fixed upstream in 1.23 => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2019-11324)
python-urllib3-1.24.2-1.mga7 uploaded for Cauldron by David Geiger.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => geiger.david68210
Ubuntu has issued an advisory for this on May 21: https://usn.ubuntu.com/3990-1/
Severity: normal => major
Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324)
Shlomi, I see you updated Mageia 6 to 1.24.3. Mageia 7 has 1.24.2, so you'll need to update that too.

python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6
CC: (none) => shlomif
Shlomi, thanks for the Mageia 7 update. Cauldron also needs to be updated.

python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm
Advisories for when Cauldron update is done. 1.24.3 fixes CVE-2019-11236/CVE-2019-9740, so it's good Shlomi is updating to that version:
https://github.com/urllib3/urllib3/blob/master/CHANGES.rst

Advisory (Mageia 6):
========================

Updated python-urllib3 packages fix security vulnerabilities:

It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handling cross-origin redirects. This could result in credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectations (CVE-2019-11324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

from python-urllib3-1.24.3-1.mga6.src.rpm

Advisory (Mageia 7):
========================

Updated python-urllib3 packages fix security vulnerability:

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python2-urllib3-1.24.3-1.mga7
python3-urllib3-1.24.3-1.mga7

from python-urllib3-1.24.3-1.mga7.src.rpm
Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324)
Version: 6 => Cauldron
Whiteboard: (none) => MGA7TOO, MGA6TOO
Updated package uploaded for Cauldron. Assigning to QA. Advisories and package lists in Comment 7.
Assignee: python => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Summary: python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-9740, CVE-2019-11236, CVE-2019-11324) => python-urllib3 new security issues fixed upstream in 1.23 and 1.24.2 (CVE-2018-20060, CVE-2019-11236, CVE-2019-11324)
On mga6-64 missing dependencies:

Swedish: för att = because, saknas = is missing, otillräckliga = unsatisfied / too little

Följande paket måste tas bort för att andra ska bli uppdaterade:
blender-2.79b-1.1.mga6.x86_64 (för att pythonegg(3)(requests) saknas)
chrome-gnome-shell-9-1.mga6.x86_64 (för att python3-requests saknas, för att gnome-shell saknas)
gdm-3.24.3-1.mga6.x86_64 (för att gnome-shell saknas)
gnome-classic-session-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-places-menu == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-window-list == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-alternate-tab == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-apps-menu == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-overrides == 3.24.2-1.mga6, på grund av otillräckliga gnome-shell-extensions-launch-new-instance == 3.24.2-1.mga6)
gnome-shell-3.24.3-1.mga6.x86_64 (för att chrome-gnome-shell saknas, för att gdm saknas)
gnome-shell-extensions-alternate-tab-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-apps-menu-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-common-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell >= 3.24.2)
gnome-shell-extensions-launch-new-instance-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-overrides-3.24.2-1.mga6.noarch (på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-places-menu-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-shell-extensions-window-list-3.24.2-1.mga6.noarch (för att typelib(Shell) saknas, på grund av otillräckliga gnome-shell-extensions-common == 3.24.2-1.mga6)
gnome-tweak-tool-3.24.0-1.mga6.noarch (för att gnome-shell saknas)
python3-requests-2.11.1-2.1.mga6.noarch (på grund av otillräckliga pythonegg(3)(urllib3) == 1.18.1)
system-config-printer-1.5.9-1.mga6.x86_64 (för att python3-requests saknas)
task-gnome-3.24.2-1.mga6.noarch (för att task-gnome-minimal saknas)
task-gnome-minimal-3.24.2-1.mga6.noarch (för att gnome-shell saknas, för att gnome-classic-session saknas)
CC: (none) => fri
Problem on Mageia 6 x86_64 confirmed. The update does not meet the version-specific requires in python-requests or python3-requests.

[dave@x3 ~]$ rpm -q --requires python-requests|grep urllib
pythonegg(2)(urllib3) = 1.18.1
[dave@x3 ~]$ rpm -q --requires python3-requests|grep urllib
pythonegg(3)(urllib3) = 1.18.1
Keywords: (none) => feedback
CC: (none) => davidwhodgins
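The breakage found in QA above is a strict "= 1.18.1" Requires: on the urllib3 egg provide, which the 1.24.3 update cannot satisfy. The following added example (not code from this bug or from Mageia's tooling) is a small offline checker for that situation: it parses `rpm -q --requires` style lines and reports which dependent packages would block a candidate version. The requires lines are the two printed in the comment above plus one constructed ">=" line; the version comparison is a simplified numeric tuple compare, not rpm's full rpmvercmp.

```python
"""Check a candidate package version against version-specific Requires:
of dependent packages, as printed by `rpm -q --requires`.

Added illustration for this bug thread; not rpm's or urpmi's own logic.
"""
import re

# Constructed sample: the two lines from the QA comment in this bug plus a
# hypothetical package with a relaxed ">=" requirement.
SAMPLE_REQUIRES = {
    "python-requests": ["pythonegg(2)(urllib3) = 1.18.1"],
    "python3-requests": ["pythonegg(3)(urllib3) = 1.18.1"],
    "hypothetical-pkg": ["pythonegg(3)(urllib3) >= 1.20"],
}

# name, optional comparison operator, dotted numeric version
REQ_RE = re.compile(
    r"^(?P<name>\S+)(?:\s*(?P<op>=|>=|<=|>|<)\s*(?P<ver>[0-9][0-9.]*))?$"
)


def parse_requirement(line):
    """Return (name, op, version) for one requires line; op/version are None
    for an unversioned requirement. Returns None for unparsable input."""
    m = REQ_RE.match(line.strip())
    if not m:
        return None
    return m.group("name"), m.group("op"), m.group("ver")


def version_tuple(version):
    """'1.24.3' -> (1, 24, 3). Simplified: numeric dotted versions only."""
    return tuple(int(part) for part in version.split(".") if part)


def satisfies(candidate, op, required):
    """True if candidate version meets `op required` (e.g. '>=', '1.20')."""
    if op is None:
        return True
    c, r = version_tuple(candidate), version_tuple(required)
    return {"=": c == r, ">=": c >= r, "<=": c <= r, ">": c > r, "<": c < r}[op]


def blocked_by(provide_name, candidate_version, requires_by_pkg):
    """Map dependent package -> offending requires line for every package
    whose Requires: on provide_name the candidate version cannot satisfy."""
    blocked = {}
    for pkg, lines in requires_by_pkg.items():
        for line in lines:
            parsed = parse_requirement(line)
            if parsed is None or parsed[0] != provide_name:
                continue
            _, op, ver = parsed
            if not satisfies(candidate_version, op, ver):
                blocked[pkg] = line.strip()
    return blocked


if __name__ == "__main__":
    for provide in ("pythonegg(2)(urllib3)", "pythonegg(3)(urllib3)"):
        print(provide, "1.24.3 blocked by:", blocked_by(provide, "1.24.3", SAMPLE_REQUIRES))
```

Running it reports python-requests and python3-requests as blockers of 1.24.3 while the ">=" package is fine, which is exactly why python-requests had to be rebuilt alongside the urllib3 update.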
Shlomi, can you fix python-requests?
Assignee: qa-bugs => shlomifCC: (none) => qa-bugs
Should be fixed with python-requests-2.11.1-2.2.mga6!
Thanks David!

Updated Mageia 6 advisory (Mageia 7 is in Comment 7):

Advisory (Mageia 6):
========================

Updated python-urllib3 packages fix security vulnerabilities:

It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handling cross-origin redirects. This could result in credentials being sent to unintended hosts (CVE-2018-20060).

It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection (CVE-2019-11236).

It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectations (CVE-2019-11324).

The python-urllib3 package has been updated to version 1.24.3 to fix these issues and other bugs. The python-requests package has been fixed to work with the updated python-urllib3.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
https://usn.ubuntu.com/3990-1/
========================

Updated packages in core/updates_testing:
========================
python-requests-2.11.1-2.2.mga6
python3-requests-2.11.1-2.2.mga6
python-urllib3-1.24.3-1.mga6
python3-urllib3-1.24.3-1.mga6

from SRPMS:
python-requests-2.11.1-2.2.mga6.src.rpm
python-urllib3-1.24.3-1.mga6.src.rpm
Keywords: feedback => (none)
CC: qa-bugs => (none)
Assignee: shlomif => qa-bugs
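For readers checking what the advisory's first two items actually change in client behaviour, here is an added example (not code from urllib3, this bug, or Mageia) that models the two hardenings in plain Python: Authorization is forwarded on a redirect only when the target stays on the same origin (the CVE-2018-20060 fix), and a request target containing CR, LF or other control characters is refused instead of being passed through (the CVE-2019-11236 class of bug). The URLs and header values are constructed; the origin comparison is a simplified scheme/host/port check, not urllib3's own implementation.

```python
"""Model of two client-side hardenings described in the advisory above.

Added illustration; simplified and not urllib3's code.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that must never follow a redirect to another origin.
SENSITIVE_HEADERS = frozenset({"authorization"})


def origin(url):
    """(scheme, host, port) triple used for the same-origin decision."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(original_url, location, headers, sensitive=SENSITIVE_HEADERS):
    """Return the headers to send when following `location` from original_url.

    A relative Location is resolved against the original URL. Sensitive
    headers are kept only if the resolved target has the same origin.
    """
    target = urljoin(original_url, location)
    if origin(original_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in sensitive}


def is_safe_request_target(target):
    """False if the request target contains CR, LF or any other control
    character that could terminate the request line and inject headers."""
    return not any(ch in "\r\n" or ord(ch) < 0x20 or ch == "\x7f" for ch in target)


def validate_request_target(target):
    """Raise instead of sending a request target that fails the check."""
    if not is_safe_request_target(target):
        raise ValueError("control characters in request target: %r" % target)
    return target


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/a", "/b", hdrs))
    print(headers_for_redirect("https://api.example.com/a", "https://other.example.net/", hdrs))
    print(is_safe_request_target("/ok?x=1"), is_safe_request_target("/a\r\nX: y"))
```

Note that a scheme change (https to http on the same host) also counts as a different origin here, so the credential is not downgraded onto an unencrypted connection.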
(In reply to David GEIGER from comment #12)
> Should be fixed with python-requests-2.11.1-2.2.mga6!

Confirming installation dependency on mga6 is OK now :)
MGA6-64 Plasma on Lenovo B50

No installation issues.
Followed example found in https://urllib3.readthedocs.io/en/latest/
Got exactly the same responses, so OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
Advisories committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0258.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0259.html