Fedora has issued an advisory on May 24:
That is for python-pip (see Bug 29010), but it fixes an issue in python-urllib3, which is bundled in pip.
The issue is fixed upstream in 1.26.4.
Mageia 8 is also affected.
Fixed upstream in 1.26.4
SUSE has issued an advisory on June 18:
The issue is fixed upstream in 1.26.5:
Mageia 7 and Mageia 8 are also affected.
python-urllib3 new security issue CVE-2021-28363 => python-urllib3 new security issues CVE-2021-28363 and CVE-2021-33503
Status comment: Fixed upstream in 1.26.4 => Fixed upstream in 1.26.5
Whiteboard:
Fedora has issued an advisory for CVE-2021-33503 on June 19:
pip 21.1 updates urllib3 to 1.26.4, but as of pip 21.1.2, urllib3 still hasn't been updated to 1.26.5 to address CVE-2021-33503. The python-urllib3 package itself has been updated to 1.26.5 in Cauldron.
The first part of the patch in this commit:
can be added to patch pip-21.1.2/src/pip/_vendor/urllib3
but I'm sure it'll be fixed upstream in pip before long.
For slightly older pips, Fedora's patch could be used as a starting point:
Removing Mageia 7 from whiteboard due to EOL:
MGA8TOO, MGA7TOO =>
Fedora has issued an advisory for this today (July 4):
openSUSE has issued an advisory for the second CVE on July 10:
python-pip in Cauldron has been patched to fix CVE-2021-33503.
Pushed python-urllib3-1.26.5-1.mga8 to core/updates_testing.
Some more references:
Fixed upstream in 1.26.5 =>
Shows poc test. No poc file though (upstream - where is that?).
It appears that the poc is buried in the patch ->
The upstream quote shows over 4 minutes for a GET request before and a split second after the update. We shall have to take their word for it.
$ rpm -q python3-urllib3
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> resp = http.request("GET", "http://httpbin.org/robots.txt")
b'User-agent: *\nDisallow: /deny\n'
Updated the package.
$ urpmq --whatrequires python3-urllib3 | sort -u
Installed buku, a browser bookmarks manager.
$ buku --ai
<Answered questions and picked Firefox browser. Bookmarks imported to database.>
$ strace -o buku.trace buku
a <open all results in browser>
1. The Extrasolar Planets Encyclopaedia 
2. systemic 
3. systemic - Downloadable Console 
4. HubbleSite - NewsCenter - 'Survivor' Planets: Astronomers Witness First Steps of Planet Growth - and Destruction (04/26/2001) - Introduction 
<and so on>
<That opened https://hubblesite.org/news/news-releases which contained the item required>
s mageia updates <returned 164 results>
0 6 <switched to Mageia identity management>
^D to exit.
That works as far as it went.
$ grep urllib3 buku.trace
<lots of entries>
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3/__pycache__/__init__.cpython-38.pyc", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/python3.8/site-packages/urllib3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
This will do.
subject: Updated python-urllib3 package fixes security vulnerabilities
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate
validation in some cases involving HTTPS to HTTPS proxies. The initial
connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)
doesn't verify the hostname of the certificate. This means certificates for
different servers that still validate properly with the default urllib3
SSLContext will be silently accepted (CVE-2021-28363).
An issue was discovered in urllib3 before 1.26.5. When provided with a URL
containing many @ characters in the authority component, the authority regular
expression exhibits catastrophic backtracking, causing a denial of service if
a URL were passed as a parameter or redirected to via an HTTP redirect.
An update for this issue has been pushed to the Mageia Updates repository.
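As an added illustration of the second issue (this is not code from urllib3 or from the patch referenced in this bug): a reduced authority splitter in the vulnerable shape, a greedy `(.*)@` userinfo capture in front of a host class that still admits '@', beside the linear alternative of cutting at the last '@' with rpartition and validating only the remainder. The regex is a simplified stand-in for the library's pattern and all inputs are constructed.

```python
import re
import time

# Illustrative host:port tail (not the library's exact pattern): a reg-name
# class that, like the real one, still admits '@', or a bracketed IPv6 literal,
# followed by an optional port of up to five digits.
_HOST_PORT = r"([^:/?#\[\]]*|\[[0-9A-Fa-f:.]*\])(?::([0-9]{0,5}))?$"

# Vulnerable shape: unbounded greedy userinfo capture before a host class that
# also accepts '@'. Every '@' is a candidate split point, and for each one the
# host class is backtracked over the remaining '@'s, so a failing tail costs O(n^2).
_AUTHORITY_RE = re.compile(r"^(?:(.*)@)?" + _HOST_PORT)

# Hardened shape: split at the last '@' with a linear string operation first,
# then validate only the host:port remainder with an anchored regex.
_HOST_PORT_RE = re.compile("^" + _HOST_PORT)


def split_authority_regex(authority):
    """Return (userinfo, host, port) or None via the backtracking-prone regex."""
    m = _AUTHORITY_RE.match(authority)
    return m.groups() if m else None


def split_authority_safe(authority):
    """Return (userinfo, host, port) or None via rpartition + anchored host regex."""
    userinfo, sep, host_port = authority.rpartition("@")
    m = _HOST_PORT_RE.match(host_port)
    if not m:
        return None
    host, port = m.groups()
    return (userinfo if sep else None), host, port


def timed(fn, authority):
    """Run fn once on authority and return (result, elapsed_seconds)."""
    start = time.perf_counter()
    result = fn(authority)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed hostile authority: many '@' followed by a character no host
    # may contain, so every candidate split is tried before the match fails.
    # Time for the regex version grows quadratically with n; raise n to see it.
    for n in (500, 1000, 2000, 4000):
        hostile = "@" * n + "]"
        _, slow = timed(split_authority_regex, hostile)
        _, fast = timed(split_authority_safe, hostile)
        print("n=%5d  regex %.3fs  rpartition %.6fs" % (n, slow, fast))
```

Both functions agree on well-formed authorities; only the cost of rejecting a malformed one differs.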