Your message dated Mon, 11 Nov 2024 00:19:36 +0000
with message-id <[email protected]>
and subject line Bug#1074149: fixed in python-urllib3 2.2.3-1
has caused the Debian Bug report #1074149,
regarding python-urllib3: CVE-2024-37891
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1074149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.0.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.26.18-2
The following vulnerability was published for python-urllib3.
CVE-2024-37891[0]:
| urllib3 is a user-friendly HTTP client library for Python. When
| using urllib3's proxy support with `ProxyManager`, the
| `Proxy-Authorization` header is only sent to the configured proxy, as
| expected. However, when sending HTTP requests *without* using
| urllib3's proxy support, it's possible to accidentally configure the
| `Proxy-Authorization` header even though it won't have any effect as
| the request is not using a forwarding proxy or a tunneling proxy. In
| those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP
| header as one carrying authentication material and thus doesn't
| strip the header on cross-origin redirects. Because this is a highly
| unlikely scenario, we believe the severity of this vulnerability is
| low for almost all users. Out of an abundance of caution urllib3
| will automatically strip the `Proxy-Authorization` header during
| cross-origin redirects to avoid the small chance that users are
| doing this on accident. Users should use urllib3's proxy support or
| disable automatic redirects to achieve safe processing of the
| `Proxy-Authorization` header, but we still decided to strip the
| header by default in order to further protect users who aren't using
| the correct approach. We believe the number of usages affected by
| this advisory is low. It requires all of the following to be true to
| be exploited: 1. Setting the `Proxy-Authorization` header without
| using urllib3's built-in proxy support. 2. Not disabling HTTP
| redirects. 3. Either not using an HTTPS origin server or for the
| proxy or target origin to redirect to a malicious origin. Users are
| advised to update to either version 1.26.19 or version 2.2.2. Users
| unable to upgrade may use the `Proxy-Authorization` header with
| urllib3's `ProxyManager`, disable HTTP redirects using
| `redirects=False` when sending requests, or not use the
| `Proxy-Authorization` header as mitigations.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-37891
https://www.cve.org/CVERecord?id=CVE-2024-37891
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
[2] https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
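The advisory quoted in the report above describes the rule that 1.26.19 and 2.2.2 introduce: a header carrying authentication material is dropped when a redirect leaves the original origin, and the exposure requires all three of a `Proxy-Authorization` header set outside urllib3's proxy support, redirects left enabled, and a redirect to another origin. The following Python is an added, standalone illustration of that rule; it is not urllib3's code and is not part of this bug report. It models a redirect-following client on a simulated response table, strips credential-bearing headers only on cross-origin hops (handling relative `Location` values and default ports), and includes a small check for the three conditions the advisory lists. All host names, responses and header values are constructed for the example.

```python
"""Cross-origin redirect header stripping, modelled after the behaviour the
urllib3 advisory describes.  Example code only: not urllib3's implementation."""
from urllib.parse import urljoin, urlsplit

# Headers that carry authentication material.  The advisory names
# Proxy-Authorization as the one newly covered; Authorization and Cookie are
# included here as the other obvious credential carriers (this example's own
# choice, not a constant taken from urllib3).
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, effective port), so http://a and http://a:80 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(current_url, location, headers):
    """Headers to send on the redirected request.

    Credential headers are kept for a same-origin hop and dropped when the
    Location points at a different origin.  Location may be relative."""
    target = urljoin(current_url, location)
    if origin(current_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirects(start_url, headers, responses, max_redirects=5):
    """Simulated client.  `responses` maps an absolute URL to (status, location).

    Returns the list of (url, headers) pairs the client actually sent, in order,
    so the effect of the stripping rule on each hop can be inspected."""
    sent = []
    url, hdrs = start_url, dict(headers)
    for _ in range(max_redirects + 1):
        sent.append((url, dict(hdrs)))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return sent
        next_url = urljoin(url, location)
        hdrs = headers_for_redirect(url, next_url, hdrs)
        url = next_url
    raise RuntimeError("too many redirects")


def audit_request_config(headers, using_proxy_manager, redirects_enabled):
    """Report which of the advisory's preconditions a request configuration meets.

    An empty list means the Proxy-Authorization header is either absent or
    handled by proxy support with redirects disabled."""
    has_proxy_auth = any(k.lower() == "proxy-authorization" for k in headers)
    findings = []
    if has_proxy_auth and not using_proxy_manager:
        findings.append("Proxy-Authorization set without urllib3 proxy support")
    if has_proxy_auth and redirects_enabled:
        findings.append("automatic redirects enabled")
    return findings


# Constructed sample: a same-origin hop followed by a cross-origin hop.
RESPONSES = {
    "https://api.example.test/v1/data": (302, "/v1/login"),
    "https://api.example.test/v1/login": (307, "https://cdn.other.test/blob"),
    "https://cdn.other.test/blob": (200, None),
}
REQUEST_HEADERS = {
    "User-Agent": "example/1.0",
    "Proxy-Authorization": "Basic PLACEHOLDER-NOT-A-REAL-CREDENTIAL",
}

if __name__ == "__main__":
    for url, hdrs in follow_redirects("https://api.example.test/v1/data",
                                      REQUEST_HEADERS, RESPONSES):
        print(url, sorted(hdrs))
    print(audit_request_config(REQUEST_HEADERS,
                               using_proxy_manager=False, redirects_enabled=True))
```

Running the script shows the header surviving the first, same-origin hop and disappearing on the hop to `cdn.other.test`. In urllib3 itself the corresponding switches are the `redirect=False` keyword on `request()` (the advisory text spells it `redirects=False`) and the `remove_headers_on_redirect` argument of `urllib3.util.Retry`, which the fixed releases default to include `Proxy-Authorization`.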
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.2.3-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Nov 2024 23:57:18 +0000
Source: python-urllib3
Architecture: source
Version: 2.2.3-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1074149 1082278 1086794
Changes:
python-urllib3 (2.2.3-1) experimental; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-37891: Added the Proxy-Authorization header to the list of
headers to strip from requests when redirecting to a different host
(closes: #1074149).
- Added support for Python 3.13 (closes: #1082278).
* Temporarily vendor hypercorn, since urllib3 needs a patched version for
its tests (commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb; see
https://github.com/urllib3/urllib3/issues/3334; closes: #1086794).
Checksums-Sha1:
b9ce0262580d5d747a19ea27ca0c0f186ca24faf 2869 python-urllib3_2.2.3-1.dsc
983588ea431951dd1e8ab1e6667c57b65f9d2892 300677 python-urllib3_2.2.3.orig.tar.gz
3270c098e9e23398e2c69721e6030b6123e8a23a 36988 python-urllib3_2.2.3-1.debian.tar.xz
Checksums-Sha256:
eddbb7e011ceece3a08d1cd83c6b733e06d6dae70ddff6ad8805d59ab799b4cc 2869 python-urllib3_2.2.3-1.dsc
e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9 300677 python-urllib3_2.2.3.orig.tar.gz
1a326962490ddc52ce2f7e60efe97e44014192270814fb552ba4017de4fbcdff 36988 python-urllib3_2.2.3-1.debian.tar.xz
Files:
fa5850b36c21c0d06cdcaa797c5a2a20 2869 python optional python-urllib3_2.2.3-1.dsc
d65de4f0effae2b52669246f0aab0a91 300677 python optional python-urllib3_2.2.3.orig.tar.gz
eadc616453578ae1d14a4341a0d2d7ac 36988 python optional python-urllib3_2.2.3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmcxSMcACgkQOTWH2X2G
UAt02w//aomzt/1NevImQTjcYUAI4JSVJwF5Da4pcQp0z9rUI58FNexakQ67BCpi
uTiDSCN9rqu6+g0GvZj2G+8A3KCjcJ+3Kr5Tu6ARTfBlT/suk7C8qC48RZI64Gzp
9fuRNmQEY38zZfPQ53Fp4dLVocmY53s4AW66vluUt66qc92bjysgl4W6Ol6fqcdx
qrzM3yY5G/sskO4NWvENiIgQcBfOxVV6fcS8qy6qjf/Ph19UOwb5w5flGttfF+Gb
KMk6BOyY8Dan0PG+F/KmYywO71FBeI2BwP9+Gn16KV5vlC9Ci5+RWlhg3hMU6Wiv
eWBSBYjZED8ON8oIGxI9KYL0e90f9To4Jp1MxDE+d9K4wgEk3SfsNBMAQe8aqGa3
3WYpprZ2FNTl9turrO2mFoqH2TvGzZyxTPuAMo2t5aH8gKg7KJAouscVIYTkR5rx
u1EkO2VxfR+fKrROj+tHv95ld2M5ndNhpjIcxOckBvICJEyYBlmSQJ7sWl6JnNo7
N8Cb+JQh78rrrOB7F/XEAZI6ZV4GKBFiZojiV6Zc/h4d2hElC2LqDOJQx4WBAbGd
gG0PV7II1oUbFoGJWqMXlpTWRVWBhObO4WWjDeAmf6TxoGV3d3JQ7kP2gtnJgDhj
UgPKk31Qog3GqqqV30nlOGdKgA92tj2ql8jL3blzRSbksTlFFdQ=
=yimk
-----END PGP SIGNATURE-----
--- End Message ---