Your message dated Fri, 29 Nov 2024 17:07:17 +0000
with message-id <[email protected]>
and subject line Bug#1074149: fixed in python-urllib3 2.2.3-3
has caused the Debian Bug report #1074149,
regarding python-urllib3: CVE-2024-37891
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1074149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.0.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.26.18-2

The following vulnerability was published for python-urllib3.

CVE-2024-37891[0]:
| urllib3 is a user-friendly HTTP client library for Python. When
| using urllib3's proxy support with `ProxyManager`, the
| `Proxy-Authorization` header is only sent to the configured proxy, as
| expected. However, when sending HTTP requests *without* using
| urllib3's proxy support, it's possible to accidentally configure the
| `Proxy-Authorization` header even though it won't have any effect as
| the request is not using a forwarding proxy or a tunneling proxy. In
| those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP
| header as one carrying authentication material and thus doesn't
| strip the header on cross-origin redirects. Because this is a highly
| unlikely scenario, we believe the severity of this vulnerability is
| low for almost all users. Out of an abundance of caution urllib3
| will automatically strip the `Proxy-Authorization` header during
| cross-origin redirects to avoid the small chance that users are
| doing this on accident. Users should use urllib3's proxy support or
| disable automatic redirects to achieve safe processing of the
| `Proxy-Authorization` header, but we still decided to strip the
| header by default in order to further protect users who aren't using
| the correct approach. We believe the number of usages affected by
| this advisory is low. It requires all of the following to be true to
| be exploited: 1. Setting the `Proxy-Authorization` header without
| using urllib3's built-in proxy support. 2. Not disabling HTTP
| redirects. 3. Either not using an HTTPS origin server or for the
| proxy or target origin to redirect to a malicious origin. Users are
| advised to update to either version 1.26.19 or version 2.2.2. Users
| unable to upgrade may use the `Proxy-Authorization` header with
| urllib3's `ProxyManager`, disable HTTP redirects using
| `redirects=False` when sending requests, or not use the
| `Proxy-Authorization` header as mitigations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37891
    https://www.cve.org/CVERecord?id=CVE-2024-37891
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
[2] https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
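The redirect behaviour the advisory describes, as an added example that is not urllib3's own code: a stand-alone model of dropping credential-bearing headers only when a redirect leaves the original origin, comparing a pre-fix header set (assumed here for the comparison) with the fixed set that includes `Proxy-Authorization`. The function names (`origin`, `is_cross_origin`, `headers_for_redirect`, `demo`) and every request value are constructed for the illustration.

```python
from urllib.parse import urljoin, urlsplit

# Default port per scheme, so "https://h" and "https://h:443" are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Header names dropped on a cross-origin redirect. The pre-fix set is an
# assumption made for the comparison; the fixed releases add Proxy-Authorization.
REMOVE_BEFORE_FIX = frozenset({"authorization", "cookie"})
REMOVE_AFTER_FIX = REMOVE_BEFORE_FIX | {"proxy-authorization"}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(request_url, location):
    """True when the redirect target differs in scheme, host or port."""
    target = urljoin(request_url, location)  # Location may be relative
    return origin(request_url) != origin(target)


def headers_for_redirect(headers, request_url, location, remove=REMOVE_AFTER_FIX):
    """Headers to carry into the redirected request: credential-bearing
    headers are dropped only when the redirect leaves the original origin."""
    if not is_cross_origin(request_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in remove}


def demo():
    # Constructed request: Proxy-Authorization set directly on a request to
    # the origin server, the misuse the advisory describes (no ProxyManager).
    req_url = "http://app.example.test/login"
    headers = {
        "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",  # constructed
        "Authorization": "Bearer token-placeholder",  # constructed
        "Accept": "application/json",
    }
    other = "https://other.example.test/"  # constructed cross-origin target
    return {
        "before_fix": headers_for_redirect(headers, req_url, other, REMOVE_BEFORE_FIX),
        "after_fix": headers_for_redirect(headers, req_url, other),
        "same_origin": headers_for_redirect(headers, req_url, "/next"),
    }
```

With the pre-fix set the `Proxy-Authorization` value follows the cross-origin redirect; with the fixed set only the non-credential `Accept` header remains, while a same-origin redirect keeps all headers.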
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.2.3-3
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 29 Nov 2024 16:38:06 +0000
Source: python-urllib3
Architecture: source
Version: 2.2.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1074149 1082278 1086794
Changes:
 python-urllib3 (2.2.3-3) unstable; urgency=medium
 .
   * Team upload.
   * Upload to unstable.
 .
 python-urllib3 (2.2.3-2) experimental; urgency=medium
 .
   * Team upload.
   * Mark test_http2_probe_blocked_per_thread with requires_network.
 .
 python-urllib3 (2.2.3-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2024-37891: Added the Proxy-Authorization header to the list of
       headers to strip from requests when redirecting to a different host
       (closes: #1074149).
     - Added support for Python 3.13 (closes: #1082278).
   * Temporarily vendor hypercorn, since urllib3 needs a patched version for
     its tests (commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb; see
     https://github.com/urllib3/urllib3/issues/3334; closes: #1086794).



--- End Message ---