Your message dated Sun, 13 Jul 2025 12:34:25 +0000
with message-id <[email protected]>
and subject line Bug#1108076: fixed in python-urllib3 2.3.0-3
has caused the Debian Bug report #1108076,
regarding python-urllib3: CVE-2025-50181
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108076: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108076
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.3.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-urllib3.
CVE-2025-50181[0]:
| urllib3 is a user-friendly HTTP client library for Python. Prior to
| 2.5.0, it is possible to disable redirects for all requests by
| instantiating a PoolManager and specifying retries in a way that
| disable redirects. By default, requests and botocore users are not
| affected. An application attempting to mitigate SSRF or open
| redirect vulnerabilities by disabling redirects at the PoolManager
| level will remain vulnerable. This issue has been patched in version
| 2.5.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-50181
https://www.cve.org/CVERecord?id=CVE-2025-50181
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v
[2]
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.3.0-3
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Jul 2025 14:09:35 +0200
Source: python-urllib3
Architecture: source
Version: 2.3.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1108076 1108077
Changes:
python-urllib3 (2.3.0-3) unstable; urgency=medium
.
* Team upload.
* CVE-2025-50181: Fix a security issue where restricting the maximum
number of followed redirects at the `urllib3.PoolManager` level via the
`retries` parameter did not work (closes: #1108076).
* CVE-2025-50182: Make the Node.js runtime respect redirect parameters
such as `retries` and `redirects` (closes: #1108077).
Checksums-Sha1:
e3a816239eb4cb1cbcf2ff15d30623bd9a8b00e7 2869 python-urllib3_2.3.0-3.dsc
0082e4638164ef16b06793248a987a7435255fad 41924
python-urllib3_2.3.0-3.debian.tar.xz
Checksums-Sha256:
382c19af6fa29a78d05c8ade1c6a2bd48a0d2561e9d53c4caf660971c22743e3 2869
python-urllib3_2.3.0-3.dsc
93837d926d242a6e0acc4f9f5860542f73b591add138d65254c7a0e9316be611 41924
python-urllib3_2.3.0-3.debian.tar.xz
Files:
be44260dfcf388e9837386e88d18a5a4 2869 python optional
python-urllib3_2.3.0-3.dsc
60ec38369075791d2688b45198e6f908 41924 python optional
python-urllib3_2.3.0-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmhzoiMACgkQOTWH2X2G
UAskjg/+KyTGZ8o+VpY6rKCtUU/2kOfh6XqdiL4CAYORPrIdaeQ0V6Unmu7EzkJR
YZzUre6TtXFRUltV2tI4xyjLerp1oYbG3zPksT/jQGf8kH5vMKkVG3jyD8+JLltV
5mCZ/OqifgTU2yrBHS8ZYMJ9muj1uMHFCMR8Fk+ZWigtDypI7As3NFLNeCAawbJA
gA9xGqr0gATI9QezyVtuUTp4XZW3gCvj0g1Hinj6Zw1cvgDty2gCzLxbf3UgpbLu
+MI0CPPQ5FxWkdUE64ZuftJkRG2/JME4Ll3Ta5vEaewDwzwUGdrq/4ULCV9XAd+y
KB1Md2g/aji+XHFBIIKpxFASi4AHJy/o32+SK1TArOI7uvbrsRB0/Rc9QOS+6Uxt
nFt95M0Yu1lsOBcptXRMtp4wvLVirTM0LOpBkNyS2E27cTFkaQYoNZpwoUXPFrSG
j1WAl7KHNEH7dOcHpkAzSyQJbrE5/hg9Qce4CVpHNWPhShFawSdd26u2GChRYq7M
HQ/OQMUiyOSsb1izgdvYQ43lt1e488xjzyF49XtbHJBPpLHpxe3CMtuHSTuygrS3
O3jnsH9b7xjAxf9WitmBi/ItolC3B/rCHceipofFxeHlVv6yGxAv/+ui/ltKEuKP
0RPjg6EmkQ7QDdNtzFaSY9mSbNSc281rKFmX4TUu0NlypJTMxCM=
=xgC8
-----END PGP SIGNATURE-----
pgpATHrMV1wJe.pgp
Description: PGP signature
--- End Message ---