Your message dated Thu, 25 Jun 2026 21:04:24 +0000
with message-id <[email protected]>
and subject line Bug#1136653: fixed in python-urllib3 2.3.0-3+deb13u2
has caused the Debian Bug report #1136653,
regarding python-urllib3: CVE-2026-44431
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.6.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-44431[0]:
| urllib3 is an HTTP client library for Python. From 1.23 to before
| 2.7.0, cross-origin redirects followed from the low-level API via
| ProxyManager.connection_from_url().urlopen(...,
| assert_same_host=False) still forward these sensitive headers. This
| vulnerability is fixed in 2.7.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44431
    https://www.cve.org/CVERecord?id=CVE-2026-44431
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.3.0-3+deb13u2
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 18:46:48 +0200
Source: python-urllib3
Architecture: source
Version: 2.3.0-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1136653
Changes:
 python-urllib3 (2.3.0-3+deb13u2) trixie-security; urgency=medium
 .
   * CVE-2026-44431 (Closes: #1136653)
Checksums-Sha1:
 93028885d5ff8230dc65858c4f9c052758809717 2781 
python-urllib3_2.3.0-3+deb13u2.dsc
 d056ab93b3f3f09e483574542f8601cb486be103 44716 
python-urllib3_2.3.0-3+deb13u2.debian.tar.xz
 a0dcd2113753593512c198eb1ee6d8eb64ad7f53 8593 
python-urllib3_2.3.0-3+deb13u2_amd64.buildinfo
Checksums-Sha256:
 2643b0e2f7e687d48051c13479bfee3a40a1ed2a114d6e832de17c6b660348e7 2781 
python-urllib3_2.3.0-3+deb13u2.dsc
 6da9c5bf310b34fadee02edadba60d914a8fd0cf72429ef1ebee18f1f7f7b6e8 44716 
python-urllib3_2.3.0-3+deb13u2.debian.tar.xz
 94e6d4ab79c125a4182fd1ddf13573fdb26914452b76471b1351b83e0e3a3273 8593 
python-urllib3_2.3.0-3+deb13u2_amd64.buildinfo
Files:
 2563a44678e91b20ded5edde70187c3e 2781 python optional 
python-urllib3_2.3.0-3+deb13u2.dsc
 afa527b2e7951a635552415acabaae1a 44716 python optional 
python-urllib3_2.3.0-3+deb13u2.debian.tar.xz
 2fc5b29ba82ec27b839dfe981ad5d5b6 8593 python optional 
python-urllib3_2.3.0-3+deb13u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmo4Fi4ACgkQEMKTtsN8
TjYkGA/+Lo6jJ3konPotOMDs2S8ZV9zyZVc1uu/3zwknplbQUQFotyzv0LsLrJ1d
8QpD95S/DQYgJ/Q5CmzM8hO1FmwjCH9W9dvbMthwTeK/sJDbndPQGIl2opUp5Iky
woYnQP7by7DyfNRO3zC3H38UjLNWmi7juyvBivoEilG31SvUCxaDeJq0nSv6NuJu
F/hA13r91u8tJSbvm5ExkE9F4is71TZDvjKQRT9UWnZ9hPe7guqrZU+ZHWGO2jll
z801DQUEgB0B9WpUhXRqH8YoykK44h3uEL5JLDvAGuuU0jXURq4bvWNPSs/llgr/
BRct3amWwPLRz1kkzgpuy1xh5DhKwvh4+1kHaThYOC4kDOEcnVYS48/ouEVyNqed
sMw6YN6bx0U1zY6XIUJ4fhv7+f2nXGk1XZD41b/Zfsg4rMXElRdk6vR5skdVcn17
5GjhvicZOW29c9BklXHhanAkNioUdUPg4XBRY37yVLggAuPH/fgiBm0vI3aw7dBU
ocBhieQD0RTQrt1WUTXTEYuaD0iKoPcOBchJV2uc4C/NDigqNqjm2im/tcPlzxTt
2/Ag6ZP3lt5Wa0/O7JQD4op23ibXqKAdQugVxjXF4J5JGEjFpiEo6bigfvWUwCMm
MIQCPoBzJzo+6Wx78MBAqOVBmuebUjanrUFvyyyWg6yYoB0cbHU=
=EY5r
-----END PGP SIGNATURE-----

Attachment: pgpAok0hDFv2B.pgp
Description: PGP signature


--- End Message ---

Reply via email to