Your message dated Fri, 26 Jun 2026 23:47:19 +0000
with message-id <[email protected]>
and subject line Bug#1136653: fixed in python-urllib3 1.26.12-1+deb12u4
has caused the Debian Bug report #1136653,
regarding python-urllib3: CVE-2026-44431
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136653
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.6.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-44431[0]:
| urllib3 is an HTTP client library for Python. From 1.23 to before
| 2.7.0, cross-origin redirects followed from the low-level API via
| ProxyManager.connection_from_url().urlopen(...,
| assert_same_host=False) still forward these sensitive headers. This
| vulnerability is fixed in 2.7.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44431
    https://www.cve.org/CVERecord?id=CVE-2026-44431
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-urllib3
Source-Version: 1.26.12-1+deb12u4
Done: Guilhem Moulin <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jun 2026 07:01:27 +0200
Source: python-urllib3
Architecture: source
Version: 1.26.12-1+deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1136653
Changes:
 python-urllib3 (1.26.12-1+deb12u4) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2026-44431: Sensitive headers forwarded across origins in proxied
     low-level redirects. (Closes: #1136653)
Checksums-Sha1:
 345f115bc623058ead2d0a93cebc38f32215ac6b 2344 
python-urllib3_1.26.12-1+deb12u4.dsc
 7193c8fa7a0f2f551be0ef4293992ac9db88aebc 21004 
python-urllib3_1.26.12-1+deb12u4.debian.tar.xz
 4a28b32a26911f64045bcb432b0ac35a81cd61b1 7134 
python-urllib3_1.26.12-1+deb12u4_source.buildinfo
Checksums-Sha256:
 a5d6af5b8142af435741492f2d559d78c9f5f2949a71876609ae5d506a34b69b 2344 
python-urllib3_1.26.12-1+deb12u4.dsc
 573bde9b4476edf6e1059915625be136937987c8df192e6d18dc51efd19e3509 21004 
python-urllib3_1.26.12-1+deb12u4.debian.tar.xz
 fc369f0ec51e81fcc6f0b9cfafbbab31bc370bf3388d948308182c61e0e51f8e 7134 
python-urllib3_1.26.12-1+deb12u4_source.buildinfo
Files:
 323031678d2460d6e6e6ef99e420f043 2344 python optional 
python-urllib3_1.26.12-1+deb12u4.dsc
 250e69bad9a5b43900895e2395ac6980 21004 python optional 
python-urllib3_1.26.12-1+deb12u4.debian.tar.xz
 ac5c53b6f51bb7d6a8e82d38e673a437 7134 python optional 
python-urllib3_1.26.12-1+deb12u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmo+MqIACgkQ05pJnDwh
pVK3vhAAwB9bOfMtL9b52Mrxzu58Ls1ch9X+8sdaWsrbClhvcVge9Bpl/hGFvc1Q
C3XVAiROIwMUrSZbMtkEcyvMMMnyNdF1HoUnlylChkZxRbnrkv4UNu/wJH2KCyxC
bjIz3GhliLSiweQjZPckWhXLWypWMPlXKEk6ZjeNwwzzpRR6WjdAFsuqnWcOw5kK
zr/HfNe+olvFsx8FUM2MKs5RgEtkXegpbCtS7A4/sex6vUXLvzKJ4/xPgh4QbEd3
kBcyLDr7cGmPprBqLQkZ3uYCTuCIbVoQECBAK5kXmB453N9+oJ79M5B3M+pvE+YV
bZqpZx33gGFDW6uHCoOZdaXK0liFfD9sAkRMYQgOO+MNaT/AxF8I5h0SNOU9bOiu
bnITaUrMht5lcjj3Z0zODY4vwMa79Qm574BGqjym+BO7veq8jIc/fpf2GrIobReO
1PspTCn/QhjlE5BQwMH53ak0iSuelTE4f8P8l+gs+vR11y9Iv7fJdkjouhZXnJjb
DGKAXGWVV6RzVH1MkYAweAmyO73TB2NgbfUwMe/Z0UpL+6W65CL2cIMquC3saiUV
hLI1dUU/6+0DPlkah9yMs87yM1cXuhRCzvtL1L4+ZhZ5/73Y26x2i6jEaZKnwkkE
6V8CDSpuncNqjC6bQKZ4U2W060qTxIwYOVJq29/zesKxoTRt3kA=
=Iipm
-----END PGP SIGNATURE-----

Attachment: pgpW_njDDEh1h.pgp
Description: PGP signature


--- End Message ---

Reply via email to