Source: python-urllib3
Version: 1.26.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-urllib3.

CVE-2023-43804[0]:
| urllib3 is a user-friendly HTTP client library for Python. urllib3
| doesn't treat the `Cookie` HTTP header specially or provide any
| helpers for managing cookies over HTTP; that is the responsibility
| of the user. However, it is possible for a user to specify a
| `Cookie` header and unknowingly leak information via HTTP redirects
| to a different origin if that user doesn't disable redirects
| explicitly. This issue has been patched in urllib3 version 1.26.17
| or 2.0.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43804
    https://www.cve.org/CVERecord?id=CVE-2023-43804
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
[2] https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
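Added example (not part of the bug report, the advisory, or urllib3's own code): the leak the advisory describes is a client that sets a `Cookie` header, follows a redirect, and re-sends that header to a target on a different origin. The standard-library-only code below models the safe redirect-following logic: resolve the `Location` (which may be relative) against the request URL, compare origins as scheme, host and port with default ports normalised, and drop credential-bearing headers when the origin changes. The header lists are assumptions for illustration: `UNSAFE_BEFORE_FIX` models a client that protected only `Authorization`, `UNSAFE_ON_CROSS_ORIGIN_REDIRECT` models one that also protects `Cookie`. The redirect chain in `RESPONSES` is constructed, not captured traffic. A caller who disables automatic redirects (the mitigation the advisory mentions) can apply `headers_for_redirect` to each hop before re-issuing the request.

```python
"""Strip credential-bearing headers on cross-origin redirects (added example)."""
from urllib.parse import urljoin, urlsplit

# Header names that must not follow a redirect to a different origin.
# Assumption for this example: the "before" list protects only Authorization,
# the "after" list also protects Cookie, which is the behaviour the advisory
# asks for. Names are compared case-insensitively.
UNSAFE_BEFORE_FIX = frozenset({"authorization"})
UNSAFE_ON_CROSS_ORIGIN_REDIRECT = frozenset({"cookie", "authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for url, filling in the default port.

    Assumption: "same origin" means same scheme, host and port, so
    https://a.example:443/ and https://a.example/ are the same origin while
    http://a.example/ and https://a.example/ are not.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers,
                         unsafe=UNSAFE_ON_CROSS_ORIGIN_REDIRECT):
    """Return (target_url, headers_to_send) for one redirect hop.

    location may be relative, so it is resolved against request_url first.
    If the resolved target is on a different origin, every header whose
    lower-cased name is in `unsafe` is removed before forwarding.
    """
    target = urljoin(request_url, location)
    forwarded = dict(headers)
    if origin(target) != origin(request_url):
        for name in list(forwarded):
            if name.lower() in unsafe:
                del forwarded[name]
    return target, forwarded


def follow_redirects(start_url, headers, responses, max_redirects=5,
                     unsafe=UNSAFE_ON_CROSS_ORIGIN_REDIRECT):
    """Walk a redirect chain and return the list of (url, headers) sent.

    `responses` is a constructed stand-in for the network: a mapping from
    request URL to the Location header the server answers with (None means
    the server returned a final, non-redirect response).
    """
    url = start_url
    sent = []
    for _ in range(max_redirects + 1):
        sent.append((url, dict(headers)))
        location = responses.get(url)
        if location is None:
            return sent
        url, headers = headers_for_redirect(url, location, headers, unsafe)
    raise RuntimeError("too many redirects")


# Constructed chain: the API host bounces the client to a third-party origin.
RESPONSES = {
    "https://api.example.com/login": "https://evil.example.net/collect",
    "https://evil.example.net/collect": None,
}
# Constructed request headers; the values are placeholders, not real secrets.
REQUEST_HEADERS = {
    "Cookie": "session=secret",
    "Authorization": "Bearer tok",
    "User-Agent": "demo",
}


def demo():
    """Return the headers that reach evil.example.net before and after the fix."""
    before = follow_redirects("https://api.example.com/login", REQUEST_HEADERS,
                              RESPONSES, unsafe=UNSAFE_BEFORE_FIX)
    after = follow_redirects("https://api.example.com/login", REQUEST_HEADERS,
                             RESPONSES)
    return before[-1][1], after[-1][1]


if __name__ == "__main__":
    leaked, safe = demo()
    print("before fix, third party receives:", leaked)
    print("after fix,  third party receives:", safe)
```

Two details matter in practice: the port normalisation (without it `https://host:443/` and `https://host/` would be treated as different origins and credentials would be dropped on a harmless same-site hop), and the scheme check (an https-to-http downgrade on the same host is still a different origin and must not carry the cookie).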