Security update for python-urllib3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2131-1 Final 1 1 2019-09-14T12:17:04Z current 2019-09-14T12:17:04Z 2019-09-14T12:17:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-urllib3 This update for python-urllib3 fixes the following issues: Security issues fixed: - CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071). - CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900). - CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663). - CVE-2018-20060: Remove Authorization header when redirecting cross-host (bsc#1119376). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2131 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V/#KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V E-Mail link for openSUSE-SU-2019:2131-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1119376 SUSE Bug 1119376 https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1132663 SUSE Bug 1132663 https://bugzilla.suse.com/1132900 SUSE Bug 1132900 https://www.suse.com/security/cve/CVE-2018-20060/ SUSE CVE CVE-2018-20060 page https://www.suse.com/security/cve/CVE-2019-11236/ SUSE CVE CVE-2019-11236 page https://www.suse.com/security/cve/CVE-2019-11324/ SUSE CVE CVE-2019-11324 page https://www.suse.com/security/cve/CVE-2019-9740/ SUSE CVE CVE-2019-9740 page openSUSE Leap 15.0 python2-urllib3-1.22-lp150.5.3.1 python3-urllib3-1.22-lp150.5.3.1 python2-urllib3-1.22-lp150.5.3.1 as a component of openSUSE Leap 15.0 python3-urllib3-1.22-lp150.5.3.1 as a component of openSUSE Leap 15.0 urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. CVE-2018-20060 openSUSE Leap 15.0:python2-urllib3-1.22-lp150.5.3.1 openSUSE Leap 15.0:python3-urllib3-1.22-lp150.5.3.1 low 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V/#KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V https://www.suse.com/security/cve/CVE-2018-20060.html CVE-2018-20060 https://bugzilla.suse.com/1119376 SUSE Bug 1119376 https://bugzilla.suse.com/1216275 SUSE Bug 1216275 In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. CVE-2019-11236 openSUSE Leap 15.0:python2-urllib3-1.22-lp150.5.3.1 openSUSE Leap 15.0:python3-urllib3-1.22-lp150.5.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V/#KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V https://www.suse.com/security/cve/CVE-2019-11236.html CVE-2019-11236 https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1132663 SUSE Bug 1132663 The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. CVE-2019-11324 openSUSE Leap 15.0:python2-urllib3-1.22-lp150.5.3.1 openSUSE Leap 15.0:python3-urllib3-1.22-lp150.5.3.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V/#KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V https://www.suse.com/security/cve/CVE-2019-11324.html CVE-2019-11324 https://bugzilla.suse.com/1132900 SUSE Bug 1132900 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9740 openSUSE Leap 15.0:python2-urllib3-1.22-lp150.5.3.1 openSUSE Leap 15.0:python3-urllib3-1.22-lp150.5.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V/#KFMC4LRB2CXRSDWEXN4Z4QWZ7YZ6RC4V https://www.suse.com/security/cve/CVE-2019-9740.html CVE-2019-9740 https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1132663 SUSE Bug 1132663