Security update for python-urllib3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:2391-1 Final 1 1 2019-09-17T13:46:23Z current 2019-09-17T13:46:23Z 2019-09-17T13:46:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-urllib3 This update for python-urllib3 fixes the following issues: Security issues fixed: - CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071). - CVE-2019-11324: Fixed invalid CA certificat verification (bsc#1132900). - CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-2391,SUSE-OpenStack-Cloud-9-2019-2391,SUSE-OpenStack-Cloud-Crowbar-9-2019-2391 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20192391-1/ Link for SUSE-SU-2019:2391-1 https://lists.suse.com/pipermail/sle-security-updates/2019-September/005927.html E-Mail link for SUSE-SU-2019:2391-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1132663 SUSE Bug 1132663 https://bugzilla.suse.com/1132900 SUSE Bug 1132900 https://www.suse.com/security/cve/CVE-2019-11236/ SUSE CVE CVE-2019-11236 page https://www.suse.com/security/cve/CVE-2019-11324/ SUSE CVE CVE-2019-11324 page https://www.suse.com/security/cve/CVE-2019-9740/ SUSE CVE CVE-2019-9740 page SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 python-urllib3-1.23-3.6.1 python3-urllib3-1.23-3.6.1 python-urllib3-1.23-3.6.1 as a component of SUSE OpenStack Cloud 9 python-urllib3-1.23-3.6.1 as a component of SUSE OpenStack Cloud Crowbar 9 In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. CVE-2019-11236 SUSE OpenStack Cloud 9:python-urllib3-1.23-3.6.1 SUSE OpenStack Cloud Crowbar 9:python-urllib3-1.23-3.6.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192391-1/ https://www.suse.com/security/cve/CVE-2019-11236.html CVE-2019-11236 https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1132663 SUSE Bug 1132663 The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. CVE-2019-11324 SUSE OpenStack Cloud 9:python-urllib3-1.23-3.6.1 SUSE OpenStack Cloud Crowbar 9:python-urllib3-1.23-3.6.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192391-1/ https://www.suse.com/security/cve/CVE-2019-11324.html CVE-2019-11324 https://bugzilla.suse.com/1132900 SUSE Bug 1132900 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9740 SUSE OpenStack Cloud 9:python-urllib3-1.23-3.6.1 SUSE OpenStack Cloud Crowbar 9:python-urllib3-1.23-3.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20192391-1/ https://www.suse.com/security/cve/CVE-2019-9740.html CVE-2019-9740 https://bugzilla.suse.com/1129071 SUSE Bug 1129071 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1132663 SUSE Bug 1132663