Описание
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-urllib3 | fixed | 1.26.4-1 | package | |
| python-urllib3 | not-affected | buster | package | |
| python-urllib3 | not-affected | stretch | package |
Примечания
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
Fixed by: https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0 (1.26.4)
Support for HTTPS request via HTTPS proxies only introduced in 1.26.0.
In Debian urllib3 does require SSL certificate validation by default (since 1.3-3)
with the 02_require-cert-verification.patch patch (Cf. #686872).
EPSS
Связанные уязвимости
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Уязвимость HTTP библиотеки Urllib3 языка программирования Python, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность
EPSS