openSUSE-SU-2019:2133-1

Published: 14 Sep 2019
Source: suse-cvrf

Description

Security update for python-urllib3

This update for python-urllib3 fixes the following issues:

Security issues fixed:

  • CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
  • CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
  • CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Package list

openSUSE Leap 15.1
python2-urllib3-1.24-lp151.2.3.1
python2-urllib3-test-1.24-lp151.2.3.1
python3-urllib3-1.24-lp151.2.3.1
python3-urllib3-test-1.24-lp151.2.3.1

Description

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.


Affected products
openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.3.1

References

Description

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.


Affected products
openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.3.1

References

Description

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
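Both CRLF descriptions on this page (the urllib3 request-parameter case above the first product list, and the urllib/urllib2 url-parameter case just described) reduce to the same defect: a raw CR or LF in attacker-controlled input reaches the HTTP request line unencoded. The Python helper below is an added example, not code from the advisory, from SUSE or from urllib3; it shows the two checks a client-side wrapper can apply on the defender's side: scan the raw URL string for ASCII control characters before handing it to any HTTP client, and percent-encode untrusted path and query pieces when assembling a URL. The function names (`find_control_chars`, `build_url`, `naive_url`), the host `example.test` and the sample input are all constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import quote, urlencode

# ASCII control characters, which include CR (0x0d) and LF (0x0a). A raw CR/LF
# that reaches the HTTP request line terminates that line and lets whatever
# follows be parsed as a header: the CRLF injection class named in this advisory.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def find_control_chars(raw_url: str) -> List[str]:
    """Return the distinct control characters present in the raw URL string.

    The check deliberately runs on the unparsed string: recent CPython releases
    silently strip tab, CR and LF inside urllib.parse.urlsplit(), so a check on
    the parsed components would miss exactly the characters of interest.
    An empty list means the URL carries no control characters.
    """
    return sorted(set(_CONTROL_CHARS.findall(raw_url)))


def build_url(base: str, path: str, params: Dict[str, str]) -> str:
    """Assemble a URL from untrusted path and query pieces.

    The path is percent-encoded (keeping '/'), the query goes through
    urlencode(); both turn CR/LF into %0D%0A, so they can never appear
    unencoded in the request line. The base URL is trusted configuration and
    is rejected outright if it carries control characters.
    """
    if find_control_chars(base):
        raise ValueError("base URL contains control characters")
    url = base.rstrip("/") + "/" + quote(path, safe="/").lstrip("/")
    if params:
        url += "?" + urlencode(params)
    return url


def naive_url(base: str, path: str, params: Dict[str, str]) -> str:
    """The pattern the advisory warns about: raw string concatenation.

    Kept only to show what find_control_chars() catches; not for real use.
    """
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{base}{path}?{query}"


if __name__ == "__main__":
    # Constructed sample input: a query value carrying CR LF followed by text
    # shaped like a header, the situation the CVE descriptions describe.
    tainted = {"q": "x\r\nX-Injected: 1"}

    bad = naive_url("https://example.test", "/search", tainted)
    good = build_url("https://example.test", "/search", tainted)

    print("naive  :", repr(bad), find_control_chars(bad))
    print("encoded:", repr(good), find_control_chars(good))
```

In practice the scan belongs at the boundary where untrusted input is turned into a URL, and `build_url` is the form that should be used for every outbound request built from user data; the fixed urllib3 packages listed on this page add their own validation, but an explicit check in the calling code still catches the problem before it depends on the library version installed.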


Affected products
openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.3.1
openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.3.1

References