ALT-PU-2019-1709-1
Package python-module-urllib3 updated to version 1.24.2-alt1 for branch sisyphus in task 227955.
Closed vulnerabilities
Published: 2019-04-18
BDU:2019-02105
Уязвимость модуля urllib3 интерпретатора языка программирования Python, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю установить SSL-соединение
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
Published: 2019-04-19
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-11324
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Severity: HIGH (7.5)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- openSUSE-SU-2019:2131
- openSUSE-SU-2019:2131
- openSUSE-SU-2019:2133
- openSUSE-SU-2019:2133
- [oss-security] 20190418 Re: urllib3: adds system certificates to ssl_context
- [oss-security] 20190418 Re: urllib3: adds system certificates to ssl_context
- RHSA-2019:3335
- RHSA-2019:3335
- RHSA-2019:3590
- RHSA-2019:3590
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
- [debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update
- [debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update
- [debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update
- [debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update
- FEDORA-2020-6148c44137
- FEDORA-2020-6148c44137
- FEDORA-2020-d0d9ad17d8
- FEDORA-2020-d0d9ad17d8
- USN-3990-1
- USN-3990-1