python-urllib3-1.10.2-7.el7
Errata ID: AXSA:2019-4182:01
The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.
Security Fix(es):
* python-urllib3: Cross-host redirect does not remove the Authorization header, allowing credential exposure (CVE-2018-20060)
* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
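The two checks these CVE descriptions call for, as an added example that is not urllib3's code or part of this advisory: dropping the Authorization header when a redirect changes scheme, host, or port, and refusing a request target that contains CR or LF. The function names are hypothetical, the redirect URL is assumed to be already resolved to an absolute URL, and rejecting CR/LF (rather than encoding it) is a choice made for this example.

```python
from urllib.parse import urlsplit

# Default ports so that https://host and https://host:443 compare as equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies an origin."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(current_url, redirect_url):
    """True when the redirect differs in scheme, host, or port."""
    return origin(current_url) != origin(redirect_url)


def headers_for_redirect(current_url, redirect_url, headers):
    """Copy headers for the next hop; drop Authorization on a cross-origin hop."""
    if not is_cross_origin(current_url, redirect_url):
        return dict(headers)
    # Header names are case-insensitive, so compare in lower case.
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def check_request_target(target):
    """Refuse a request target containing CR or LF before it is written
    into the request line, where it would start a new header line."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF not allowed in request target")
    return target


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    hdrs = {"Authorization": "Bearer EXAMPLE-TOKEN", "Accept": "*/*"}
    same = headers_for_redirect("https://api.example.test/a",
                                "https://api.example.test/b", hdrs)
    downgraded = headers_for_redirect("https://api.example.test/a",
                                      "http://api.example.test/a", hdrs)
    print("same origin:", sorted(same))
    print("scheme downgrade:", sorted(downgraded))
```

A URL without scheme and host compares as a different origin here, so an unresolved relative redirect loses the header rather than keeping it.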
Update packages.
SRPMS
- python-urllib3-1.10.2-7.el7.src.rpm
MD5: 1b1c3cb66defcf517f71f655a5ad0e80
SHA-256: 5291b614be579949d2f40a688f2c6a16816af59e43c337ee1556a5db36d652a3
Size: 146.45 kB
Asianux Server 7 for x86_64
- python-urllib3-1.10.2-7.el7.noarch.rpm
MD5: 5f30f2f7fabea0e2a121876dc5252f46
SHA-256: 107f01204cad6ea37bec29dd257243fd732e6aef1df20e4f14548fd09ed124c7
Size: 101.84 kB