AXSA:2019-4182:01

Release date: 
Wednesday, August 21, 2019 - 02:32
Subject: 
python-urllib3-1.10.2-7.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.

Security Fix(es):

* python-urllib3: Cross-host redirect does not remove the Authorization header, allowing credential exposure (CVE-2018-20060)

* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence, leading to a possible attack on an internal service (CVE-2019-11236)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
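The two CVE descriptions above correspond to two defensive checks a client library has to make: dropping the Authorization header when a redirect leaves the origin the request was sent to (scheme, host or port differs), and refusing a request target that contains a raw CR or LF. The following is an added example written for this advisory, not code from urllib3 or from Asianux; the header set, the default-port normalization, the resolution of relative Location values and all function names are my assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed policy: headers carrying credentials that must not be re-sent
# once a redirect leaves the origin the request was originally made to.
CREDENTIAL_HEADERS = {"authorization"}

# Assumed default ports so https://h/ and https://h:443/ count as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an absolute URL, filling in the
    default port for the scheme when the URL does not state one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin(request_url, redirect_url):
    """True when the redirect target differs in scheme, host or port.
    A relative Location value is resolved against the request URL first,
    so a same-site relative redirect is never treated as cross-origin."""
    resolved = urljoin(request_url, redirect_url)
    return origin(request_url) != origin(resolved)


def headers_for_redirect(request_url, redirect_url, headers):
    """Headers to send on the redirected request: credential headers are
    kept for same-origin redirects and dropped for cross-origin ones."""
    if not is_cross_origin(request_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}


def request_target_is_safe(target):
    """Reject a request target (path plus query) holding a raw CR or LF.
    Either byte would end the request line early and let caller-controlled
    data continue as extra header lines in the raw HTTP request."""
    return "\r" not in target and "\n" not in target


if __name__ == "__main__":
    # Constructed sample: a redirect from the API host to a different host.
    hdrs = {"Authorization": "Bearer example-token", "Accept": "application/json"}
    print(headers_for_redirect("https://api.example.test/v1/me",
                               "https://cdn.example.test/v1/me", hdrs))
    print(request_target_is_safe("/search?q=ok"),
          request_target_is_safe("/search?q=a\r\nX-Injected: 1"))
```

Running the block drops Authorization on the cross-host redirect while keeping Accept, and flags only the request target that embeds a CR/LF pair.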

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-urllib3-1.10.2-7.el7.src.rpm
    MD5: 1b1c3cb66defcf517f71f655a5ad0e80
    SHA-256: 5291b614be579949d2f40a688f2c6a16816af59e43c337ee1556a5db36d652a3
    Size: 146.45 kB

Asianux Server 7 for x86_64
  1. python-urllib3-1.10.2-7.el7.noarch.rpm
    MD5: 5f30f2f7fabea0e2a121876dc5252f46
    SHA-256: 107f01204cad6ea37bec29dd257243fd732e6aef1df20e4f14548fd09ed124c7
    Size: 101.84 kB

Copyright © 2007-2015 Asianux. All rights reserved.