python3.11-urllib3-1.26.12-2.el8

エラータID: AXSA:2024-8336:02

Release date: 
Tuesday, June 18, 2024 - 10:52
Subject: 
python3.11-urllib3-1.26.12-2.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.

Security Fix(es):

* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.10 Release Notes linked from the References section.

CVE-2023-43804
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python3.11-urllib3-1.26.12-2.el8.src.rpm
    MD5: 9d4f6137d52c3bc0e3a66b4ac1fe36de
    SHA-256: a7fc48469c2bf8c34a52cff136ecc51c5fa94bc9c2a78eaa9e5572d8116ca363
    Size: 276.25 kB

Asianux Server 8 for x86_64
  1. python3.11-urllib3-1.26.12-2.el8.noarch.rpm
    MD5: 8f72ab7e2989d086c0e2947f5f67cc99
    SHA-256: 8c2b66adda0c40ac1114b1a5061ab666a43011f675f39963775be9c192ec0d93
    Size: 238.64 kB