[Git][security-tracker-team/security-tracker][master] urllib3 in stretch seems vulnerable to CVE-2021-33503. Upstream changed
Abhijith PA (@abhijith)
abhijith at debian.org
Tue Jun 15 11:03:29 BST 2021
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c3235556 by Abhijith PA at 2021-06-15T15:32:37+05:30
urllib3 in stretch seems vulnerable to CVE-2021-33503. Upstream changed
URL parsing to RFC 3986 standards. Fixes are on top of this change.
Thus marking CVE-2021-33503 <ignored>.
Remove no-dsa tags for CVE-2018-20060 CVE-2019-11236 CVE-2019-11324
CVE-2020-26137.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2651,6 +2651,7 @@ CVE-2021-33504
CVE-2021-33503 [Catastrophic backtracking in URL authority parser when passed URL containing many @ characters]
RESERVED
- python-urllib3 <unfixed> (bug #989848)
+ [stretch] - python-urllib3 <ignored> (Intrusive to backport)
NOTE: https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
NOTE: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
CVE-2021-33502 (The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x befo ...)
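Review bot: the rationale on the new `[stretch] - python-urllib3 <ignored> (Intrusive to backport)` line relies on context that only the commit message carries (the upstream fix sits on top of the move to RFC 3986 URL parsing); add a NOTE line under the entry recording that dependency, e.g. `NOTE: fix builds on upstream's RFC 3986 URL-parsing rewrite, not backportable to the stretch version`, so the decision is traceable from data/CVE/list itself. The message also says stretch "seems vulnerable"; if the affected authority-parsing regex was actually checked in the stretch version, say so in the same NOTE rather than leaving the tag resting on a guess.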
@@ -50991,7 +50992,6 @@ CVE-2020-26138 (In SilverStripe through 4.6.0-rc1, a FormField with square brack
CVE-2020-26137 (urllib3 before 1.25.9 allows CRLF injection if the attacker controls t ...)
- python-urllib3 1.25.9-1
[buster] - python-urllib3 <no-dsa> (Minor issue)
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue39603
NOTE: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
NOTE: https://github.com/urllib3/urllib3/pull/1800
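Review bot: dropping the `[stretch] - python-urllib3 <no-dsa> (Minor issue)` line leaves CVE-2020-26137 open for stretch with no replacement status (unstable is fixed in 1.25.9-1, buster keeps its no-dsa tag). The commit message only explains the `<ignored>` for CVE-2021-33503 and lists the four removals without a reason; if the intent is to fix these in a stretch LTS upload, state that in the message and add the fixed stretch version once the upload lands, otherwise the suite now shows as unfixed with no recorded intent behind the change.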
@@ -140854,7 +140854,6 @@ CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, whic
CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases ...)
- python-urllib3 1.25.6-4 (bug #927412)
[buster] - python-urllib3 <no-dsa> (Minor issue)
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3
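Review bot: after this removal stretch is tracked as open for CVE-2019-11324 while the `[buster] - python-urllib3 <no-dsa> (Minor issue)` line keeps the identical rationale that was just withdrawn for stretch, and `[jessie]` stays not-affected. If the issue is now considered worth fixing in stretch, the "Minor issue" justification for buster in the same entry is hard to defend; either explain the difference in a NOTE or revisit the buster tag alongside this change.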
@@ -141083,7 +141082,6 @@ CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection
[experimental] - python-urllib3 1.25.6-1
- python-urllib3 1.25.6-4 (bug #927172)
[buster] - python-urllib3 <no-dsa> (Minor issue)
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
NOTE: https://github.com/urllib3/urllib3/issues/1553
NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
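Review bot: two upstream commits are listed for CVE-2019-11236 (9b767853… and efddd7e7…) with no indication of which release carries them or whether both are needed to close the issue; now that the stretch tag is removed and a backport is on the table, annotate each NOTE with the upstream version, as the CVE-2020-26137 entry already does with `(1.25.9)`, so the scope of the stretch fix is clear to whoever prepares it.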
@@ -166635,7 +166633,6 @@ CVE-2018-20061 (A SQL injection issue was discovered in ERPNext 10.x and 11.x th
NOT-FOR-US: Frappe ERPNext
CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HTTP hea ...)
- python-urllib3 1.24-1
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
[jessie] - python-urllib3 <ignored> (Minor issue)
NOTE: https://github.com/urllib3/urllib3/issues/1316
NOTE: https://github.com/urllib3/urllib3/pull/1346
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3235556f7da9bec3b5a87c6bf6c138d8e46b1eb