[Git][security-tracker-team/security-tracker][master] DLA-3610-1: Also mark CVE-2018-25091/python-urllib3 as fixed.

Sun Oct 15 23:05:00 BST 2023


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a6877d8d by Guilhem Moulin at 2023-10-16T00:04:34+02:00
DLA-3610-1: Also mark CVE-2018-25091/python-urllib3 as fixed.

MITRE just assigned that ID for the non-titlecase variant of
CVE-2018-20060.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,7 +1,11 @@
 CVE-2023-38312 (A directory traversal vulnerability in Valve Counter-Strike 8684 allow ...)
 	TODO: check
 CVE-2018-25091 (urllib3 before 1.24.2 does not remove the authorization HTTP header wh ...)
-	TODO: check
+	{DLA-3610-1}
+	- python-urllib3 1.25.6-1
+	NOTE: https://github.com/urllib3/urllib3/issues/1510
+	NOTE: This issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
+	NOTE: Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.24.2)
 CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0 ...)
 	TODO: check
 CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle Rental S ...)
@@ -335232,7 +335236,7 @@ CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HT
 	NOTE: https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
 	NOTE: https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532
 	NOTE: Fixed upstream in 1.23
-	NOTE: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up for lowercase headers, 1.24.2)
+	NOTE: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up from 1.24.2 to avoid CVE-2018-25091)
 CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.)
 	NOT-FOR-US: Pippo
 CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path traversal  ...)


=====================================
data/DLA/list
=====================================
@@ -26,7 +26,7 @@
 	{CVE-2019-0053 CVE-2023-40303}
 	[buster] - inetutils 2:1.9.4-7+deb10u3
 [08 Oct 2023] DLA-3610-1 python-urllib3 - security update
-	{CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804}
+	{CVE-2018-25091 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804}
 	[buster] - python-urllib3 1.24.1-1+deb10u1
 [08 Oct 2023] DLA-3609-1 prometheus-alertmanager - security update
 	{CVE-2023-40577}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231015/b1a04255/attachment.htm>
