diff -Nru python-urllib3-1.22/debian/changelog python-urllib3-1.22/debian/changelog
--- python-urllib3-1.22/debian/changelog 2019-05-13 18:27:58.000000000 +0000
+++ python-urllib3-1.22/debian/changelog 2020-10-01 18:00:15.000000000 +0000
@@ -1,3 +1,13 @@
+python-urllib3 (1.22-1ubuntu0.18.04.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: CRLF injection via method parameter
+ - debian/patches/CVE-2020-26137.patch: raise ValueError if method
+ contains control characters in urllib3/connection.py,
+ test/with_dummyserver/test_connectionpool.py.
+ - CVE-2020-26137
+
+ -- Marc Deslauriers Thu, 01 Oct 2020 14:00:15 -0400
+
 python-urllib3 (1.22-1ubuntu0.18.04.1) bionic-security; urgency=medium
 
 * SECURITY UPDATE: credential disclosure via cross-origin redirect
diff -Nru python-urllib3-1.22/debian/patches/CVE-2020-26137.patch python-urllib3-1.22/debian/patches/CVE-2020-26137.patch
--- python-urllib3-1.22/debian/patches/CVE-2020-26137.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-urllib3-1.22/debian/patches/CVE-2020-26137.patch 2020-10-01 18:00:10.000000000 +0000
@@ -0,0 +1,82 @@
+Backport of:
+
+From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson
+Date: Mon, 17 Feb 2020 15:34:48 -0600
+Subject: [PATCH] Raise ValueError if method contains control characters
+ (#1800)
+
+---
+ CHANGES.rst | 7 +++++++
+ src/urllib3/connection.py | 14 ++++++++++++++
+ test/with_dummyserver/test_connectionpool.py | 6 ++++++
+ 3 files changed, 27 insertions(+)
+
+#diff --git a/CHANGES.rst b/CHANGES.rst
+#index dbbf6949d..888b777ea 100644
+#--- a/CHANGES.rst
+#+++ b/CHANGES.rst
+#@@ -1,6 +1,13 @@
+# Changes
+# =======
+#
+#+master (dev)
+#+------------
+#+
+#+* Raise ``ValueError`` if control characters are given in
+#+ the ``method`` parameter of ``HTTPConnection.request()`` (Pull #1800)
+#+
+#+
+# 1.25.8 (2020-01-20)
+# -------------------
+#
+--- a/urllib3/connection.py
++++ b/urllib3/connection.py
+@@ -1,4 +1,5 @@
+ from __future__ import absolute_import
++import re
+ import datetime
+ import logging
+ import os
+@@ -61,6 +62,8 @@ port_by_scheme = {
+ # earlier than 6 months ago.
+ RECENT_DATE = datetime.date(2016, 1, 1)
+
++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
++
+
+ class DummyConnection(object):
+ """Used to detect a failed ConnectionCls import."""
+@@ -166,6 +169,17 @@ class HTTPConnection(_HTTPConnection, ob
+ conn = self._new_conn()
+ self._prepare_conn(conn)
+
++ def putrequest(self, method, url, *args, **kwargs):
++ """Send a request to the server"""
++ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
++ if match:
++ raise ValueError(
++ "Method cannot contain non-token characters %r (found at least %r)"
++ % (method, match.group())
++ )
++
++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
++
+ def request_chunked(self, method, url, body=None, headers=None):
+ """
+ Alternative to the common request method, which sends the
+--- a/test/with_dummyserver/test_connectionpool.py
++++ b/test/with_dummyserver/test_connectionpool.py
+@@ -656,6 +656,12 @@ class TestConnectionPool(HTTPDummyServer
+ pool = HTTPConnectionPool('thishostdoesnotexist.invalid', self.port, timeout=0.001)
+ self.assertRaises(MaxRetryError, pool.request, 'GET', '/test', retries=2)
+
++ @pytest.mark.parametrize("char", [" ", "\r", "\n", "\x00"])
++ def test_invalid_method_not_allowed(self, char):
++ with pytest.raises(ValueError):
++ with HTTPConnectionPool(self.host, self.port) as pool:
++ pool.request("GET" + char, "/")
++
+ def test_source_address(self):
+ for addr, is_ipv6 in VALID_SOURCE_ADDRESSES:
+ if is_ipv6 and not HAS_IPV6_AND_DNS:
diff -Nru python-urllib3-1.22/debian/patches/series python-urllib3-1.22/debian/patches/series
--- python-urllib3-1.22/debian/patches/series 2019-05-13 18:27:58.000000000 +0000
+++ python-urllib3-1.22/debian/patches/series 2020-10-01 17:58:30.000000000 +0000
@@ -17,3 +17,4 @@
 CVE-2019-11236-3.patch
 CVE-2019-11324.patch
 fix_cert_error.patch
+CVE-2020-26137.patch
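Review bot: The added `@pytest.mark.parametrize("char", ...)` on `test_invalid_method_not_allowed` will not take effect if `TestConnectionPool` is still a `unittest.TestCase` subclass in this 1.22 tree, which the neighbouring `self.assertRaises(...)` call suggests — pytest does not parametrize TestCase methods, so the test would fail on the missing `char` argument instead of exercising the fix (the class header is outside the hunk; confirm before applying). Iterating over the four characters inside the method, as below, keeps the same coverage without depending on pytest-style test classes. The new `putrequest` docstring `"""Send a request to the server"""` also says nothing about the check it introduces; I would state that `method` must consist only of RFC 7230 token characters so that a caller-controlled method cannot inject CR/LF and smuggle extra headers or requests, that a `ValueError` is raised otherwise, and that control characters in `url` are not checked here and remain the responsibility of the stdlib `putrequest`. A one-line comment on the regex would help the next backporter too, e.g. `# matches any character outside the RFC 7230 tchar set (CVE-2020-26137)`.
```python
    def test_invalid_method_not_allowed(self):
        # Plain loop: pytest does not apply parametrize to unittest.TestCase methods.
        for char in [" ", "\r", "\n", "\x00"]:
            with pytest.raises(ValueError):
                with HTTPConnectionPool(self.host, self.port) as pool:
                    pool.request("GET" + char, "/")
```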