Changelog

python-urllib3 (1.25.11-1~20.04.sav1) focal; urgency=medium

  * SECURITY UPDATE: http cookie leakage via http redirect
    - debian/patches/CVE-2023-43804.patch: removes the cookie from the
      http request when it is redirected to a different origin.
    - CVE-2023-43804
  * SECURITY UPDATE: http body leakage via http redirect
    - debian/patches/CVE-2023-45803.patch: removes the body from the
      http request when it is redirected to a different origin and the
      http verb is changed to GET.
    - CVE-2023-45803
    [ thanks to Jorge Sancho Larraz <email address hidden> ]
  * SECURITY UPDATE: DoS via URL regex backtracking
    - debian/patches/CVE-2021-33503.patch: improve performance of
      sub-authority splitting in URL in src/urllib3/util/url.py,
      test/test_util.py.
    - CVE-2021-33503
    [ thanks to Marc Deslauriers <email address hidden> ]

 -- Rob Savoury <email address hidden>  Fri, 10 Nov 2023 16:13:57 -0800
