moderate: python-urllib3 security update
moderate
An update for python-urllib3 is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
python-urllib3:
Security Fix(es):
python-urllib3: A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.(CVE-2024-37891)
python-urllib3: A flaw was found in urllib3, a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, which is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.(CVE-2023-43804)
python-urllib3: A flaw was found in urllib3, an HTTP client library for Python. urllib3 doesn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303, after changing the method in a request from one that could accept a request body such as `POST` to `GET`, as is required by HTTP RFCs. This issue requires a previously trusted service to become compromised in order to have an impact on confidentiality, therefore, the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies; if this is the case, this vulnerability isn't exploitable.(CVE-2023-45803)
python-urllib3: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.