- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2686-1
https://www.debian.org/lts/security/                          Abhijith PA
June 15, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-urllib3
Version        : 1.19.1-1+deb9u1
CVE ID         : CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137

Several vulnerabilities were discovered in python-urllib3, an HTTP
client for Python.


    Urllib3 does not remove the Authorization HTTP header when 
    following a cross-origin redirect (i.e., a redirect that differs 
    in host, port, or scheme). This can allow for credentials in the 
    Authorization header to be exposed to unintended hosts or 
    transmitted in cleartext.


    CRLF injection is possible if the attacker controls the request 


    Urllib3 mishandles certain cases where the desired set of CA 
    certificates is different from the OS store of CA certificates, 
    which results in SSL connections succeeding in situations where a 
    verification failure is the correct outcome. This is related to 
    use of the ssl_context, ca_certs, or ca_certs_dir argument.


    Urllib3 allows CRLF injection if the attacker controls the HTTP 
    request method, as demonstrated by inserting CR and LF control 
    characters in the first argument of putrequest().
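The two header-handling problems above, the Authorization header surviving a cross-origin redirect (CVE-2018-20060) and CR/LF control characters reaching the request line through the method (CVE-2020-26137), come down to two checks a client must make. The code below is an added illustration of those checks using only the Python standard library; it is not code from urllib3 or from the Debian package, and the function names are the author's own.

```python
"""Added illustration of the two checks behind CVE-2018-20060 and
CVE-2020-26137; not urllib3's own code."""
import re
from urllib.parse import urlsplit

# Default ports so that https://a.example and https://a.example:443
# compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_cross_origin(src, dst):
    """True when a redirect from src to dst changes scheme, host or port."""
    return origin(src) != origin(dst)


def headers_for_redirect(headers, src, dst, sensitive=("authorization",)):
    """Headers to send when following a redirect from src to dst.

    Credentials are dropped on a cross-origin redirect so they are never
    replayed to another host or downgraded to cleartext (CVE-2018-20060).
    """
    if not is_cross_origin(src, dst):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in sensitive}


# RFC 7230 "token" characters: the only thing a method may consist of.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def method_is_safe(method):
    """True only if the method is a plain HTTP token (no CR, LF, spaces)."""
    return bool(_TOKEN.match(method))


def validate_method(method):
    """Reject methods that could inject a header or a second request
    (CVE-2020-26137); return the method unchanged when it is clean."""
    if not method_is_safe(method):
        raise ValueError("invalid HTTP method: %r" % method)
    return method
```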

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS