Change logs for python-urllib3 source package in Focal

  • python-urllib3 (1.25.8-2ubuntu0.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: HTTP cookie leakage via HTTP redirect
        - debian/patches/CVE-2023-43804.patch: removes the cookie from the
          HTTP request when it is redirected to a different origin.
        - CVE-2023-43804
      * SECURITY UPDATE: HTTP body leakage via HTTP redirect
        - debian/patches/CVE-2023-45803.patch: removes the body from the
          HTTP request when it is redirected to a different origin and the
          HTTP verb is changed to GET.
        - CVE-2023-45803
    
     -- Jorge Sancho Larraz <email address hidden>  Tue, 24 Oct 2023 21:57:53 +0200
  • python-urllib3 (1.25.8-2ubuntu0.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: DoS via URL regex backtracking
        - debian/patches/CVE-2021-33503.patch: improve performance of
          sub-authority splitting in URL in src/urllib3/util/url.py,
          test/test_util.py.
        - CVE-2021-33503
    
     -- Marc Deslauriers <email address hidden>  Wed, 18 Jan 2023 10:50:06 -0500
  • python-urllib3 (1.25.8-2ubuntu0.1) focal-security; urgency=medium
    
      * SECURITY UPDATE: CRLF injection via method parameter
        - debian/patches/CVE-2020-26137.patch: raise ValueError if method
          contains control characters in src/urllib3/connection.py,
          test/with_dummyserver/test_connectionpool.py.
        - CVE-2020-26137
    
     -- Marc Deslauriers <email address hidden>  Thu, 01 Oct 2020 13:56:51 -0400
  • python-urllib3 (1.25.8-2) unstable; urgency=medium
    
      * Drop python2 support; Closes: #938244
      * debian/control
        - bump versioned b-d on six to >= 1.12.0 (the same version of the embedded
          module); Closes: #950738
    
     -- Sandro Tosi <email address hidden>  Wed, 01 Apr 2020 11:35:50 -0400
  • python-urllib3 (1.25.8-1) unstable; urgency=medium
    
      * Team upload.
    
      [ Debian Janitor ]
      * Use secure URI in Homepage field.
      * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
        Repository-Browse.
    
      [ Håvard Flaget Aasen ]
      * New upstream version 1.25.8
      * Rebase patches.
      * Update Standards-Version to 4.5.0
      * Remove python-nose and python3-nose from build-dependency.
      * Add Rules-Requires-Root: no
      * Remove test/conftest.py during build.
    
     -- Håvard Flaget Aasen <email address hidden>  Sat, 25 Jan 2020 15:56:27 +0100
  • python-urllib3 (1.24.1-1ubuntu2) focal; urgency=medium
    
      * No-change rebuild to generate dependencies on python2.
    
     -- Matthias Klose <email address hidden>  Tue, 17 Dec 2019 12:44:45 +0000
  • python-urllib3 (1.24.1-1ubuntu1) eoan; urgency=medium
    
      * SECURITY UPDATE: CRLF injection issue
        - debian/patches/CVE-2019-11236-1.patch: check for control chars in URL
          in src/urllib3/connection.py, src/urllib3/connectionpool.py,
          src/urllib3/contrib/pyopenssl.py, src/urllib3/contrib/socks.py,
          src/urllib3/poolmanager.py, src/urllib3/response.py,
          src/urllib3/util/ssl_.py, src/urllib3/util/url.py,
          test/__init__.py, test/test_util.py,
          test/with_dummyserver/test_https.py,
          test/with_dummyserver/test_socketlevel.py.
        - debian/patches/CVE-2019-11236-2.patch: percent-encode invalid target
          characters in src/urllib3/util/url.py, test/test_util.py.
        - debian/patches/CVE-2019-11236-3.patch: don't use embedded python-six
          in src/urllib3/util/url.py.
        - CVE-2019-11236
      * SECURITY UPDATE: CA cert mishandling
        - debian/patches/CVE-2019-11324.patch: don't load system certificates
          by default when any other CA cert parameters are specified in
          src/urllib3/util/ssl_.py.
        - CVE-2019-11324
    
     -- Marc Deslauriers <email address hidden>  Mon, 13 May 2019 13:16:33 -0400