[ubuntu/eoan-proposed] python-urllib3 1.24.1-1ubuntu1 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Mon May 13 18:04:13 UTC 2019
python-urllib3 (1.24.1-1ubuntu1) eoan; urgency=medium

  * SECURITY UPDATE: CRLF injection issue
    - debian/patches/CVE-2019-11236-1.patch: check for control chars in URL
      in src/urllib3/connection.py, src/urllib3/connectionpool.py,
      src/urllib3/contrib/pyopenssl.py, src/urllib3/contrib/socks.py,
      src/urllib3/poolmanager.py, src/urllib3/response.py,
      src/urllib3/util/ssl_.py, src/urllib3/util/url.py,
      test/__init__.py, test/test_util.py,
      test/with_dummyserver/test_https.py,
      test/with_dummyserver/test_socketlevel.py.
    - debian/patches/CVE-2019-11236-2.patch: percent-encode invalid target
      characters in src/urllib3/util/url.py, test/test_util.py.
    - debian/patches/CVE-2019-11236-3.patch: don't use embedded python-six
      in src/urllib3/util/url.py.
    - CVE-2019-11236
  * SECURITY UPDATE: CA cert mishandling
    - debian/patches/CVE-2019-11324.patch: don't load system certificates
      by default when any other CA cert parameters are specified in
      src/urllib3/util/ssl_.py.
    - CVE-2019-11324

Date: Mon, 13 May 2019 13:16:33 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/python-urllib3/1.24.1-1ubuntu1
-------------- next part --------------
Format: 1.8
Date: Mon, 13 May 2019 13:16:33 -0400
Source: python-urllib3
Architecture: source
Version: 1.24.1-1ubuntu1
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian Python Modules Team <python-modules-team at lists.alioth.debian.org>