[Bug 2138420] Re: backport of CVE-2026-21441 results in broken package
Launchpad Bug Tracker
2138420 at bugs.launchpad.net
Mon Jan 19 11:51:56 UTC 2026
This bug was fixed in the package python-urllib3 -
1.26.5-1~exp1ubuntu0.6
---------------
python-urllib3 (1.26.5-1~exp1ubuntu0.6) jammy-security; urgency=medium
* SECURITY REGRESSION: Missing _has_decoded_content from CVE-2026-21441
(LP: #2138420)
- debian/patches/CVE-2026-21441-fix1.patch: Implement _has_decoded_content
and decoded checks in src/urllib3/response.py. Add tests in
test/test_response.py.
-- Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com> Fri, 16 Jan 2026
19:39:26 -0330
** Changed in: python-urllib3 (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-urllib3 in Ubuntu.
https://bugs.launchpad.net/bugs/2138420
Title:
backport of CVE-2026-21441 results in broken package
Status in python-urllib3 package in Ubuntu:
Fix Released
Bug description:
the backport to urllib3 1.26.5 is a copy and paste of code from
urllib3 2.x that makes no sense in urllib3 1.x
There is no tracking of decoded response data in urllib3 1.x
`HTTPResponse` class. Using the API from 2.x `BaseHTTPResponse` class
in 1.x `HTTPResponse` class does not make sense in this case.
As a result, accessing the `self._has_decoded_data` property which
only exists in 2.x new `BaseHTTPResponse` is not valid in 1.x
`HTTPResponse` and any code that uses response streaming in Jammy will
fail.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/2138420/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list