| author | Kai Knoblich <kai@FreeBSD.org> | 2019-11-26 11:51:30 +0000 |
|---|---|---|
| committer | Kai Knoblich <kai@FreeBSD.org> | 2019-11-26 11:51:30 +0000 |
| commit | a3096331a8a4deed8d19b05bccd062d56ebaaf04 (patch) | |
| tree | a450f482ad8cc4140275c5cae9536907430ce17c | |
| parent | lang/racket and lang/racket-minimal: make FUTURES depend on JIT. (diff) | |
security/vuxml: Document net/py-urllib3 issues
PR: 229322
Security: CVE-2018-20060
CVE-2019-11236
CVE-2019-11324
Notes:
svn path=/head/; revision=518463
| -rw-r--r-- | security/vuxml/vuln.xml | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 2d5cd563146f..291b9218da45 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="87270ba5-03d3-11ea-b81f-3085a9a95629"> + <topic>urllib3 -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py27-urllib3</name> + <name>py35-urllib3</name> + <name>py36-urllib3</name> + <name>py37-urllib3</name> + <name>py38-urllib3</name> + <range><lt>1.24.3,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>NIST reports: (by search in the range 2018/01/01 - 2019/11/10):</p> + <blockquote cite="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019"> + <p>urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.</p> + <p>In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.</p> + <p>The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. 
This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.</p> + </blockquote> + </body> + </description> + <references> + <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019</url> + <cvename>CVE-2018-20060</cvename> + <cvename>CVE-2019-11236</cvename> + <cvename>CVE-2019-11324</cvename> + <freebsdpr>ports/229322</freebsdpr> + </references> + <dates> + <discovery>2018-12-11</discovery> + <entry>2019-11-26</entry> + </dates> + </vuln> + <vuln vid="fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9"> <topic>FreeBSD -- Intel CPU Microcode Update</topic> <affects> |
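Review bot: the `cite` attribute on the `<blockquote>` and the `<url>` element both contain a literal `&` (`&results_type=`, `&query=`, `&search_type=`, and so on); inside an XML document that character must be escaped as `&amp;`, otherwise the file is no longer well-formed and any XML parser reading vuln.xml will reject the entry. Please escape every `&` in both places before committing. Two smaller points on the same hunk: an NVD search-results URL is a fragile reference, since the result set changes as new CVEs are published, so the three per-CVE NVD pages (or the upstream urllib3 advisories) would be the more durable `<url>` entries; and the quoted descriptions name 1.23 and 1.24.2 as the fixed versions while the `<range>` is `<lt>1.24.3,1</lt>`, so it would help to state in the commit message why 1.24.3 was chosen as the boundary rather than 1.24.2.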
