Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2942
python-urllib3 security update
7 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-urllib3
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11236 CVE-2018-20060
Reference: ESB-2019.1820
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:2272
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python-urllib3 security update
Advisory ID: RHSA-2019:2272-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2272
Issue date: 2019-08-06
CVE Names: CVE-2018-20060 CVE-2019-11236
=====================================================================
1. Summary:
An update for python-urllib3 is now available for Red Hat Enterprise Linux
7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
3. Description:
The python-urllib3 package provides the Python HTTP module with connection
pooling and file POST abilities.
Security Fix(es):
* python-urllib3: Cross-host redirect does not remove Authorization header
allow for credential exposure (CVE-2018-20060)
* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence
leading to possible attack on internal service (CVE-2019-11236)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.7 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1649153 - CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
1700824 - CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
python-urllib3-1.10.2-7.el7.src.rpm
noarch:
python-urllib3-1.10.2-7.el7.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
python-urllib3-1.10.2-7.el7.src.rpm
noarch:
python-urllib3-1.10.2-7.el7.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
python-urllib3-1.10.2-7.el7.src.rpm
noarch:
python-urllib3-1.10.2-7.el7.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
python-urllib3-1.10.2-7.el7.src.rpm
noarch:
python-urllib3-1.10.2-7.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-20060
https://access.redhat.com/security/cve/CVE-2019-11236
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXUl2VdzjgjWX9erEAQiLlw//ZNZovtpAMCc+0N07n7Tvn5J7yD0xcT/w
ycbdQ+i8tJz+m7Q/23n32uvq5Xcs1atUpfHgy0NTDJxJKLebV483VyN7456edtCx
f2OUk3lJbdDxvj5vL9lYxwB7BwesFdYIRLxBy+a3JTpyDIZqP5jKeQu9sAjDN3VE
/DTHTjOJYiL0edUlwa3vymRNGmwMfIMyaGQazdNShbej6AHTWkwZExnDCZ5wthtL
pc1lMAQxTwX+X+G1D7MoAE1zQ/USYU7T9Zpf7Nv4nrI/yDjoBdRZTau3fuDC9wQv
xars7vRqiFrKJvvqpXuxIFYHJMXuOyhBNGicpezDwy8jOjjPVcqNI1emLQUyD1SJ
lOXS2tLu5Uj/HIne/Ji8qsFCRxLsvl1zsx40gJRufG8KRt3+H8he15s92ZJDvwII
JKGvf6xw3ecgRrAHQ0mi4IKmyUs5AF9Z28qCl5Qg1cdYy/YFsy4qNJj5fKSB0ufB
OhzLvqeZ0jAy/aMIcfqxXZztIXjlpZicKfxDjt1ppJ0PPnI4OHQTGDCqC2pYxf07
7pSzxcNXkMlmXw0UwUk/3z8fa36p/SSSKFTcL3epp4JTIVYJYAuTw+m6apoV1Cs5
jK7M88O8/0SMjQvl9G8wVSIxNT9tSnN12qEWYv9SUYStlHYUficEH9UXWKjHuLWP
MxQGtDB591Q=
=H+sF
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXUpIcmaOgq3Tt24GAQiDJA//TB5TgVeVZxOptIV4GIxBkL+kMTBR5dVr
qDKkY2H9lS08kfK6ku9ZNqou+ATSGZ0sTxrDO1qz9wi9rsWD0DhYC+dRIqnusom5
ktOnWdxmPZc2XPP1H3YLavpmXnhRh+T1d9tpqVpqmE5qaJxZZ0NjBaMQbV0TrcLN
xGPeXCu5dg7IAMA7jmKVulXcyo3o3rv2gpGat9TiVMm38X/+o9ucWZDeXDOtdo6o
soVnqwl/vqJSAX4yBkZPFqybTSZijIa7ojM/l1rFLEK7sWt/lzhrHlQ/PGrgNfVb
r1bt9skvIwRaUjuAcadsI1YxGG3N3ajHBm66JK7R19EbWO3lnWHsxmnmfwGzZKNm
r3yDJNnTq1EtsQ56m72iCkYelfdkmbQ4Su1M90seYHP6oJQtkMMirit85czHUn5B
Zwztbnjq2MJKr6SQ3pUhoGG/KOWb+IQT7rt1U/gmLwfo+yRE15/2kZZ/gUfrLuQs
7u6xJxnVbm2r7rkA+GBBXmTolYdTIF+jNci+kI40pb5QPd/1pNKwlj3uazQnkOEU
Id7PEInj5inoHriTZBpAjCdbwNEc2sc6Prl0FvRApDMFDpJDtrSlnM9+dvr2vOV8
Ht2wniX0KstkQDJEX7D/VmL0kCnUFj8JItVFJFTBU2exBQXc5I1Bc04xDiyBXQlA
sSD8em+lW1g=
=/nbz
-----END PGP SIGNATURE-----