Headline
Ubuntu Security Notice USN-7084-1
Ubuntu Security Notice 7084-1 - It was discovered that urllib3 didn’t strip HTTP Proxy-Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.
==========================================================================
Ubuntu Security Notice USN-7084-1
October 29, 2024
python-urllib3 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
urllib3 could leak sensitive information.
Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling
Details:
It was discovered that urllib3 didn’t strip HTTP Proxy-Authorization header
on cross-origin redirects. A remote attacker could possibly use this issue
to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
python3-urllib3 2.0.7-2ubuntu0.1
Ubuntu 24.04 LTS
python3-urllib3 2.0.7-1ubuntu0.1
Ubuntu 22.04 LTS
python3-urllib3 1.26.5-1~exp1ubuntu0.2
Ubuntu 20.04 LTS
python3-urllib3 1.25.8-2ubuntu0.4
Ubuntu 18.04 LTS
python-urllib3 1.22-1ubuntu0.18.04.2+esm2
Available with Ubuntu Pro
python3-urllib3 1.22-1ubuntu0.18.04.2+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-urllib3 1.13.1-2ubuntu0.16.04.4+esm2
Available with Ubuntu Pro
python3-urllib3 1.13.1-2ubuntu0.16.04.4+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7084-1
CVE-2024-37891
Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.5-1~exp1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-urllib3/1.25.8-2ubuntu0.4
Related news
Ubuntu Security Notice 7084-2 - USN-7084-1 fixed vulnerability in urllib3. This update provides the corresponding update for the urllib3 module bundled into pip. It was discovered that urllib3 didn't strip HTTP Proxy-Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.
Red Hat Security Advisory 2024-6358-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-6311-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6310-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Security Advisory 2024-6309-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-6162-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-5309-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-5041-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Security Advisory 2024-4746-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-4730-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.
Red Hat Security Advisory 2024-4422-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.