USN-3990-1: urllib3 vulnerabilities
First published: Tue May 21 2019(Updated: )
It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handled cross-origin redirects. This could result in credentials being sent to unintended hosts. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20060) It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-11236) It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectations. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-11324)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/python-urllib3 | <1.24.1-1ubuntu0.1 | 1.24.1-1ubuntu0.1 |
| =19.04 | ||
| All of | ||
| ubuntu/python3-urllib3 | <1.24.1-1ubuntu0.1 | 1.24.1-1ubuntu0.1 |
| =19.04 | ||
| All of | ||
| ubuntu/python-urllib3 | <1.22-1ubuntu0.18.10.1 | 1.22-1ubuntu0.18.10.1 |
| =18.10 | ||
| All of | ||
| ubuntu/python3-urllib3 | <1.22-1ubuntu0.18.10.1 | 1.22-1ubuntu0.18.10.1 |
| =18.10 | ||
| All of | ||
| ubuntu/python-urllib3 | <1.22-1ubuntu0.18.04.1 | 1.22-1ubuntu0.18.04.1 |
| =18.04 | ||
| All of | ||
| ubuntu/python3-urllib3 | <1.22-1ubuntu0.18.04.1 | 1.22-1ubuntu0.18.04.1 |
| =18.04 | ||
| All of | ||
| ubuntu/python-urllib3 | <1.13.1-2ubuntu0.16.04.3 | 1.13.1-2ubuntu0.16.04.3 |
| =16.04 | ||
| All of | ||
| ubuntu/python3-urllib3 | <1.13.1-2ubuntu0.16.04.3 | 1.13.1-2ubuntu0.16.04.3 |
| =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2018-20060
- https://ubuntu.com/security/CVE-2019-11236
- https://ubuntu.com/security/CVE-2019-11324
- https://ubuntu.com/security/notices/USN-3990-2
- https://launchpad.net/ubuntu/+source/python-urllib3/1.24.1-1ubuntu0.1
- https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.10.1
- https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.04.1
- https://launchpad.net/ubuntu/+source/python-urllib3/1.13.1-2ubuntu0.16.04.3
- https://ubuntu.com/security/notices/USN-3990-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID of this advisory?
The vulnerability ID of this advisory is USN-3990-1.
What is the severity of USN-3990-1?
The severity of USN-3990-1 is not specified in the provided information.
Which versions of Ubuntu are affected by USN-3990-1?
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04 are affected by USN-3990-1.
How can I fix USN-3990-1?
To fix USN-3990-1, you should update the python-urllib3 and python3-urllib3 packages to the specified versions provided in the advisory.
Where can I find more information about USN-3990-1?
You can find more information about USN-3990-1 on the Ubuntu Security website.
- agent/severity
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/title
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/usn
- source/Ubuntu
- anchor-related/USN-3990-2
- agent/software-canonical-lookup
- agent/trending
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/19.04
- version/ubuntu ubuntu/18.10
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04