Bug 2292788 (CVE-2024-37891)
Summary: | CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Robb Gatica <rgatica> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | Flags: | eddie.rowe: needinfo? (harsh_si) |
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | urllib3 1.26.19, urllib3 2.2.2 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects. |
Bug Depends On: | 2293152, 2293153, 2293154, 2293155, 2293157, 2293158, 2293159, 2293160, 2293163, 2293167, 2293169, 2293173, 2293180, 2293181, 2293183, 2293188, 2293189, 2293190, 2292790, 2292791, 2292792, 2292793, 2292794, 2292795, 2293156, 2293161, 2293162, 2293164, 2293165, 2293166, 2293168, 2293170, 2293171, 2293172, 2293174, 2293175, 2293176, 2293177, 2293178, 2293179, 2293182, 2293184, 2293185, 2293186, 2293187 | ||
Bug Blocks: | 2292796 |
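The Doc Text above describes the flaw in one sentence; the following added example (written for this page, not code from urllib3 or from Red Hat) models the redirect header policy so the difference is visible. It assumes a pre-fix policy that strips only `Authorization` and `Cookie` and a fixed policy that also strips `Proxy-Authorization`; the sample headers are constructed placeholders, and the runtime probe reads `Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT` from whatever urllib3 happens to be installed.

```python
from urllib.parse import urlsplit

# Two redirect header-stripping policies, modelled after the behaviour the
# Doc Text describes (assumption for this example: the pre-fix policy strips
# Authorization and Cookie only; the fixed policy also strips
# Proxy-Authorization, the header named in CVE-2024-37891).
VULNERABLE_POLICY = frozenset({"authorization", "cookie"})
FIXED_POLICY = frozenset({"authorization", "cookie", "proxy-authorization"})

# Headers that carry credentials and must not follow a cross-origin redirect.
CREDENTIAL_HEADERS = FIXED_POLICY

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = (u.scheme or "http").lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers: dict, from_url: str, to_url: str,
                         policy: frozenset) -> dict:
    """Headers a client following a redirect would send: everything on a
    same-origin redirect, everything except the policy's headers otherwise."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in policy}


def leaked_credentials(headers: dict, from_url: str, to_url: str,
                       policy: frozenset) -> list:
    """Credential headers that would still reach the redirect target."""
    sent = headers_for_redirect(headers, from_url, to_url, policy)
    return sorted(k for k in sent if k.lower() in CREDENTIAL_HEADERS)


def installed_policy_strips_proxy_auth():
    """Inspect the urllib3 installed in this interpreter, if any: True when
    Proxy-Authorization is in its default redirect strip list, None when
    urllib3 is not importable."""
    try:
        from urllib3.util.retry import Retry
    except ImportError:
        return None
    defaults = {h.lower() for h in Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT}
    return "proxy-authorization" in defaults


# Constructed sample request: placeholder credentials, not real ones.
SAMPLE_HEADERS = {
    "Proxy-Authorization": "Basic PLACEHOLDER",
    "Authorization": "Bearer PLACEHOLDER",
    "User-Agent": "example-client/1.0",
}
ORIGINAL_URL = "https://api.example.com/v1/resource"
CROSS_ORIGIN_URL = "https://other.example.net/landing"
SAME_ORIGIN_URL = "https://api.example.com:443/v2/resource"

if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("fixed", FIXED_POLICY)):
        leaked = leaked_credentials(SAMPLE_HEADERS, ORIGINAL_URL, CROSS_ORIGIN_URL, policy)
        print(f"{name}: cross-origin redirect forwards {leaked or 'nothing sensitive'}")
    print("installed urllib3 strips Proxy-Authorization:", installed_policy_strips_proxy_auth())
```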
Description
Robb Gatica
2024-06-17 22:33:14 UTC

Created mingw-python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292791]
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292790]
Created cascadia-code-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293160]
Created cura tracking bugs for this issue: Affects: fedora-all [bug 2293161]
Created docker-compose tracking bugs for this issue: Affects: epel-all [bug 2293152]; Affects: fedora-all [bug 2293162]
Created duplicity tracking bugs for this issue: Affects: fedora-all [bug 2293163]
Created google-roboto-mono-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293164]
Created mote tracking bugs for this issue: Affects: epel-all [bug 2293153]
Created mrsw-biz-udgothic-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293165]
Created mrsw-biz-udmincho-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293166]
Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293167]
Created oci-cli tracking bugs for this issue: Affects: fedora-all [bug 2293168]
Created offlineimap tracking bugs for this issue: Affects: fedora-all [bug 2293169]
Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2293170]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2293171]
Created python-WSGIProxy2 tracking bugs for this issue: Affects: fedora-all [bug 2293172]
Created python-ansible-compat tracking bugs for this issue: Affects: fedora-all [bug 2293173]
Created python-commoncode tracking bugs for this issue: Affects: fedora-all [bug 2293174]
Created python-container-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293175]
Created python-dbus-next tracking bugs for this issue: Affects: fedora-all [bug 2293176]
Created python-debian-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293177]
Created python-docker tracking bugs for this issue: Affects: epel-all [bug 2293154]
Created python-extractcode tracking bugs for this issue: Affects: fedora-all [bug 2293178]
Created python-ffmpeg-python tracking bugs for this issue: Affects: fedora-all [bug 2293179]
Created python-flake8-builtins tracking bugs for this issue: Affects: fedora-all [bug 2293180]
Created python-hvac tracking bugs for this issue: Affects: epel-all [bug 2293155]
Created python-mercantile tracking bugs for this issue: Affects: fedora-all [bug 2293181]
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 2293182]
Created python-pip-epel tracking bugs for this issue: Affects: epel-all [bug 2293156]
Created python-play-scraper tracking bugs for this issue: Affects: fedora-all [bug 2293183]
Created python-plugincode tracking bugs for this issue: Affects: fedora-all [bug 2293184]
Created python-pygments-better-html tracking bugs for this issue: Affects: fedora-all [bug 2293185]
Created python-smart-gardena tracking bugs for this issue: Affects: epel-all [bug 2293157]
Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 2293186]
Created python-typecode tracking bugs for this issue: Affects: fedora-all [bug 2293187]
Created python38-hvac tracking bugs for this issue: Affects: epel-all [bug 2293158]
Created rst2pdf tracking bugs for this issue: Affects: fedora-all [bug 2293188]
Created sorkintype-merriweather-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293189]
Created sorkintype-merriweather-sans-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293190]
Created transifex-client tracking bugs for this issue: Affects: epel-all [bug 2293159]

Comment
Why did you open bugzillas for so many unrelated Fedora and EPEL packages?

Comment
There is no tracker for python-urllib3 in RHEL 8.

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:4422 https://access.redhat.com/errata/RHSA-2024:4422

Comment
There is no tracker for python-urllib3 in RHEL 8; also there is no update on RHEL 8. Can anyone confirm / update on this?

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:5041 https://access.redhat.com/errata/RHSA-2024:5041

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:5309 https://access.redhat.com/errata/RHSA-2024:5309

Comment
What will be the resolution for this CVE-2024-37891? Is there any package available for update in Red Hat 9.4? My system is on Red Hat 9.4, but when I tried to update python3-urllib3 it didn't give me any updates, and currently it's on version 1.26.5-5. Kindly suggest the resolution in steps, if possible.

Comment #23 (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526

Comment #24 (Harsh singh)
(In reply to errata-xmlrpc from comment #23)
> This issue has been addressed in the following products:
>
> Red Hat Enterprise Linux 8.8 Extended Update Support
>
> Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526

But I'm getting this vulnerability in my Red Hat Enterprise Linux 9.4 system; is there any solution available for that at the moment? Is there any update marked for this package in RHEL 9.4, or how can I remediate this vulnerability particularly in RHEL 9.4?

Comment
(In reply to Harsh singh from comment #24)
> (In reply to errata-xmlrpc from comment #23)
> > This issue has been addressed in the following products:
> >
> > Red Hat Enterprise Linux 8.8 Extended Update Support
> >
> > Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526
>
> But I'm getting this vulnerability in my red hat enterprise Linux 9.4 system
> for that is there any solution available at the moment....
> As if is there any update marked for this package in rhel 9.4 or how can I
> remidate this vulnerability particularly in rhel 9.4.....

Hi, I recommend contacting Red Hat support to get a specific answer for RHEL 9.4. I can say that we are committed to fixing this issue in the upcoming RHEL 9.5; I'm not able to comment on RHEL 9.4 at this point.

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Via RHSA-2024:5627 https://access.redhat.com/errata/RHSA-2024:5627

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:5622 https://access.redhat.com/errata/RHSA-2024:5622

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:5633 https://access.redhat.com/errata/RHSA-2024:5633

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:6162 https://access.redhat.com/errata/RHSA-2024:6162

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:6239 https://access.redhat.com/errata/RHSA-2024:6239

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:6240 https://access.redhat.com/errata/RHSA-2024:6240

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Via RHSA-2024:6310 https://access.redhat.com/errata/RHSA-2024:6310

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Via RHSA-2024:6358 https://access.redhat.com/errata/RHSA-2024:6358

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:7312 https://access.redhat.com/errata/RHSA-2024:7312

Comment #42 (agilmore2)
Will the RHEL 8 Python 2.7 AppStream version of this library see a patch?

Getting a detection from CVE-2024-37891 on python2-urllib3-1.24.2-4.module+el8.10.0+20444+3bf7fee4.noarch.rpm

Comment #43 (Lumír Balhar)
(In reply to agilmore2 from comment #42)
> Will the RHEL 8 Python 2.7 AppStream version of this library see a patch?
>
> Getting a detection from CVE-2024-37891 on
> python2-urllib3-1.24.2-4.module+el8.10.0+20444+3bf7fee4.noarch.rpm

The Python 2.7 application stream in RHEL 8 is not supported anymore since June 2024.

Comment #45 (agilmore2)
(In reply to Lumír Balhar from comment #43)
>
> Python 2.7 application stream in RHEL 8 is not supported anymore since June
> 2024.

Thanks for the information!

The RHEL 8 LEAPP package depends on python2-requests, which depends on this python2-urllib3 package.

I wouldn't expect LEAPP to be deprecated?

Comment #46 (Lumír Balhar)
(In reply to agilmore2 from comment #45)
>
> (In reply to Lumír Balhar from comment #43)
> >
> > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > 2024.
>
> Thanks for the information!
>
> RHEL 8 LEAPP package depends on python2-requests, which depends on this
> python2-urllib3 package.
>
> I wouldn't expect LEAPP to be deprecated?

I don't know the details here, but I see in the sources that leapp is built for Python 3 in RHEL 8 and the latest build does not produce a python2- subpackage. What version of RHEL and leapp do you use?

Comment #47 (eddie.rowe)
@harsh_si It looks like RedHat failed to post the info about the update for RHEL 9.4 here for some reason. If you run the command below you will see the CVE in the change log for RHEL 9.4.

$ yum changelog python3-urllib3.noarch
...
Listing all changelogs
Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
* Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> - 1.26.5-5.1
- Security fix for CVE-2024-37891
- Backport upstream patch to fix TypeError for http connection if the PoolManager
- is instantiated with server_hostname
Resolves: RHEL-49853

Comment #48 (Lumír Balhar)
(In reply to eddie.rowe from comment #47)
> @harsh_si It looks like RedHat failed to post the info about the
> update for RHEL 9.4 here for some reason. If you run the command below you
> will see the CVE in the change log for RHEL 9.4.
>
> $ yum changelog python3-urllib3.noarch
> ...
> Listing all changelogs
> Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> 1.26.5-5.1
> - Security fix for CVE-2024-37891
> - Backport upstream patch to fix TypeError for http connection if the
> PoolManager
> - is instantiated with server_hostname
> Resolves: RHEL-49853

What do you mean by "failed to post the info about the update for RHEL 9.4"?

The issue for 9.4 is closed, and the advisory is publicly available: https://access.redhat.com/errata/RHSA-2024:6162

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:8035 https://access.redhat.com/errata/RHSA-2024:8035

Comment #50 (agilmore2)
(In reply to Lumír Balhar from comment #46)
> (In reply to agilmore2 from comment #45)
> >
> > (In reply to Lumír Balhar from comment #43)
> > >
> > > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > > 2024.
> >
> > Thanks for the information!
> >
> > RHEL 8 LEAPP package depends on python2-requests, which depends on this
> > python2-urllib3 package.
> >
> > I wouldn't expect LEAPP to be deprecated?
>
> I don't know the details here but I see in the sources that leapp is built
> for Python 3 in RHEL 8 and the latest build does not produce python2-
> subpackage. What version of RHEL and leapp do you use?

Ah, this is the RHEL7->8 LEAPP tooling. Since the specific instance has completed the upgrade to RHEL 8, they can remove it. Is LEAPP RHEL7->8 still supported? How about with active ELS?

Comment #51 (Kaviraj Thangaraj)
(In reply to Lumír Balhar from comment #48)
> (In reply to eddie.rowe from comment #47)
> > @harsh_si It looks like RedHat failed to post the info about the
> > update for RHEL 9.4 here for some reason. If you run the command below you
> > will see the CVE in the change log for RHEL 9.4.
> >
> > $ yum changelog python3-urllib3.noarch
> > ...
> > Listing all changelogs
> > Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> > * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> > 1.26.5-5.1
> > - Security fix for CVE-2024-37891
> > - Backport upstream patch to fix TypeError for http connection if the
> > PoolManager
> > - is instantiated with server_hostname
> > Resolves: RHEL-49853
>
> What do you mean by "failed to post the info about the update for RHEL 9.4"?
> The issue for 9.4 is closed, and the advisory is publicly available:
> https://access.redhat.com/errata/RHSA-2024:6162

Hi,

We could not see the fix available for RHEL 9.4.

Currently we have installed python3-urllib3.noarch - 1.26.5-5.el9_4.1 and it's reported as vulnerable.

Thanks.

Comment
(In reply to Kaviraj Thangaraj from comment #51)
> (In reply to Lumír Balhar from comment #48)
> > (In reply to eddie.rowe from comment #47)
> > > @harsh_si It looks like RedHat failed to post the info about the
> > > update for RHEL 9.4 here for some reason. If you run the command below you
> > > will see the CVE in the change log for RHEL 9.4.
> > >
> > > $ yum changelog python3-urllib3.noarch
> > > ...
> > > Listing all changelogs
> > > Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> > > * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> > > 1.26.5-5.1
> > > - Security fix for CVE-2024-37891
> > > - Backport upstream patch to fix TypeError for http connection if the
> > > PoolManager
> > > - is instantiated with server_hostname
> > > Resolves: RHEL-49853
> >
> > What do you mean by "failed to post the info about the update for RHEL 9.4"?
> > The issue for 9.4 is closed, and the advisory is publicly available:
> > https://access.redhat.com/errata/RHSA-2024:6162
>
> Hi,
>
> We could not see the fix available for RHEL 9.4.
>
> Currently we have installed python3-urllib3.noarch - 1.26.5-5.el9_4.1 and
> it's reported as vulnerable.
>
> Thanks.

Where is the build reported as vulnerable? The Red Hat page about this CVE correctly reports this vulnerability to be fixed in 1.26.5-5.el9_4.1 via advisory RHSA-2024:6162, see: https://access.redhat.com/security/cve/CVE-2024-37891

Comment
(In reply to agilmore2 from comment #50)
> (In reply to Lumír Balhar from comment #46)
> > (In reply to agilmore2 from comment #45)
> > >
> > > (In reply to Lumír Balhar from comment #43)
> > > >
> > > > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > > > 2024.
> > >
> > > Thanks for the information!
> > >
> > > RHEL 8 LEAPP package depends on python2-requests, which depends on this
> > > python2-urllib3 package.
> > >
> > > I wouldn't expect LEAPP to be deprecated?
> >
> > I don't know the details here but I see in the sources that leapp is built
> > for Python 3 in RHEL 8 and the latest build does not produce python2-
> > subpackage. What version of RHEL and leapp do you use?
>
> Ah, this is the RHEL7->8 LEAPP tooling. Since the specific instance has
> completed the upgrade to RHEL8, they can remove it. Is LEAPP RHEL7->8 still
> supported? How about with active ELS?

Answering those questions is out of my scope. Please get in touch with your customer service.

Comment #54 (eddie.rowe)
> What do you mean by "failed to post the info about the update for RHEL 9.4"?
> The issue for 9.4 is closed, and the advisory is publicly available:
> https://access.redhat.com/errata/RHSA-2024:6162

The security advisory indicates the issue was addressed, but many of us would be alerted that our systems were vulnerable due to how Red Hat backports updates to help us keep stable systems, where the version number does not match what the package maintainer may have updated. So after learning that our systems may still be vulnerable we visited THIS Bugzilla page to try to see if there was additional info that might shed light on things. In this case there is no mention that the issue was corrected for RHEL 9.4 anywhere. (Keep in mind that some persons might have just reviewed Bugzilla info and noticed the omission.)

In my case I worked through this when told I failed to patch the server for this issue. I shared the yum command that I used to confirm the CVE(s) were corrected by the update despite there being no mention of the issue being fixed in this entry on Bugzilla. If someone/something is going to post to Bugzilla that an issue has been corrected, it really needs to mention every version of RHEL that is updated or it risks confusing people.

Comment
(In reply to eddie.rowe from comment #54)
> > What do you mean by "failed to post the info about the update for RHEL 9.4"?
> > The issue for 9.4 is closed, and the advisory is publicly available:
> > https://access.redhat.com/errata/RHSA-2024:6162
>
> The security advisory indicates the issue was addressed, but many of us
> would be alerted that our systems were vulnerable due to how Red Hat back
> ports updates to help us keep stable systems where the version number does
> not match what the package maintainer may have updated. So after learning
> that our systems may still be vulnerable we visited THIS Bugzilla page to
> try to see if there was additional info that might shed light on things. In
> this case there is no mention that the issue was corrected for RHEL 9.4
> anywhere. (Keep in mind that some persons might have just reviewed Bugzilla
> info and noticed the omission.)
>
> In my case I worked through this when told I failed to patch the server for
> this issue. I shared the yum command that I used to confirm the CVE(s) were
> corrected by the update despite there being no mention of the issue being
> fixed in this entry on Buzilla. If someone/something is going to post to
> Bugzilla that an issue has been corrected, it really needs to mention every
> version of RHEL that is updated or it risks confusing people.

I understand your point of view, but this Bugzilla is for tracking purposes only and should not be used as a source of truth for what was fixed and where. We have release notes, advisories, and CVE pages for that. If you need more assistance, please contact our customer support.

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:8843 https://access.redhat.com/errata/RHSA-2024:8843

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2024:8842 https://access.redhat.com/errata/RHSA-2024:8842

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Satellite 6.16 for RHEL 8
Red Hat Satellite 6.16 for RHEL 9
Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9457 https://access.redhat.com/errata/RHSA-2024:9457

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:9458 https://access.redhat.com/errata/RHSA-2024:9458

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.4 Extended Update Support
Via RHSA-2024:9923 https://access.redhat.com/errata/RHSA-2024:9923

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.4 Extended Update Support
Via RHSA-2024:9922 https://access.redhat.com/errata/RHSA-2024:9922

Comment (errata-xmlrpc)
This issue has been addressed in the following products:
Red Hat OpenStack Platform 17.1 for RHEL 8
Via RHSA-2024:9985 https://access.redhat.com/errata/RHSA-2024:9985