Bug 2292788 (CVE-2024-37891)

| Field | Value |
|---|---|
| Summary | CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects |
| Product | [Other] Security Response |
| Reporter | Robb Gatica <rgatica> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | adudiak, agarcial, ahanwate, aoconnor, apevec, aprice, asegurap, bbuckingham, bdettelb, brking, caswilli, cdaley, cstratak, ctejagigamon, davidn, dfreiber, dkuc, doconnor, drow, eglynn, ehelms, epacific, fjansen, gcovolo, ggainey, gtanzill, haoli, harsh_si, hhorak, hkataria, it.server, jburrell, jcammara, jchui, jhardy, jjoyce, jkoehler, jmitchel, jneedle, jobarker, jorton, jsamir, jschluet, jsherril, jtanner, juwatts, jwong, kaycoth, kholdawa, kshier, ktsao, kyoshida, lbalhar, lhh, lsvaty, mabashia, mburns, mcascell, mgarciac, mhroncok, mhulan, mpierce, nboldt, nmoumoul, oezr, omaciel, orabin, osapryki, pbraun, pcreech, pete.perfetti, pgrist, prodsec-ir-bot, psegedy, python-maint, rbobbitt, rchan, rhos-maint, risantam, rtaniwa, simaishi, smcdonal, stcannon, sthirugn, sujagtap, teagle, tfister, thavo, tkral, torsava, vkrizan, vkumar, xiaoxwan, yguenane, zsadeh, zzhou |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | urllib3 1.26.19, urllib3 2.2.2 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material, so the header is not stripped on cross-origin redirects. |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 2292792, 2292794, 2293152, 2293153, 2293154, 2293155, 2293157, 2293158, 2293159, 2293160, 2293163, 2293164, 2293167, 2293169, 2293173, 2293180, 2293181, 2293183, 2293188, 2293189, 2293190, 2292790, 2292791, 2292793, 2292795, 2293156, 2293161, 2293162, 2293165, 2293166, 2293168, 2293170, 2293171, 2293172, 2293174, 2293175, 2293176, 2293177, 2293178, 2293179, 2293182, 2293184, 2293185, 2293186, 2293187 |
| Bug Blocks | 2292796 |
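As an added illustration (not urllib3's own code and not part of this bug report), the following Python models the behaviour the Doc Text describes: a redirect that leaves the original origin must drop credential-bearing headers, and before the fix `Proxy-Authorization` was not in that set. The header sets, sample request, redirect targets and helper names are assumptions of this example; the version threshold comes from the "Fixed In Version" field above.

```python
"""Redirect header handling behind CVE-2024-37891 (added model, not urllib3 code)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumed pre-fix behaviour per the report: Proxy-Authorization is not treated
# as credential material, so it survives a redirect to another origin.
STRIP_BEFORE_FIX = frozenset({"authorization"})
# Assumed post-fix behaviour (urllib3 1.26.19 / 2.2.2 in the report); Cookie is
# an extra defensive choice of this example, not something the report states.
STRIP_AFTER_FIX = STRIP_BEFORE_FIX | {"proxy-authorization", "cookie"}

# Constructed sample: a request carrying proxy and origin credentials, plus a
# redirect to a different host and one that stays on the same origin.
REQUEST_URL = "http://api.example.com/v1/report"
REQUEST_HEADERS = {
    "Authorization": "Bearer example-token",
    "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
    "User-Agent": "example-client/1.0",
}
CROSS_ORIGIN_LOCATION = "http://other.example.net/landing"
SAME_ORIGIN_LOCATION = "http://api.example.com:80/v2/report"


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(request_url, headers, location, strip_set):
    """Headers to forward to `location`; `strip_set` is dropped when the origin changes."""
    if origin(request_url) == origin(location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip_set}


def leaked_credentials(request_url, headers, location, strip_set):
    """Defender's check: credential headers that would cross the origin boundary."""
    forwarded = headers_for_redirect(request_url, headers, location, strip_set)
    return sorted(k for k in forwarded if k.lower() in STRIP_AFTER_FIX)


def is_fixed_upstream(version):
    """True for an upstream urllib3 version >= 1.26.19 (1.x line) or >= 2.2.2.
    Distro packages (e.g. RHEL's python3-urllib3) backport fixes without bumping
    this number, so for those rely on the vendor advisory instead."""
    nums = tuple(int(re.match(r"\d+", part).group()) for part in version.split(".")[:3])
    return nums >= (2, 2, 2) or (1, 26, 19) <= nums < (2, 0, 0)
```

Running `leaked_credentials` with `STRIP_BEFORE_FIX` against the sample shows `Proxy-Authorization` being forwarded to the other host; with `STRIP_AFTER_FIX` nothing credential-bearing crosses the origin.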
Description
Robb Gatica
2024-06-17 22:33:14 UTC
Created mingw-python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292791]
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292790]
Created cascadia-code-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293160]
Created cura tracking bugs for this issue: Affects: fedora-all [bug 2293161]
Created docker-compose tracking bugs for this issue: Affects: epel-all [bug 2293152] Affects: fedora-all [bug 2293162]
Created duplicity tracking bugs for this issue: Affects: fedora-all [bug 2293163]
Created google-roboto-mono-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293164]
Created mote tracking bugs for this issue: Affects: epel-all [bug 2293153]
Created mrsw-biz-udgothic-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293165]
Created mrsw-biz-udmincho-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293166]
Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293167]
Created oci-cli tracking bugs for this issue: Affects: fedora-all [bug 2293168]
Created offlineimap tracking bugs for this issue: Affects: fedora-all [bug 2293169]
Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2293170]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2293171]
Created python-WSGIProxy2 tracking bugs for this issue: Affects: fedora-all [bug 2293172]
Created python-ansible-compat tracking bugs for this issue: Affects: fedora-all [bug 2293173]
Created python-commoncode tracking bugs for this issue: Affects: fedora-all [bug 2293174]
Created python-container-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293175]
Created python-dbus-next tracking bugs for this issue: Affects: fedora-all [bug 2293176]
Created python-debian-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293177]
Created python-docker tracking bugs for this issue: Affects: epel-all [bug 2293154]
Created python-extractcode tracking bugs for this issue: Affects: fedora-all [bug 2293178]
Created python-ffmpeg-python tracking bugs for this issue: Affects: fedora-all [bug 2293179]
Created python-flake8-builtins tracking bugs for this issue: Affects: fedora-all [bug 2293180]
Created python-hvac tracking bugs for this issue: Affects: epel-all [bug 2293155]
Created python-mercantile tracking bugs for this issue: Affects: fedora-all [bug 2293181]
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 2293182]
Created python-pip-epel tracking bugs for this issue: Affects: epel-all [bug 2293156]
Created python-play-scraper tracking bugs for this issue: Affects: fedora-all [bug 2293183]
Created python-plugincode tracking bugs for this issue: Affects: fedora-all [bug 2293184]
Created python-pygments-better-html tracking bugs for this issue: Affects: fedora-all [bug 2293185]
Created python-smart-gardena tracking bugs for this issue: Affects: epel-all [bug 2293157]
Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 2293186]
Created python-typecode tracking bugs for this issue: Affects: fedora-all [bug 2293187]
Created python38-hvac tracking bugs for this issue: Affects: epel-all [bug 2293158]
Created rst2pdf tracking bugs for this issue: Affects: fedora-all [bug 2293188]
Created sorkintype-merriweather-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293189]
Created sorkintype-merriweather-sans-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293190]
Created transifex-client tracking bugs for this issue: Affects: epel-all [bug 2293159]

Why did you open bugzillas for so many unrelated Fedora and EPEL packages?

There is no tracker for python-urllib3 in RHEL 8.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:4422 https://access.redhat.com/errata/RHSA-2024:4422

There is no tracker for python-urllib3 in RHEL 8; also there is no update on RHEL 8. Can anyone confirm / update on this?

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5041 https://access.redhat.com/errata/RHSA-2024:5041

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:5309 https://access.redhat.com/errata/RHSA-2024:5309

What will be the resolution for this CVE-2024-37891? Is there any package available for update in Red Hat 9.4? My system is on Red Hat 9.4, but when I tried to update python3-urllib3 it didn't give me any updates, and currently it's on version 1.26.5-5. Kindly suggest me the resolution in steps possible.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526

(In reply to errata-xmlrpc from comment #23)
> This issue has been addressed in the following products:
>
> Red Hat Enterprise Linux 8.8 Extended Update Support
>
> Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526

But I'm getting this vulnerability in my Red Hat Enterprise Linux 9.4 system; for that, is there any solution available at the moment.... As in, is there any update marked for this package in RHEL 9.4, or how can I remediate this vulnerability particularly in RHEL 9.4.....

(In reply to Harsh singh from comment #24)
> (In reply to errata-xmlrpc from comment #23)
> > This issue has been addressed in the following products:
> >
> > Red Hat Enterprise Linux 8.8 Extended Update Support
> >
> > Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526
>
> But I'm getting this vulnerability in my Red Hat Enterprise Linux 9.4 system;
> for that, is there any solution available at the moment....
> As in, is there any update marked for this package in RHEL 9.4, or how can I
> remediate this vulnerability particularly in RHEL 9.4.....

Hi, I recommend contacting Red Hat support to get a specific answer for RHEL 9.4. I can say that we are committed to fixing this issue in the upcoming RHEL 9.5; I'm not able to comment on RHEL 9.4 at this point.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:5627 https://access.redhat.com/errata/RHSA-2024:5627

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5622 https://access.redhat.com/errata/RHSA-2024:5622

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5633 https://access.redhat.com/errata/RHSA-2024:5633

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:6162 https://access.redhat.com/errata/RHSA-2024:6162

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:6239 https://access.redhat.com/errata/RHSA-2024:6239

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6240 https://access.redhat.com/errata/RHSA-2024:6240

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6310 https://access.redhat.com/errata/RHSA-2024:6310

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:6358 https://access.redhat.com/errata/RHSA-2024:6358

This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765

This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:7312 https://access.redhat.com/errata/RHSA-2024:7312