Bug 1702473 (CVE-2019-11324) - CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11324
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1707999 1708000 1708002 1724438 1774601 1774602 1774603 1805085 1702474 1702475 1706026 1706765 1708001 1708113 1724437 1774595 1778099 1805084
Blocks: 1702476
 
Reported: 2019-04-23 21:20 UTC by Pedro Sampaio
Modified: 2020-03-18 04:36 UTC (History)

Fixed In Version: urllib3 1.24.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:34 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3335 None None None 2019-11-05 20:38:18 UTC
Red Hat Product Errata RHSA-2019:3590 None None None 2019-11-05 21:16:23 UTC
Red Hat Product Errata RHSA-2020:0850 None None None 2020-03-17 16:18:33 UTC

Description Pedro Sampaio 2019-04-23 21:20:29 UTC
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Upstream patch:

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

References:

https://www.openwall.com/lists/oss-security/2019/04/17/3

Comment 1 Pedro Sampaio 2019-04-23 21:20:48 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1702474]


Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1702475]

Comment 11 Nick Tait 2019-05-08 22:56:27 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: openstack-rdo [bug 1707999]

Comment 15 Hardik Vyas 2019-05-09 07:33:04 UTC
External References:

https://www.openwall.com/lists/oss-security/2019/04/17/3

Comment 17 Doran Moppert 2019-06-27 06:18:44 UTC
Statement:

This issue did not affect the versions of python-urllib3 as shipped with Red Hat Enterprise Linux 6 and 7, as the older code shipped there did not load the system certificates.

Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected Critical and Important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information.

Comment 18 Doran Moppert 2019-06-27 06:19:37 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1724437]

Comment 20 errata-xmlrpc 2019-11-05 20:38:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335

Comment 21 errata-xmlrpc 2019-11-05 21:16:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3590 https://access.redhat.com/errata/RHSA-2019:3590

Comment 22 Product Security DevOps Team 2019-11-06 00:52:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11324

Comment 23 Tomas Hoger 2019-11-20 14:09:21 UTC
The automatic unconditional loading of system CA certificates was added in version 1.17 via this commit:

https://github.com/urllib3/urllib3/commit/0d06f4e9a320e9d39fbedc4e9ff0d1cf8622a965

The upstream patch linked in comment 0 also includes changes other than the fix for this issue. The part relevant to this CVE is:

https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1#diff-7c9a38cd64066636d0e73a2449a28640L330
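
The description in comment 0 and the root-cause note in comment 23 point at the same failure mode: from 1.17 up to 1.24.1, urllib3 loaded the OS CA store unconditionally, so a context built for a custom ca_certs bundle or ssl_context also trusted every system CA, and a server certificate issued by any of those CAs verified when it should have been rejected. The following Python example is added here and is not code from urllib3 or from this bug report; it shows how a defender can audit an ssl.SSLContext to confirm it trusts only the intended CAs. The helper names (build_strict_context, build_mixed_context, trusted_ca_subjects, unexpected_cas, context_is_isolated) are assumptions, and build_mixed_context only reproduces the shape of the described behaviour, not urllib3's actual code.

```python
import ssl
from typing import Iterable, List, Optional


def build_strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that trusts only the CAs in `cafile` (hypothetical helper).

    It deliberately never calls load_default_certs(), so the OS trust store is
    not mixed into the verification set. With cafile=None it trusts nothing,
    which is the safe failure mode: every handshake fails verification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def build_mixed_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Illustration of the bug described in this report (not urllib3's code):
    the custom bundle is loaded AND the OS store is added on top, so a server
    certificate issued by any system CA also passes verification."""
    ctx = build_strict_context(cafile)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trusted_ca_subjects(ctx) -> List[str]:
    """Return one 'key=value, ...' subject string per CA certificate the
    context currently trusts, as reported by SSLContext.get_ca_certs()."""
    subjects = []
    for cert in ctx.get_ca_certs():
        # get_ca_certs() yields dicts whose 'subject' is a tuple of RDNs,
        # each RDN a tuple of (attribute, value) pairs.
        rdns = cert.get("subject", ())
        subjects.append(", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn))
    return subjects


def unexpected_cas(ctx, allowed_subjects: Iterable[str]) -> List[str]:
    """Audit check: every trusted CA whose subject is not on the allow-list.
    A non-empty result means the context trusts more than it was meant to."""
    allowed = set(allowed_subjects)
    return [s for s in trusted_ca_subjects(ctx) if s not in allowed]


def context_is_isolated(ctx, allowed_subjects: Iterable[str]) -> bool:
    """True when the context trusts only the allow-listed CAs."""
    return not unexpected_cas(ctx, allowed_subjects)


if __name__ == "__main__":
    # No cafile is passed, so the strict context must trust nothing at all,
    # while the mixed one picks up whatever the OS store contains.
    strict = build_strict_context()
    mixed = build_mixed_context()
    print("strict context trusts", len(trusted_ca_subjects(strict)), "CA(s)")
    print("mixed context trusts ", len(trusted_ca_subjects(mixed)), "CA(s)")
    extra = unexpected_cas(mixed, [])
    print("unexpected CAs in mixed context (first 3 of %d):" % len(extra), extra[:3])
```

The practical check is unexpected_cas(): run it against the context your HTTP client actually uses, with the allow-list set to the subjects of the CAs in your private bundle. Any extra entry is a CA your client will accept that you did not choose, which is exactly the condition this CVE turned into a silent verification success.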

Comment 24 Tomas Hoger 2019-11-20 14:20:29 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1774595]

Comment 26 Tomas Hoger 2019-11-29 10:23:40 UTC
Created python-virtualenv tracking bugs for this issue:

Affects: fedora-30 [bug 1778099]

Comment 27 errata-xmlrpc 2020-03-17 16:18:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850

