urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). https://github.com/urllib3/urllib3/compare/1.24.1...1.24.2 https://github.com/urllib3/urllib3/issues/1510 https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
Created ansible-lint tracking bugs for this issue: Affects: fedora-all [bug 2246497] Created cura tracking bugs for this issue: Affects: fedora-all [bug 2246498] Created docker-compose tracking bugs for this issue: Affects: epel-all [bug 2246490] Created duplicity tracking bugs for this issue: Affects: epel-all [bug 2246491] Created mingw-python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2246520] Created mote tracking bugs for this issue: Affects: epel-all [bug 2246492] Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-all [bug 2246500] Created oci-cli tracking bugs for this issue: Affects: fedora-all [bug 2246501] Created offlineimap tracking bugs for this issue: Affects: fedora-all [bug 2246502] Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2246503] Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2246504] Created python-WSGIProxy2 tracking bugs for this issue: Affects: fedora-all [bug 2246505] Created python-ansible-compat tracking bugs for this issue: Affects: fedora-all [bug 2246506] Created python-dbus-next tracking bugs for this issue: Affects: fedora-all [bug 2246507] Created python-docker tracking bugs for this issue: Affects: epel-all [bug 2246493] Affects: openstack-rdo [bug 2246519] Created python-ffmpeg-python tracking bugs for this issue: Affects: fedora-all [bug 2246508] Created python-flake8-builtins tracking bugs for this issue: Affects: fedora-all [bug 2246509] Created python-hvac tracking bugs for this issue: Affects: epel-all [bug 2246494] Affects: fedora-all [bug 2246510] Created python-molecule tracking bugs for this issue: Affects: fedora-all [bug 2246511] Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 2246513] Created python-play-scraper tracking bugs for this issue: Affects: fedora-all [bug 2246514] Created python-pygments-better-html tracking bugs for this issue: Affects: fedora-all [bug 2246515] Created python-smart-gardena tracking bugs for this issue: Affects: epel-all [bug 2246495] Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2246489] Affects: openstack-rdo [bug 2246521] Created python-zuul-client tracking bugs for this issue: Affects: fedora-all [bug 2246516] Created python38-hvac tracking bugs for this issue: Affects: epel-all [bug 2246496] Created sorkintype-merriweather-fonts tracking bugs for this issue: Affects: fedora-all [bug 2246517] Created sorkintype-merriweather-sans-fonts tracking bugs for this issue: Affects: fedora-all [bug 2246518]
Why open a tracking bug for such an old urllib3 version? Only python2-urllib3 in RHEL7 is old enough to be potentially affected. Fedora moved on long ago. And what’s the logic behind the additional packages that had bugs filed? I can’t seem to find a pattern. As far as I can tell, they don’t all bundle urllib3, or even all seem to depend on it.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988