The current implementation of python-urllib3 does not encode the ‘\r\n’ sequence in the query string, which allows an attacker to manipulate an HTTP header with the ‘\r\n’ sequence in it, so the attacker can insert arbitrary content into a new line of the HTTP header.
External References: https://bugs.python.org/issue36276
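The mechanism described in the comment above, shown as an added example that is not urllib3's code and not the fix from the linked commits: a defensive percent-encoder for the query component, and a check that counts the lines of a serialized request head to show why a raw CR/LF in the request target must never reach the wire. The function names, the sample path, query and headers are constructed for this example.

```python
# Added example (not urllib3's own code): encode control characters in the
# query component before it is used as a request target, and detect when a
# request head contains more lines than its headers account for.
from typing import Dict, List

CONTROL_MAX = 0x20  # ASCII control characters (CR, LF, TAB, ...) and space sit at or below this


def encode_query(query: str) -> str:
    """Percent-encode control characters, space and DEL in a query string.
    Ordinary query characters, including the & = / ? delimiters and any
    already-encoded %XX sequences, pass through unchanged."""
    return "".join(
        "%{:02X}".format(ord(ch)) if ord(ch) <= CONTROL_MAX or ord(ch) == 0x7F else ch
        for ch in query
    )


def safe_target(path: str, query: str) -> str:
    """Build the request-target from an unencoded path and query (assumption:
    callers pass raw components). The path gets the same treatment, since a
    raw CR/LF there would split the request line just as well."""
    target = encode_query(path)
    if query:
        target += "?" + encode_query(query)
    return target


def request_head_lines(method: str, target: str, headers: Dict[str, str]) -> List[str]:
    """Serialize the request line and headers the way an HTTP/1.1 client does
    and return the individual lines. A well-formed head has exactly
    1 + len(headers) lines; any extra line means part of the target was
    turned into a header of its own."""
    head = f"{method} {target} HTTP/1.1\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return head.rstrip("\r\n").split("\r\n")


def header_count_is_sane(method: str, target: str, headers: Dict[str, str]) -> bool:
    """Detection check: True only when no extra header line appeared."""
    return len(request_head_lines(method, target, headers)) == 1 + len(headers)


# Constructed sample input: a query value carrying a raw CR/LF pair.
SAMPLE_PATH = "/search"
SAMPLE_QUERY = "q=widgets\r\nX-Constructed: smuggled"
SAMPLE_HEADERS = {"Host": "example.test", "User-Agent": "example/1.0"}

if __name__ == "__main__":
    raw_target = SAMPLE_PATH + "?" + SAMPLE_QUERY
    print("raw target:    ", request_head_lines("GET", raw_target, SAMPLE_HEADERS))
    print("encoded target:", request_head_lines("GET", safe_target(SAMPLE_PATH, SAMPLE_QUERY), SAMPLE_HEADERS))
```

Run the check against the raw string handed to the client, not against the output of urllib.parse.urlsplit(): CPython releases since 3.9.5 (and the corresponding 3.6/3.7/3.8 maintenance releases) silently strip CR, LF and TAB while splitting a URL, so a check placed after urlsplit() would never see them. The encoder is a stop-gap for code that builds requests itself; the actual remedy is the patched python-urllib3 from the advisories listed below.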
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 1700825]
Additional references:
https://github.com/urllib3/urllib3/issues/1553
https://github.com/urllib3/urllib3/commit/0aa3e24fcd75f1bb59ab159e9f8adb44055b2271
This issue is reproducible on Red Hat Gluster Storage 3; the HTTP header was successfully injected. If an attacker manages to place a CRLF, then he could exploit this vulnerability.
All supported versions of Red Hat OpenStack Platform are affected by this flaw.
Created python-urllib3 tracking bugs for this issue: Affects: openstack-rdo [bug 1707088]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11236
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3590 https://access.redhat.com/errata/RHSA-2019:3590
Upstream patch for 1.24 versions: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
There are actually 2 related patches for 1.24:
https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
The second one is the one linked from comment 22 above, and it needs to be applied on top of the first one. Both patches mention CVE-2019-9740 in the commit message, which is the CVE for a similar problem in urllib/urllib2 that is part of the Python standard library.
Created python-pip tracking bugs for this issue:
Affects: epel-6 [bug 1775364]
Affects: fedora-all [bug 1775363]
Created python-pip-epel tracking bugs for this issue:
Affects: epel-7 [bug 1775365]
Created python-virtualenv tracking bugs for this issue:
Affects: epel-6 [bug 1778101]
Affects: fedora-30 [bug 1778100]
Created python3-virtualenv tracking bugs for this issue:
Affects: epel-7 [bug 1778103]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0851 https://access.redhat.com/errata/RHSA-2020:0851
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1916 https://access.redhat.com/errata/RHSA-2020:1916
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2068 https://access.redhat.com/errata/RHSA-2020:2068
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2081 https://access.redhat.com/errata/RHSA-2020:2081
Statement: This issue affects the version of python-urllib3 shipped with Red Hat Gluster Storage 3, as it is vulnerable to CRLF injection. Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.