urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect, as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.

Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution, urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this by accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.
2. Not disabling HTTP redirects.
3. Either not using an HTTPS origin server, or for the proxy or target origin to redirect to a malicious origin.

Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.
https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
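The following is an added, stand-alone illustration of the behaviour the advisory describes; it is not code from urllib3, from the fix commit, or from this report. It models "origin" as (scheme, host, port) with default ports filled in, resolves a possibly relative `Location` against the request URL, and drops credential-carrying headers only when the redirect target is a different origin. `CREDENTIAL_HEADERS`, `INCOMPLETE_HEADERS`, the function names and the sample request are all constructed for the example. The optional `installed_urllib3_strips_proxy_auth` check assumes that `urllib3.util.retry.Retry` exposes `DEFAULT_REMOVE_HEADERS_ON_REDIRECT` (it does in the 1.26.x and 2.x releases the advisory names) and returns `None` if urllib3 is not importable, so the rest of the script runs without it.

```python
# Added example (not urllib3's code): header stripping on cross-origin redirects.
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials. After the fix the advisory describes, urllib3
# treats Proxy-Authorization as one of these; this set is constructed for the demo.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

# A stripping set that leaves Proxy-Authorization out, modelling the pre-fix
# situation in which the header is not recognised as authentication material.
INCOMPLETE_HEADERS = frozenset({"authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()          # hostname is already lower-cased
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def resolve_location(request_url, location):
    """Resolve a Location header, which may be relative, against the request URL."""
    return urljoin(request_url, location)


def is_cross_origin(request_url, redirect_url):
    """True when following the redirect would leave the original request's origin."""
    return origin(request_url) != origin(redirect_url)


def headers_for_redirect(headers, request_url, location, strip=CREDENTIAL_HEADERS):
    """Return the headers to send on the redirected request.

    Credential headers are dropped when the target is a different origin. Header
    names are compared case-insensitively because callers spell them freely.
    """
    target = resolve_location(request_url, location)
    if not is_cross_origin(request_url, target):
        return dict(headers)
    return {name: value for name, value in headers.items() if name.lower() not in strip}


def installed_urllib3_strips_proxy_auth():
    """Report whether the installed urllib3 strips Proxy-Authorization by default.

    Returns None when urllib3 is absent or lacks the attribute (assumption: the
    attribute name matches the 1.26.x / 2.x releases).
    """
    try:
        from urllib3.util.retry import Retry
        defaults = Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT
    except (ImportError, AttributeError):
        return None
    return "proxy-authorization" in {h.lower() for h in defaults}


if __name__ == "__main__":
    # Constructed request: Proxy-Authorization set by hand on a plain request
    # (no ProxyManager), which is exactly the misuse the advisory describes.
    sent = {"Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ6ZXhhbXBsZQ==", "Accept": "*/*"}
    request_url = "http://origin.example/resource"
    location = "http://other.example/landing"

    print("pre-fix style:", headers_for_redirect(sent, request_url, location, strip=INCOMPLETE_HEADERS))
    print("fixed style:  ", headers_for_redirect(sent, request_url, location))
    print("same-origin:  ", headers_for_redirect(sent, request_url, "/other"))
    print("installed urllib3 strips Proxy-Authorization:", installed_urllib3_strips_proxy_auth())
```

Running the script shows the header surviving the cross-origin hop with the incomplete set and being removed with the complete one, while a same-origin redirect (`/other`) keeps it in both cases. A scheme change on the same host (http to https) counts as a new origin here, which is the conservative choice for credential headers.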
Created mingw-python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292791]
Created python-urllib3 tracking bugs for this issue: Affects: fedora-all [bug 2292790]
Created cascadia-code-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293160]
Created cura tracking bugs for this issue: Affects: fedora-all [bug 2293161]
Created docker-compose tracking bugs for this issue: Affects: epel-all [bug 2293152] Affects: fedora-all [bug 2293162]
Created duplicity tracking bugs for this issue: Affects: fedora-all [bug 2293163]
Created google-roboto-mono-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293164]
Created mote tracking bugs for this issue: Affects: epel-all [bug 2293153]
Created mrsw-biz-udgothic-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293165]
Created mrsw-biz-udmincho-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293166]
Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293167]
Created oci-cli tracking bugs for this issue: Affects: fedora-all [bug 2293168]
Created offlineimap tracking bugs for this issue: Affects: fedora-all [bug 2293169]
Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2293170]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2293171]
Created python-WSGIProxy2 tracking bugs for this issue: Affects: fedora-all [bug 2293172]
Created python-ansible-compat tracking bugs for this issue: Affects: fedora-all [bug 2293173]
Created python-commoncode tracking bugs for this issue: Affects: fedora-all [bug 2293174]
Created python-container-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293175]
Created python-dbus-next tracking bugs for this issue: Affects: fedora-all [bug 2293176]
Created python-debian-inspector tracking bugs for this issue: Affects: fedora-all [bug 2293177]
Created python-docker tracking bugs for this issue: Affects: epel-all [bug 2293154]
Created python-extractcode tracking bugs for this issue: Affects: fedora-all [bug 2293178]
Created python-ffmpeg-python tracking bugs for this issue: Affects: fedora-all [bug 2293179]
Created python-flake8-builtins tracking bugs for this issue: Affects: fedora-all [bug 2293180]
Created python-hvac tracking bugs for this issue: Affects: epel-all [bug 2293155]
Created python-mercantile tracking bugs for this issue: Affects: fedora-all [bug 2293181]
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 2293182]
Created python-pip-epel tracking bugs for this issue: Affects: epel-all [bug 2293156]
Created python-play-scraper tracking bugs for this issue: Affects: fedora-all [bug 2293183]
Created python-plugincode tracking bugs for this issue: Affects: fedora-all [bug 2293184]
Created python-pygments-better-html tracking bugs for this issue: Affects: fedora-all [bug 2293185]
Created python-smart-gardena tracking bugs for this issue: Affects: epel-all [bug 2293157]
Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 2293186]
Created python-typecode tracking bugs for this issue: Affects: fedora-all [bug 2293187]
Created python38-hvac tracking bugs for this issue: Affects: epel-all [bug 2293158]
Created rst2pdf tracking bugs for this issue: Affects: fedora-all [bug 2293188]
Created sorkintype-merriweather-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293189]
Created sorkintype-merriweather-sans-fonts tracking bugs for this issue: Affects: fedora-all [bug 2293190]
Created transifex-client tracking bugs for this issue: Affects: epel-all [bug 2293159]
Why did you open bugzillas for so many unrelated Fedora and EPEL packages?
There is no tracker for python-urllib3 in RHEL 8.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:4422 https://access.redhat.com/errata/RHSA-2024:4422
There is no tracker for python-urllib3 in RHEL 8; also, there is no update on RHEL 8. Can anyone confirm or give an update on this?
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5041 https://access.redhat.com/errata/RHSA-2024:5041
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5309 https://access.redhat.com/errata/RHSA-2024:5309
What will be the resolution for CVE-2024-37891? Is there any package available for update in Red Hat 9.4? My system is on Red Hat 9.4, but when I tried to update python3-urllib3 it didn't give me any updates, and currently it's on version 1.26.5-5. Kindly suggest the resolution in steps if possible.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526
(In reply to errata-xmlrpc from comment #23)
> This issue has been addressed in the following products:
>
> Red Hat Enterprise Linux 8.8 Extended Update Support
>
> Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526

But I'm getting this vulnerability on my Red Hat Enterprise Linux 9.4 system; is there any solution available for that at the moment? Is there any update marked for this package in RHEL 9.4, or how can I remediate this vulnerability, particularly in RHEL 9.4?
(In reply to Harsh singh from comment #24)
> (In reply to errata-xmlrpc from comment #23)
> > This issue has been addressed in the following products:
> >
> > Red Hat Enterprise Linux 8.8 Extended Update Support
> >
> > Via RHSA-2024:5526 https://access.redhat.com/errata/RHSA-2024:5526
>
> But I'm getting this vulnerability in my Red Hat Enterprise Linux 9.4 system
> for that is there any solution available at the moment....
> As if is there any update marked for this package in RHEL 9.4 or how can I
> remediate this vulnerability particularly in RHEL 9.4.....

Hi, I recommend contacting Red Hat support to get a specific answer for RHEL 9.4. I can say that we are committed to fixing this issue in the upcoming RHEL 9.5; I'm not able to comment on RHEL 9.4 at this point.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:5627 https://access.redhat.com/errata/RHSA-2024:5627
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5622 https://access.redhat.com/errata/RHSA-2024:5622
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:5633 https://access.redhat.com/errata/RHSA-2024:5633
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:6162 https://access.redhat.com/errata/RHSA-2024:6162
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:6239 https://access.redhat.com/errata/RHSA-2024:6239
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:6240 https://access.redhat.com/errata/RHSA-2024:6240
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:6310 https://access.redhat.com/errata/RHSA-2024:6310
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6311 https://access.redhat.com/errata/RHSA-2024:6311
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:6309 https://access.redhat.com/errata/RHSA-2024:6309
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:6358 https://access.redhat.com/errata/RHSA-2024:6358
This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765
This issue has been addressed in the following products:

Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:7312 https://access.redhat.com/errata/RHSA-2024:7312
Will the RHEL 8 Python 2.7 AppStream version of this library see a patch? Getting a detection from CVE-2024-37891 on python2-urllib3-1.24.2-4.module+el8.10.0+20444+3bf7fee4.noarch.rpm
(In reply to agilmore2 from comment #42)
> Will the RHEL 8 Python 2.7 AppStream version of this library see a patch?
>
> Getting a detection from CVE-2024-37891 on
> python2-urllib3-1.24.2-4.module+el8.10.0+20444+3bf7fee4.noarch.rpm

The Python 2.7 application stream in RHEL 8 has not been supported since June 2024.
(In reply to Lumír Balhar from comment #43)
>
> Python 2.7 application stream in RHEL 8 is not supported anymore since June
> 2024.

Thanks for the information!

The RHEL 8 LEAPP package depends on python2-requests, which depends on this python2-urllib3 package. I wouldn't expect LEAPP to be deprecated?
(In reply to agilmore2 from comment #45)
>
> (In reply to Lumír Balhar from comment #43)
> >
> > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > 2024.
>
> Thanks for the information!
>
> RHEL 8 LEAPP package depends on python2-requests, which depends on this
> python2-urllib3 package.
>
> I wouldn't expect LEAPP to be deprecated?

I don't know the details here, but I see in the sources that leapp is built for Python 3 in RHEL 8 and the latest build does not produce a python2- subpackage. What version of RHEL and leapp do you use?
@harsh_si It looks like Red Hat failed to post the info about the update for RHEL 9.4 here for some reason. If you run the command below you will see the CVE in the changelog for RHEL 9.4.

$ yum changelog python3-urllib3.noarch
...
Listing all changelogs
Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
* Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> - 1.26.5-5.1
- Security fix for CVE-2024-37891
- Backport upstream patch to fix TypeError for http connection if the PoolManager
- is instantiated with server_hostname
Resolves: RHEL-49853
(In reply to eddie.rowe from comment #47)
> @harsh_si It looks like RedHat failed to post the info about the
> update for RHEL 9.4 here for some reason. If you run the command below you
> will see the CVE in the change log for RHEL 9.4.
>
> $ yum changelog python3-urllib3.noarch
> ...
> Listing all changelogs
> Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> 1.26.5-5.1
> - Security fix for CVE-2024-37891
> - Backport upstream patch to fix TypeError for http connection if the
> PoolManager
> - is instantiated with server_hostname
> Resolves: RHEL-49853

What do you mean by "failed to post the info about the update for RHEL 9.4"? The issue for 9.4 is closed, and the advisory is publicly available: https://access.redhat.com/errata/RHSA-2024:6162
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:8035 https://access.redhat.com/errata/RHSA-2024:8035
(In reply to Lumír Balhar from comment #46)
> (In reply to agilmore2 from comment #45)
> >
> > (In reply to Lumír Balhar from comment #43)
> > >
> > > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > > 2024.
> >
> > Thanks for the information!
> >
> > RHEL 8 LEAPP package depends on python2-requests, which depends on this
> > python2-urllib3 package.
> >
> > I wouldn't expect LEAPP to be deprecated?
>
> I don't know the details here but I see in the sources that leapp is built
> for Python 3 in RHEL 8 and the latest build does not produce python2-
> subpackage. What version of RHEL and leapp do you use?

Ah, this is the RHEL7->8 LEAPP tooling. Since the specific instance has completed the upgrade to RHEL8, they can remove it. Is LEAPP RHEL7->8 still supported? How about with active ELS?
(In reply to Lumír Balhar from comment #48)
> (In reply to eddie.rowe from comment #47)
> > @harsh_si It looks like RedHat failed to post the info about the
> > update for RHEL 9.4 here for some reason. If you run the command below you
> > will see the CVE in the change log for RHEL 9.4.
> >
> > $ yum changelog python3-urllib3.noarch
> > ...
> > Listing all changelogs
> > Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> > * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> > 1.26.5-5.1
> > - Security fix for CVE-2024-37891
> > - Backport upstream patch to fix TypeError for http connection if the
> > PoolManager
> > - is instantiated with server_hostname
> > Resolves: RHEL-49853
>
> What do you mean by "failed to post the info about the update for RHEL 9.4"?
> The issue for 9.4 is closed, and the advisory is publicly available:
> https://access.redhat.com/errata/RHSA-2024:6162

Hi,

We could not see the fix available for RHEL 9.4.

Currently we have installed python3-urllib3.noarch 1.26.5-5.el9_4.1 and it's reported as vulnerable.

Thanks.
(In reply to Kaviraj Thangaraj from comment #51)
> (In reply to Lumír Balhar from comment #48)
> > (In reply to eddie.rowe from comment #47)
> > > @harsh_si It looks like RedHat failed to post the info about the
> > > update for RHEL 9.4 here for some reason. If you run the command below you
> > > will see the CVE in the change log for RHEL 9.4.
> > >
> > > $ yum changelog python3-urllib3.noarch
> > > ...
> > > Listing all changelogs
> > > Changelogs for python3-urllib3-1.26.5-5.el9_4.1.noarch
> > > * Tue Jun 18 12:00:00 AM 2024 Tomáš Hrnčiar <thrnciar> -
> > > 1.26.5-5.1
> > > - Security fix for CVE-2024-37891
> > > - Backport upstream patch to fix TypeError for http connection if the
> > > PoolManager
> > > - is instantiated with server_hostname
> > > Resolves: RHEL-49853
> >
> > What do you mean by "failed to post the info about the update for RHEL 9.4"?
> > The issue for 9.4 is closed, and the advisory is publicly available:
> > https://access.redhat.com/errata/RHSA-2024:6162
>
> Hi,
>
> We could not see the fix available for RHEL 9.4.
>
> Currently we have installed python3-urllib3.noarch - 1.26.5-5.el9_4.1 and
> it's reported as vulnerable.
>
> Thanks.

Where is the build reported as vulnerable? The Red Hat page about this CVE correctly reports this vulnerability to be fixed in 1.26.5-5.el9_4.1 via advisory RHSA-2024:6162, see: https://access.redhat.com/security/cve/CVE-2024-37891
(In reply to agilmore2 from comment #50)
> (In reply to Lumír Balhar from comment #46)
> > (In reply to agilmore2 from comment #45)
> > >
> > > (In reply to Lumír Balhar from comment #43)
> > > >
> > > > Python 2.7 application stream in RHEL 8 is not supported anymore since June
> > > > 2024.
> > >
> > > Thanks for the information!
> > >
> > > RHEL 8 LEAPP package depends on python2-requests, which depends on this
> > > python2-urllib3 package.
> > >
> > > I wouldn't expect LEAPP to be deprecated?
> >
> > I don't know the details here but I see in the sources that leapp is built
> > for Python 3 in RHEL 8 and the latest build does not produce python2-
> > subpackage. What version of RHEL and leapp do you use?
>
> Ah, this is the RHEL7->8 LEAPP tooling. Since the specific instance has
> completed the upgrade to RHEL8, they can remove it. Is LEAPP RHEL7->8 still
> supported? How about with active ELS?

Answering those questions is out of my scope. Please get in touch with your customer service.
> What do you mean by "failed to post the info about the update for RHEL 9.4"?
> The issue for 9.4 is closed, and the advisory is publicly available:
> https://access.redhat.com/errata/RHSA-2024:6162

The security advisory indicates the issue was addressed, but many of us would be alerted that our systems were vulnerable due to how Red Hat backports updates to help us keep stable systems, where the version number does not match what the package maintainer may have updated. So after learning that our systems may still be vulnerable, we visited THIS Bugzilla page to try to see if there was additional info that might shed light on things. In this case there is no mention that the issue was corrected for RHEL 9.4 anywhere. (Keep in mind that some persons might have just reviewed Bugzilla info and noticed the omission.)

In my case I worked through this when told I failed to patch the server for this issue. I shared the yum command that I used to confirm the CVE(s) were corrected by the update despite there being no mention of the issue being fixed in this entry on Bugzilla. If someone/something is going to post to Bugzilla that an issue has been corrected, it really needs to mention every version of RHEL that is updated or it risks confusing people.
(In reply to eddie.rowe from comment #54)
> > What do you mean by "failed to post the info about the update for RHEL 9.4"?
> > The issue for 9.4 is closed, and the advisory is publicly available:
> > https://access.redhat.com/errata/RHSA-2024:6162
>
> The security advisory indicates the issue was addressed, but many of us
> would be alerted that our systems were vulnerable due to how Red Hat back
> ports updates to help us keep stable systems where the version number does
> not match what the package maintainer may have updated. So after learning
> that our systems may still be vulnerable we visited THIS Bugzilla page to
> try to see if there was additional info that might shed light on things. In
> this case there is no mention that the issue was corrected for RHEL 9.4
> anywhere. (Keep in mind that some persons might have just reviewed Bugzilla
> info and noticed the omission.)
>
> In my case I worked through this when told I failed to patch the server for
> this issue. I shared the yum command that I used to confirm the CVE(s) were
> corrected by the update despite there being no mention of the issue being
> fixed in this entry on Bugzilla. If someone/something is going to post to
> Bugzilla that an issue has been corrected, it really needs to mention every
> version of RHEL that is updated or it risks confusing people.

I understand your point of view, but this Bugzilla is for tracking purposes only and should not be used as a source of truth for what was fixed and where. We have release notes, advisories, and CVE pages for that. If you need more assistance, please contact our customer support.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:8843 https://access.redhat.com/errata/RHSA-2024:8843
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:8842 https://access.redhat.com/errata/RHSA-2024:8842
This issue has been addressed in the following products:

Red Hat Satellite 6.16 for RHEL 8
Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9457 https://access.redhat.com/errata/RHSA-2024:9457
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9458 https://access.redhat.com/errata/RHSA-2024:9458
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2024:9923 https://access.redhat.com/errata/RHSA-2024:9923
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2024:9922 https://access.redhat.com/errata/RHSA-2024:9922
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 8 Via RHSA-2024:9985 https://access.redhat.com/errata/RHSA-2024:9985