Date:      Tue, 26 Nov 2019 11:51:30 +0000 (UTC)
From:      Kai Knoblich <kai@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r518463 - head/security/vuxml
Message-ID:  <201911261151.xAQBpUO9054446@repo.freebsd.org>

Author: kai
Date: Tue Nov 26 11:51:30 2019
New Revision: 518463
URL: https://svnweb.freebsd.org/changeset/ports/518463

Log:
  security/vuxml: Document net/py-urllib3 issues
  
  PR:		229322
  Security:	CVE-2018-20060
  		CVE-2019-11236
  		CVE-2019-11324

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Nov 26 11:21:23 2019	(r518462)
+++ head/security/vuxml/vuln.xml	Tue Nov 26 11:51:30 2019	(r518463)
@@ -58,6 +58,41 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="87270ba5-03d3-11ea-b81f-3085a9a95629">
+    <topic>urllib3 -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>py27-urllib3</name>
+	<name>py35-urllib3</name>
+	<name>py36-urllib3</name>
+	<name>py37-urllib3</name>
+	<name>py38-urllib3</name>
+	<range><lt>1.24.3,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>NIST reports: (by search in the range 2018/01/01 - 2019/11/10):</p>
+	<blockquote cite="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;query=urllib3&amp;search_type=all&amp;pub_start_date=01%2F01%2F2018&amp;pub_end_date=11%2F10%2F2019">;
+	  <p>urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.</p>
+	  <p>In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.</p>
+	  <p>The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;query=urllib3&amp;search_type=all&amp;pub_start_date=01%2F01%2F2018&amp;pub_end_date=11%2F10%2F2019</url>;
+      <cvename>CVE-2018-20060</cvename>
+      <cvename>CVE-2019-11236</cvename>
+      <cvename>CVE-2019-11324</cvename>
+      <freebsdpr>ports/229322</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2018-12-11</discovery>
+      <entry>2019-11-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9">
     <topic>FreeBSD -- Intel CPU Microcode Update</topic>
     <affects>
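Review bot: the three `<p>` paragraphs inside the `<blockquote>` are NVD summaries for three different CVEs, but nothing in the description ties a paragraph to its CVE; the reader has to infer the mapping from the order of the `<cvename>` entries. Prefix each paragraph with its identifier, e.g. `<p>CVE-2018-20060: urllib3 before version 1.23 does not remove the Authorization HTTP header ...</p>`, `<p>CVE-2019-11236: In the urllib3 library through 1.24.1 for Python, CRLF injection ...</p>`, `<p>CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles ...</p>`, and replace the lead-in "NIST reports: (by search in the range 2018/01/01 - 2019/11/10):" with a plain "NIST reports:", since the date-bounded search is an artifact of how the text was collected, not information about the vulnerabilities. For the same reason the `<url>` reference (and the `cite` attribute) pointing at an NVD search-results query with a hard-coded `pub_end_date=11%2F10%2F2019` is a weak, non-durable reference; the `<cvename>` entries already identify the individual CVEs, so the search URL should be replaced by a reference to the upstream urllib3 release notes or advisory for the fixing versions. The affected range `<lt>1.24.3,1</lt>` is one release past the fix versions the descriptions themselves give (1.23 and 1.24.2); that is acceptable if 1.24.3 is the version the port was updated to in PR 229322, but a one-line note in the log or the use of `<lt>1.24.2,1</lt>` would make the relationship between the range and the quoted fix versions explicit.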



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201911261151.xAQBpUO9054446>