svn commit: r518463 - head/security/vuxml
Kai Knoblich
kai at FreeBSD.org
Tue Nov 26 11:51:31 UTC 2019
Author: kai
Date: Tue Nov 26 11:51:30 2019
New Revision: 518463
URL: https://svnweb.freebsd.org/changeset/ports/518463
Log:
security/vuxml: Document net/py-urllib3 issues
PR: 229322
Security: CVE-2018-20060
CVE-2019-11236
CVE-2019-11324
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Nov 26 11:21:23 2019 (r518462)
+++ head/security/vuxml/vuln.xml Tue Nov 26 11:51:30 2019 (r518463)
@@ -58,6 +58,41 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="87270ba5-03d3-11ea-b81f-3085a9a95629">
+ <topic>urllib3 -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>py27-urllib3</name>
+ <name>py35-urllib3</name>
+ <name>py36-urllib3</name>
+ <name>py37-urllib3</name>
+ <name>py38-urllib3</name>
+ <range><lt>1.24.3,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>NIST reports: (by search in the range 2018/01/01 - 2019/11/10):</p>
+ <blockquote cite="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019">
+ <p>urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.</p>
+ <p>In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.</p>
+ <p>The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019</url>
+ <cvename>CVE-2018-20060</cvename>
+ <cvename>CVE-2019-11236</cvename>
+ <cvename>CVE-2019-11324</cvename>
+ <freebsdpr>ports/229322</freebsdpr>
+ </references>
+ <dates>
+ <discovery>2018-12-11</discovery>
+ <entry>2019-11-26</entry>
+ </dates>
+ </vuln>
+
<vuln vid="fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9">
<topic>FreeBSD -- Intel CPU Microcode Update</topic>
<affects>
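Review bot: the affected range `<lt>1.24.3,1</lt>` is wider than the three quoted descriptions support. They place the fixes at "before version 1.23", "through 1.24.1" (fixed in 1.24.2) and "before 1.24.2", so py*-urllib3 1.24.2,1 carries none of the listed CVEs yet `pkg audit` would still flag it; unless the port never shipped 1.24.2 or the entry is meant to cover a further issue, `<range><lt>1.24.2,1</lt></range>` is the bound these descriptions justify. Two smaller points in the same hunk: the `cite` attribute and the `<url>` element carry a raw `&` before `results_type=`, `query=`, `search_type=`, `pub_start_date=` and `pub_end_date=`, which is not well-formed XML as displayed and would fail `make validate` in security/vuxml, so if the archive has not simply decoded them on rendering they must be `&amp;`; and the lead-in "NIST reports: (by search in the range 2018/01/01 - 2019/11/10):" doubles the colon around the parenthetical, where the entry style is a plain "NIST reports:" with the search URL left to the `cite` attribute and the `<url>` reference.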