CVE-2020-26137

Published: 30 September 2020

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
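The defect is that an attacker-controlled method string reaches the request line unvalidated, so CR/LF inside it terminates the line early and whatever follows is parsed as further headers or a second request. An added example (not urllib3's or the tracker's own code; `validate_method`, `build_request_line` and `rejects` are hypothetical names) that applies the RFC 7230 token grammar to the method before serialization, in the same spirit as the upstream 1.25.9 check in front of putrequest():

```python
import re

# RFC 7230 "tchar": "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "."
#   / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# Anything outside this set (CR, LF, SP, NUL, ...) is not a legal method
# character and must never be written into the request line.
_NON_TOKEN_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid HTTP token.

    Raise ValueError naming the first offending character otherwise.
    This is a hypothetical reimplementation of the kind of check the
    upstream fix adds, not urllib3's code.
    """
    if not method:
        raise ValueError("HTTP method must not be empty")
    match = _NON_TOKEN_CHAR_RE.search(method)
    if match:
        raise ValueError(
            "Method cannot contain non-token characters %r (found %r)"
            % (method, match.group())
        )
    return method


def build_request_line(method: str, path: str, version: str = "HTTP/1.1") -> bytes:
    """Serialize the request line, validating the method first.

    This is the boundary at which an unvalidated method would otherwise be
    copied verbatim into the wire format.
    """
    method = validate_method(method)
    return f"{method} {path} {version}\r\n".encode("ascii")


def rejects(method: str) -> bool:
    """True if `method` is refused by validate_method (convenience for tests)."""
    try:
        validate_method(method)
    except ValueError:
        return True
    return False
```

Any method containing CR, LF or a space is refused before a byte is sent, while every normal token method passes through untouched.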

Priority

Medium

CVSS 3 base score: 6.5

Status

Package: python-pip (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Needs triage
Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (20.1.1-2)
Ubuntu 20.04 LTS (Focal Fossa)       Needed
Ubuntu 18.04 LTS (Bionic Beaver)     Needed
Ubuntu 16.04 LTS (Xenial Xerus)      Needed
Ubuntu 14.04 ESM (Trusty Tahr)       Needed
Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist

Package: python-urllib3 (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Released (1.25.9-1)
Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (1.25.9-1)
Ubuntu 20.04 LTS (Focal Fossa)       Released (1.25.8-2ubuntu0.1)
Ubuntu 18.04 LTS (Bionic Beaver)     Released (1.22-1ubuntu0.18.04.2)
Ubuntu 16.04 LTS (Xenial Xerus)      Released (1.13.1-2ubuntu0.16.04.4)
Ubuntu 14.04 ESM (Trusty Tahr)       Needed
Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist

Patches:
Upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)

Notes

Author: mdeslaur
Note: The python-pip package bundles python-urllib3 binaries when built. After updating python-urllib3, a no-change rebuild of python-pip is required.

References

Bugs