USN-6473-1: urllib3 vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 23.04
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• python-urllib3 - HTTP library with thread-safe connection pooling

Details

It was discovered that urllib3 didn't strip HTTP Authorization header
on cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

It was discovered that urllib3 didn't strip HTTP Cookie header on
cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. (CVE-2023-43804)

It was discovered that urllib3 didn't strip HTTP body on status code
303 redirects under certain circumstances. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2023-45803)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• python3-urllib3 - 1.26.16-1ubuntu0.1

Ubuntu 23.04

• python3-urllib3 - 1.26.12-1ubuntu0.1

Ubuntu 22.04

• python3-urllib3 - 1.26.5-1~exp1ubuntu0.1

Ubuntu 20.04

• python3-urllib3 - 1.25.8-2ubuntu0.3

Ubuntu 18.04

• python-urllib3 - 1.22-1ubuntu0.18.04.2+esm1
  Available with Ubuntu Pro
• python3-urllib3 - 1.22-1ubuntu0.18.04.2+esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• python-urllib3 - 1.13.1-2ubuntu0.16.04.4+esm1
  Available with Ubuntu Pro
• python3-urllib3 - 1.13.1-2ubuntu0.16.04.4+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-45803
• CVE-2023-43804
• CVE-2018-25091

Related notices

• USN-6473-2: python3-pip, python3-pip-whl, python-pip, python-pip-whl