Ubuntu Security Notice 6473-1 - It was discovered that urllib3 didn't strip HTTP Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that urllib3 didn't strip HTTP Cookie header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.
01c8788f56d352f691cc6e76bb162b2e9e247c8c99c3c08204defa5099ea0fa8
==========================================================================
Ubuntu Security Notice USN-6473-1
November 07, 2023
python-urllib3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
Several security issues were fixed in urllib3.
Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling
Details:
It was discovered that urllib3 didn't strip HTTP Authorization header
on cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)
It was discovered that urllib3 didn't strip HTTP Cookie header on
cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. (CVE-2023-43804)
It was discovered that urllib3 didn't strip HTTP body on status code
303 redirects under certain circumstances. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2023-45803)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
python3-urllib3 1.26.16-1ubuntu0.1
Ubuntu 23.04:
python3-urllib3 1.26.12-1ubuntu0.1
Ubuntu 22.04 LTS:
python3-urllib3 1.26.5-1~exp1ubuntu0.1
Ubuntu 20.04 LTS:
python3-urllib3 1.25.8-2ubuntu0.3
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
python-urllib3 1.22-1ubuntu0.18.04.2+esm1
python3-urllib3 1.22-1ubuntu0.18.04.2+esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
python-urllib3 1.13.1-2ubuntu0.16.04.4+esm1
python3-urllib3 1.13.1-2ubuntu0.16.04.4+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6473-1
CVE-2018-25091, CVE-2023-43804, CVE-2023-45803
Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.16-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.12-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.5-1~exp1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.25.8-2ubuntu0.3