Bugzilla – Bug 1215968
VUL-0: CVE-2023-43804: python-urllib3: cookie request header isn't stripped during cross-origin redirects
Last modified: 2024-06-13 15:52:37 UTC
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-43804
Current versions: openSUSE:Factory 2.0.4 openSUSE:Factory python-urllib_1-1.26.16 SUSE:ALP:Source:Standard:1.0 1.26.15 SUSE:SLE-12-SP1:Update 1.25.10 SUSE:SLE-12-SP3:Update:Products:Cloud8:Update 1.25.10 SUSE:SLE-12-SP3:Update:Products:Teradata:Update 1.12 SUSE:SLE-12-SP4:Update:Products:Cloud9:Update 1.23 SUSE:SLE-15-SP1:Update 1.25.10 SUSE:SLE-15-SP3:Update 1.25.10 I've just updated the devel project version for python-urllib3 and python-urllib3_1 and sent the request for Factory and ALP. Is there any other version or codestream that I should take care of?
This is an autogenerated message for OBS integration: This bug (1215968) was mentioned in https://build.opensuse.org/request/show/1115891 Factory / python-urllib3_1 https://build.opensuse.org/request/show/1115892 Factory / python-urllib3
SUSE-SU-2023:4064-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1215968 CVE References: CVE-2023-43804 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): python-urllib3-1.25.10-3.34.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-urllib3-1.25.10-3.34.1 SUSE Linux Enterprise Server 12 SP5 (src): python-urllib3-1.25.10-3.34.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-urllib3-1.25.10-3.34.1 SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): python-urllib3-1.25.10-3.34.1 Public Cloud Module 12 (src): python-urllib3-1.25.10-3.34.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4108-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1215968 CVE References: CVE-2023-43804 Sources used: SUSE Manager Retail Branch Server 4.2 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Manager Server 4.2 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro 5.1 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro 5.2 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro 5.3 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro 5.4 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Linux Enterprise Micro 5.5 (src): python-urllib3-1.25.10-150300.4.6.1 Basesystem Module 15-SP4 (src): python-urllib3-1.25.10-150300.4.6.1 Basesystem Module 15-SP5 (src): python-urllib3-1.25.10-150300.4.6.1 SUSE Manager Proxy 4.2 (src): python-urllib3-1.25.10-150300.4.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4157-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1215968 CVE References: CVE-2023-43804 Sources used: SUSE OpenStack Cloud 8 (src): python-urllib3-1.25.10-5.22.1 SUSE OpenStack Cloud Crowbar 8 (src): python-urllib3-1.25.10-5.22.1 HPE Helion OpenStack 8 (src): python-urllib3-1.25.10-5.22.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4352-1: An update that solves three vulnerabilities can now be installed. Category: security (moderate) Bug References: 1215968, 1216275, 1216377 CVE References: CVE-2018-25091, CVE-2023-43804, CVE-2023-45803 Sources used: SUSE OpenStack Cloud 9 (src): python-urllib3-1.23-3.25.1 SUSE OpenStack Cloud Crowbar 9 (src): python-urllib3-1.23-3.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.