{"id":"MGASA-2021-0377","summary":"Updated python-urllib3 package fixes security vulnerabilities","details":"The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate\nvalidation in some cases involving HTTPS to HTTPS proxies. The initial\nconnection to the HTTPS proxy (if an SSLContext isn't given via proxy_config)\ndoesn't verify the hostname of the certificate. This means certificates for\ndifferent servers that still validate properly with the default urllib3\nSSLContext will be silently accepted (CVE-2021-28363).\n\nAn issue was discovered in urllib3 before 1.26.5. When provided with a URL\ncontaining many @ characters in the authority component, the authority regular\nexpression exhibits catastrophic backtracking, causing a denial of service if\na URL were passed as a parameter or redirected to via an HTTP redirect\n(CVE-2021-33503).\n","modified":"2026-02-02T06:36:08.406403Z","published":"2021-07-27T20:21:53Z","related":["CVE-2021-28363","CVE-2021-33503"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0377.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29041"},{"type":"REPORT","url":"https://github.com/urllib3/urllib3/releases/tag/1.26.3"},{"type":"REPORT","url":"https://github.com/urllib3/urllib3/releases/tag/1.26.4"},{"type":"REPORT","url":"https://github.com/urllib3/urllib3/releases/tag/1.26.5"},{"type":"REPORT","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWEE334W43EIJUKSMQSEH6ML7VU57K5B/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4S65ZQVZ2ODGB52IC7VJDBUK4M5INCXL/"}],"affected":[{"package":{"name":"python-urllib3","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-urllib3?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.5-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0377.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}