Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 683890 (CVE-2019-11324) - <dev-python/urllib3-1.24.2 - adds system certificates to ssl_context
Summary: <dev-python/urllib3-1.24.2 - adds system certificates to ssl_context
Status: RESOLVED FIXED
Alias: CVE-2019-11324
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-04-20 10:10 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-10-26 22:40 UTC (History)
2 users (show)

See Also:
Package list:
=dev-python/urllib3-1.24.2
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-04-20 10:10:18 UTC 
"""
A vulnerability has been discovered in the urllib3 Python library.

When verifying HTTPS connections when an SSLContext is passed to
urllib3, system CA certificates will be loaded into the SSLContext
by default in addition to any manually-specified CA certificates.
This causes TLS handshakes that should fail given only the
manually specified certs to succeed based on system CA certs.

This affects urllib3 1.24.1 and below. The fix has been released
in version 1.24.2.

The vulnerability was reported by Christian Heimes.

A CVE ID has been requested, will follow up with it when we have it.

Best
Havoc / on behalf of Tidelift security team & urllib3 team
"""
Comment 1 Anthony Basile gentoo-dev 2019-04-23 18:45:06 UTC 
I just added 1.24.2 to the tree and I'm testing to see if its ready for stabilization.
Comment 2 Anthony Basile gentoo-dev 2019-04-23 19:19:56 UTC 
This is good for rapid stabilization:

KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86

I'll take care of amd64.
Comment 3 Anthony Basile gentoo-dev 2019-04-23 19:32:11 UTC 
stable on ~amd64
Comment 4 Rolf Eike Beer archtester 2019-04-24 18:46:49 UTC 
sparc stable
Comment 5 Markus Meier gentoo-dev 2019-05-02 05:02:19 UTC 
arm stable
Comment 6 Larry the Git Cow gentoo-dev 2019-05-07 18:03:34 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62abf42734d0afff1cc59c54035763f202644367

commit 62abf42734d0afff1cc59c54035763f202644367
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-07 18:03:15 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-07 18:03:23 +0000

    dev-python/urllib3-1.24.2-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/683890
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/urllib3/urllib3-1.24.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Anthony Basile gentoo-dev 2019-05-08 00:41:53 UTC 
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-06-04 13:17:49 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-06-04 18:53:35 UTC 
s390 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-05 07:12:53 UTC 
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-05 07:30:08 UTC 
ia64 stable
Comment 12 Rolf Eike Beer archtester 2019-06-09 20:48:02 UTC 
hppa done, all arches done
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-08-15 12:31:43 UTC 
@python, please drop vulnerable.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-16 02:25:14 UTC 
Cleanup is blocked by elasticsearch-py.
Comment 15 Larry the Git Cow gentoo-dev 2019-08-16 13:50:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfd9b99758aa243e6d0f3e950f6ee8cf6fb1f76e

commit dfd9b99758aa243e6d0f3e950f6ee8cf6fb1f76e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-15 19:50:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-16 13:40:33 +0000

    dev-python/urllib3: Clean old up
    
    Bug: https://bugs.gentoo.org/683890
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12719
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/urllib3/Manifest                        |  3 -
 .../urllib3/files/urllib3-1.23-tornado5.patch      | 72 ----------------------
 dev-python/urllib3/urllib3-1.22.ebuild             | 63 -------------------
 dev-python/urllib3/urllib3-1.23.ebuild             | 72 ----------------------
 dev-python/urllib3/urllib3-1.24.1.ebuild           | 67 --------------------
 5 files changed, 277 deletions(-)
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 22:40:26 UTC 
Repository is clean, all done!