• Bug#1109582: unblock: python-urllib3/2.3.0-3

    From Colin Watson@21:1/5 to All on Sun Jul 20 14:40:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    User: [email protected]
    Usertags: unblock
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:python-urllib3

    [ Reason ]
    Fix CVE-2025-50181 and CVE-2025-50182.

    [ Impact ]
    According to the CVEs (lightly edited):

    * It was possible to disable redirects for all requests by
    instantiating a PoolManager and specifying retries in a way that
    disables redirects. By default, requests and botocore users were not
    affected. An application attempting to mitigate SSRF or open
    redirect vulnerabilities by disabling redirects at the PoolManager
    level will remain vulnerable.

    * urllib3 did not control redirects in browsers and Node.js. urllib3
    supports being used in a Pyodide runtime utilizing the JavaScript
    Fetch API or falling back on XMLHttpRequest. This means Python
    libraries can be used to make HTTP requests from a browser or
    Node.js. Additionally, urllib3 provides a mechanism to control
    redirects, but the retries and redirect parameters are ignored with
    Pyodide; the runtime itself determines redirect behavior.

    [ Tests ]
    There are unit test changes for each of the CVE fixes.

    [ Risks ]
    I just backported the changes from upstream. I'd say the code is of
    medium complexity, but if I ignore the test changes then the changes are
    quite short and easy enough to read.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock python-urllib3/2.3.0-3

    Thanks,

    --
    Colin Watson (he/him) [[email protected]]
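A loopback regression check for the CVE-2025-50181 behaviour described under [Impact], added here as an example and not part of Colin's message or of the urllib3 project: it serves a constructed 302 from /start to /target and records whether urllib3 follows it when redirects are limited per request versus at the PoolManager level. The helper names, the use of `Retry(redirect=0, raise_on_redirect=False)` as the "disable redirects" form, and the None result when urllib3 is not installed are my assumptions.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

try:
    import urllib3
    from urllib3.util import Retry
except ImportError:  # assumption: urllib3 may be absent; run_checks() then returns None
    urllib3 = None

class _RedirectHandler(BaseHTTPRequestHandler):
    # Constructed loopback server: /start answers 302 -> /target, anything else 200.
    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/target")
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the check quiet
        pass

def _outcome(request):
    # One request: did the client follow the 302, hand it back, or raise?
    try:
        response = request()
    except urllib3.exceptions.MaxRetryError:
        return "raised"
    return "returned_redirect" if response.status == 302 else "followed"

def run_checks():
    """Outcome of three redirect configurations, or None when urllib3 is missing."""
    if urllib3 is None:
        return None
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/start"
    no_redirects = Retry(redirect=0, raise_on_redirect=False)  # assumed "disable redirects" form
    try:
        return {
            "default": _outcome(lambda: urllib3.PoolManager().request("GET", url)),
            # per-request limit: honoured by every urllib3 version
            "per_request": _outcome(
                lambda: urllib3.PoolManager().request("GET", url, retries=no_redirects)),
            # PoolManager-level limit: "followed" on versions affected by CVE-2025-50181
            "pool_level": _outcome(
                lambda: urllib3.PoolManager(retries=no_redirects).request("GET", url)),
        }
    finally:
        server.shutdown()
```

Run `run_checks()` against the installed python-urllib3: a "pool_level" result of "followed" means the PoolManager-level limit is still being ignored.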

    diff -Nru python-urllib3-2.3.0/debian/changelog python-urllib3-2.3.0/debian/changelog
    --- python-urllib3-2.3.0/debian/changelog 2025-03-12 12:20:41.000000000 +0100
    +++ python-urllib3-2.3.0/debian/changelog 2025-07-13 14:09:35.000000000 +0200
    @@ -1,3 +1,14 @@
    +python-urllib3 (2.3.0-3) unstable; urgency=medium
    +
    + * Team upload.
    + * CVE-2025-50181: Fix a security issue where restricting the maximum
    + number of followed redirects at the `urllib3.PoolManager` level via the
    + `retries` parameter did not work (closes: #1108076).
    + * CVE-2025-50182: Make the Node.js runtime respect redirect parameters
    + such as `retries` and `redirects` (closes: #1108077).
    +
    + -- Colin Watson <[email protected]> Sun, 13 Jul 2025 14:09:35 +0200
    +
    python-urllib3 (2.3.0-2) unstable; urgency=medium

    * Team upload.
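    Review bot: the CVE-2025-50182 entry names only "the Node.js runtime", while the [Impact] text above says "urllib3 did not control redirects in browsers and Node.js" via Pyodide; if the backported change covers only the Node.js side, say so in the entry, otherwise widen it to "the Pyodide runtime (browser and Node.js)" so the changelog matches the advisory. The same entry lists a `redirects` parameter, whereas the [Impact] text and the CVE-2025-50181 entry refer to `redirect`; check the name against the patch before upload.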
    diff -Nru python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch
    --- python-urllib3-2.3.0/debian/patches/CVE-2025-50181.patch 1970-01-01 01:00:00.000000000 +0100
    +++ python-urllib3-2.3.0/debian/patches/CVE-2025-5018