FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 18:35:25 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
87270ba5-03d3-11ea-b81f-3085a9a95629	urllib3 -- multiple vulnerabilities NIST reports: (by search in the range 2018/01/01 - 2019/11/10): urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. Discovery 2018-12-11 Entry 2019-11-26 py27-urllib3 py35-urllib3 py36-urllib3 py37-urllib3 py38-urllib3 < 1.24.3,1 https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019 CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 ports/229322

VuXML ID

Description

87270ba5-03d3-11ea-b81f-3085a9a95629

urllib3 -- multiple vulnerabilities

NIST reports: (by search in the range 2018/01/01 - 2019/11/10):

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Discovery 2018-12-11
Entry 2019-11-26
py27-urllib3
py35-urllib3
py36-urllib3
py37-urllib3
py38-urllib3

< 1.24.3,1

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&query=urllib3&search_type=all&pub_start_date=01%2F01%2F2018&pub_end_date=11%2F10%2F2019
CVE-2018-20060
CVE-2019-11236
CVE-2019-11324
ports/229322