Your message dated Sun, 13 Jul 2025 12:34:25 +0000
with message-id <e1uavut-003ovi...@fasolo.debian.org>
and subject line Bug#1108077: fixed in python-urllib3 2.3.0-3
has caused the Debian Bug report #1108077,
regarding python-urllib3: CVE-2025-50182
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1108077: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108077
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-urllib3
Version: 2.3.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-urllib3.
CVE-2025-50182[0]:
| urllib3 is a user-friendly HTTP client library for Python. Prior to
| 2.5.0, urllib3 does not control redirects in browsers and Node.js.
| urllib3 supports being used in a Pyodide runtime utilizing the
| JavaScript Fetch API or falling back on XMLHttpRequest. This means
| Python libraries can be used to make HTTP requests from a browser or
| Node.js. Additionally, urllib3 provides a mechanism to control
| redirects, but the retries and redirect parameters are ignored with
| Pyodide; the runtime itself determines redirect behavior. This issue
| has been patched in version 2.5.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-50182
https://www.cve.org/CVERecord?id=CVE-2025-50182
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
[2] https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-urllib3
Source-Version: 2.3.0-3
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Jul 2025 14:09:35 +0200
Source: python-urllib3
Architecture: source
Version: 2.3.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1108076 1108077
Changes:
 python-urllib3 (2.3.0-3) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2025-50181: Fix a security issue where restricting the maximum
     number of followed redirects at the `urllib3.PoolManager` level via the
     `retries` parameter did not work (closes: #1108076).
   * CVE-2025-50182: Make the Node.js runtime respect redirect parameters
     such as `retries` and `redirects` (closes: #1108077).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
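A regression check for the redirect limit named in the changelog above, added here as an example and not taken from urllib3 or the Debian package. It runs a client against a local server that answers 302 and reports whether the redirect target was requested anyway. All function names are hypothetical. It covers only the native-Python `PoolManager` case (CVE-2025-50181), because the Pyodide/Node.js case (CVE-2025-50182) needs that runtime.

```python
import http.server
import threading
import urllib.request

def redirect_was_followed(fetch):
    """fetch(url) is run against a local server whose /start answers 302 -> /target."""
    hits = []

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            hits.append(self.path)
            if self.path == "/start":
                self.send_response(302)
                self.send_header("Location", "/target")
            else:
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        fetch(f"http://127.0.0.1:{server.server_port}/start")
    except Exception:
        pass  # a client may raise once its redirect limit is reached
    finally:
        server.shutdown()
        server.server_close()
    if "/start" not in hits:  # e.g. import or connection failure: no verdict
        raise RuntimeError("client never reached the test server")
    return "/target" in hits  # True means the limit was not enforced

def urllib3_pool_limit(url):
    """Client under test: redirects disabled at PoolManager level via retries."""
    import urllib3  # lazy import: the harness itself needs only the stdlib
    return urllib3.PoolManager(retries=urllib3.Retry(redirect=0)).request("GET", url)

class _Refuse(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib then raises HTTPError instead of following

def stdlib_following(url):  # control client, expected verdict: True
    return urllib.request.build_opener(urllib.request.ProxyHandler({})).open(url)

def stdlib_refusing(url):  # control client, expected verdict: False
    return urllib.request.build_opener(urllib.request.ProxyHandler({}), _Refuse).open(url)
```

With urllib3 installed, `redirect_was_followed(urllib3_pool_limit)` should return `False` on a package that carries the fix; the two stdlib clients are controls that confirm the harness distinguishes both outcomes.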