Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-26137 (GCVE-0-2020-26137)
Vulnerability from cvelistv5 – Published: 2020-09-29 00:00 – Updated: 2024-08-04 15:49
VLAI
EPSS
Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.python.org/issue39603"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-08T13:06:22.131Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.python.org/issue39603"
},
{
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"tags": [
"vendor-advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26137",
"datePublished": "2020-09-29T00:00:00.000Z",
"dateReserved": "2020-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:49:07.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-26137",
"date": "2026-05-31",
"epss": "0.00279",
"percentile": "0.51511"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-26137\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-09-30T18:15:26.773\",\"lastModified\":\"2024-11-21T05:19:19.680\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.\"},{\"lang\":\"es\",\"value\":\"urllib3 versiones anteriores a 1.25.9, permite una inyecci\u00f3n de CRLF si el atacante controla el m\u00e9todo de petici\u00f3n HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la funci\u00f3n putrequest().\u0026#xa0;NOTA: esto es similar a CVE-2020-26116\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.25.9\",\"matchCriteriaId\":\"3EF5A26A-E388-4422-933C-6E2028A1C158\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B77BFB7-C105-4A42-A9A4-45EF4EC8556F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3E503FB-6279-4D4A-91D8-E237ECF9D2B0\"}]}]}],\"references\":[{\"url\":\"https://bugs.python.org/issue39603\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/pull/1800\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/4570-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.python.org/issue39603\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/urllib3/urllib3/pull/1800\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4570-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
FKIE_CVE-2020-26137
Vulnerability from fkie_nvd - Published: 2020-09-30 18:15 - Updated: 2024-11-21 05:19
Severity
Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| python | urllib3 | * | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 20.04 | |
| debian | debian_linux | 9.0 | |
| oracle | communications_cloud_native_core_network_function_cloud_native_environment | 22.2.0 | |
| oracle | zfs_storage_appliance_kit | 8.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3EF5A26A-E388-4422-933C-6E2028A1C158",
"versionEndExcluding": "1.25.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4B77BFB7-C105-4A42-A9A4-45EF4EC8556F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
},
{
"lang": "es",
"value": "urllib3 versiones anteriores a 1.25.9, permite una inyecci\u00f3n de CRLF si el atacante controla el m\u00e9todo de petici\u00f3n HTTP, como es demostrado al insertar caracteres de control CR y LF en el primer argumento de la funci\u00f3n putrequest().\u0026#xa0;NOTA: esto es similar a CVE-2020-26116"
}
],
"id": "CVE-2020-26137",
"lastModified": "2024-11-21T05:19:19.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-30T18:15:26.773",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WQVQ-5M8C-6G24
Vulnerability from github – Published: 2021-06-18 18:46 – Updated: 2024-11-18 22:42
VLAI
Summary
CRLF injection in urllib3
Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "urllib3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26137"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-17T22:13:47Z",
"nvd_published_at": "2020-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.",
"id": "GHSA-wqvq-5m8c-6g24",
"modified": "2024-11-18T22:42:10Z",
"published": "2021-06-18T18:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26137"
},
{
"type": "WEB",
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"type": "WEB",
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue39603"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2020-148.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/urllib3/urllib3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4570-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CRLF injection in urllib3"
}
GSD-2020-26137
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-26137",
"description": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"id": "GSD-2020-26137",
"references": [
"https://www.suse.com/security/cve/CVE-2020-26137.html",
"https://access.redhat.com/errata/RHSA-2021:1761",
"https://access.redhat.com/errata/RHSA-2021:1631",
"https://access.redhat.com/errata/RHSA-2021:0079",
"https://access.redhat.com/errata/RHSA-2021:0034",
"https://access.redhat.com/errata/RHSA-2020:4299",
"https://ubuntu.com/security/CVE-2020-26137",
"https://advisories.mageia.org/CVE-2020-26137.html",
"https://linux.oracle.com/cve/CVE-2020-26137.html",
"https://access.redhat.com/errata/RHSA-2022:5235"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-26137"
],
"details": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"id": "GSD-2020-26137",
"modified": "2023-12-13T01:22:08.747642Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26137",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.python.org/issue39603",
"refsource": "MISC",
"url": "https://bugs.python.org/issue39603"
},
{
"name": "https://github.com/urllib3/urllib3/pull/1800",
"refsource": "MISC",
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"name": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b",
"refsource": "MISC",
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "USN-4570-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.25.9",
"affected_versions": "All versions before 1.25.9",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2021-12-07",
"description": "urllib3 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting `CR` and `LF` control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.",
"fixed_versions": [
"1.25.9"
],
"identifier": "CVE-2020-26137",
"identifiers": [
"CVE-2020-26137"
],
"not_impacted": "All versions starting from 1.25.9",
"package_slug": "pypi/urllib3",
"pubdate": "2020-09-30",
"solution": "Upgrade to version 1.25.9 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-26137",
"https://bugs.python.org/issue39603"
],
"uuid": "6801dbac-c618-4270-84f5-c8d5e7b7542e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.25.9",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26137"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.python.org/issue39603",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugs.python.org/issue39603"
},
{
"name": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b"
},
{
"name": "https://github.com/urllib3/urllib3/pull/1800",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/urllib3/urllib3/pull/1800"
},
{
"name": "USN-4570-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4570-1/"
},
{
"name": "[debian-lts-announce] 20210615 [SECURITY] [DLA 2686-1] python-urllib3 security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "N/A",
"refsource": "N/A",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "[debian-lts-announce] 20231008 [SECURITY] [DLA 3610-1] python-urllib3 security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5
}
},
"lastModifiedDate": "2023-10-08T14:15Z",
"publishedDate": "2020-09-30T18:15Z"
}
}
}
MSRC_CVE-2020-26137
Vulnerability from csaf_microsoft - Published: 2020-09-02 00:00 - Updated: 2020-12-21 00:00Summary
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 16991-16820 | — |
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 16820-2 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-1 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2020/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2020/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2020-26137 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-26137.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"tracking": {
"current_release_date": "2020-12-21T00:00:00.000Z",
"generator": {
"date": "2025-12-27T21:06:47.752Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2020-26137",
"initial_release_date": "2020-09-02T00:00:00.000Z",
"revision_history": [
{
"date": "2020-12-21T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 python-urllib3 1.25.9-2",
"product": {
"name": "\u003ccm1 python-urllib3 1.25.9-2",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cm1 python-urllib3 1.25.9-2",
"product": {
"name": "cm1 python-urllib3 1.25.9-2",
"product_id": "16991"
}
}
],
"category": "product_name",
"name": "python-urllib3"
},
{
"category": "product_name",
"name": "cbl2 python-virtualenv 20.26.6-1",
"product": {
"name": "cbl2 python-virtualenv 20.26.6-1",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 python-urllib3 1.25.9-2 as a component of CBL Mariner 1.0",
"product_id": "16820-2"
},
"product_reference": "2",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 python-urllib3 1.25.9-2 as a component of CBL Mariner 1.0",
"product_id": "16991-16820"
},
"product_reference": "16991",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"flags": [
{
"label": "vulnerable_code_not_in_execute_path",
"product_ids": [
"17086-1"
]
}
],
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"16991-16820"
],
"known_affected": [
"16820-2"
],
"known_not_affected": [
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2020-26137 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-26137.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2020-12-21T00:00:00.000Z",
"details": "1.25.9-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"16820-2"
]
}
],
"title": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116."
}
]
}
OPENSUSE-SU-2020:2237-1
Vulnerability from csaf_opensuse - Published: 2020-12-13 05:24 - Updated: 2020-12-13 05:24Summary
Security update for python-urllib3
Severity
Moderate
Notes
Title of the patch: Security update for python-urllib3
Description of the patch: This update for python-urllib3 fixes the following issues:
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2020-2237
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-urllib3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-urllib3 fixes the following issues:\n\n- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).\t \n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-2237",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_2237-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:2237-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3Y5UAWOTOHQRGI2VNSOUDC2SOAHGJLAH/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:2237-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3Y5UAWOTOHQRGI2VNSOUDC2SOAHGJLAH/"
},
{
"category": "self",
"summary": "SUSE Bug 1177120",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "Security update for python-urllib3",
"tracking": {
"current_release_date": "2020-12-13T05:24:04Z",
"generator": {
"date": "2020-12-13T05:24:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:2237-1",
"initial_release_date": "2020-12-13T05:24:04Z",
"revision_history": [
{
"date": "2020-12-13T05:24:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"product_id": "python2-urllib3-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"product_id": "python2-urllib3-test-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"product_id": "python3-urllib3-1.24-lp152.5.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"product": {
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"product_id": "python3-urllib3-test-1.24-lp152.5.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python2-urllib3-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-test-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python3-urllib3-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-test-1.24-lp152.5.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
},
"product_reference": "python3-urllib3-test-1.24-lp152.5.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python2-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python2-urllib3-test-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-1.24-lp152.5.3.1.noarch",
"openSUSE Leap 15.2:python3-urllib3-test-1.24-lp152.5.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-12-13T05:24:04Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
OPENSUSE-SU-2020:2282-1
Vulnerability from csaf_opensuse - Published: 2020-12-18 11:23 - Updated: 2020-12-18 11:23Summary
Security update for python-urllib3
Severity
Moderate
Notes
Title of the patch: Security update for python-urllib3
Description of the patch: This update for python-urllib3 fixes the following issues:
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).
This update was imported from the SUSE:SLE-15-SP1:Update update project.
Patchnames: openSUSE-2020-2282
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.9.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.9.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-urllib3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-urllib3 fixes the following issues:\n\n- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).\t \n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-2282",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_2282-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:2282-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VS7J7DOJY26YMLJIUVHRH7UQFVLGBWIQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:2282-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VS7J7DOJY26YMLJIUVHRH7UQFVLGBWIQ/"
},
{
"category": "self",
"summary": "SUSE Bug 1177120",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "Security update for python-urllib3",
"tracking": {
"current_release_date": "2020-12-18T11:23:30Z",
"generator": {
"date": "2020-12-18T11:23:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:2282-1",
"initial_release_date": "2020-12-18T11:23:30Z",
"revision_history": [
{
"date": "2020-12-18T11:23:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-urllib3-1.24-lp151.2.9.1.noarch",
"product": {
"name": "python2-urllib3-1.24-lp151.2.9.1.noarch",
"product_id": "python2-urllib3-1.24-lp151.2.9.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"product": {
"name": "python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"product_id": "python2-urllib3-test-1.24-lp151.2.9.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-1.24-lp151.2.9.1.noarch",
"product": {
"name": "python3-urllib3-1.24-lp151.2.9.1.noarch",
"product_id": "python3-urllib3-1.24-lp151.2.9.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-urllib3-test-1.24-lp151.2.9.1.noarch",
"product": {
"name": "python3-urllib3-test-1.24-lp151.2.9.1.noarch",
"product_id": "python3-urllib3-test-1.24-lp151.2.9.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-1.24-lp151.2.9.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.9.1.noarch"
},
"product_reference": "python2-urllib3-1.24-lp151.2.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-test-1.24-lp151.2.9.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.9.1.noarch"
},
"product_reference": "python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-1.24-lp151.2.9.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.9.1.noarch"
},
"product_reference": "python3-urllib3-1.24-lp151.2.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-urllib3-test-1.24-lp151.2.9.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.9.1.noarch"
},
"product_reference": "python3-urllib3-test-1.24-lp151.2.9.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.1:python2-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python2-urllib3-test-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-1.24-lp151.2.9.1.noarch",
"openSUSE Leap 15.1:python3-urllib3-test-1.24-lp151.2.9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-12-18T11:23:30Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
OPENSUSE-SU-2021:1206-1
Vulnerability from csaf_opensuse - Published: 2021-08-27 04:06 - Updated: 2021-08-27 04:06Summary
Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Severity
Moderate
Notes
Title of the patch: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Description of the patch: This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli
- Version updated to upstream release v1.19.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-boto3
- Version updated to upstream release 1.17.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-botocore
- Version updated to upstream release 1.20.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-urllib3
- Version updated to upstream release 1.25.10
For a detailed list of all changes, please refer to the changelog file of this package.
# python-service_identity
- Added this new package to resolve runtime dependencies for other packages.
Version: 18.1.0
# python-trustme
- Added this new package to resolve runtime dependencies for other packages.
Version: 0.6.0
Security fixes:
# python-urllib3:
- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated
by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patchnames: openSUSE-2021-1206
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.i586 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This patch updates the Python AWS SDK stack in SLE 15:\n\nGeneral:\n\n# aws-cli\n\n- Version updated to upstream release v1.19.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-boto3\n\n- Version updated to upstream release 1.17.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-botocore\n\n- Version updated to upstream release 1.20.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-urllib3\n\n- Version updated to upstream release 1.25.10\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-service_identity\n\n- Added this new package to resolve runtime dependencies for other packages.\n Version: 18.1.0\n\n# python-trustme\n\n- Added this new package to resolve runtime dependencies for other packages.\n Version: 0.6.0\n\nSecurity fixes:\n\n# python-urllib3:\n \n- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated\n by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-1206",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1206-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:1206-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6CAFSANHH6TU43VSKAJ5JA2EMHSREMKP/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:1206-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6CAFSANHH6TU43VSKAJ5JA2EMHSREMKP/"
},
{
"category": "self",
"summary": "SUSE Bug 1102408",
"url": "https://bugzilla.suse.com/1102408"
},
{
"category": "self",
"summary": "SUSE Bug 1138715",
"url": "https://bugzilla.suse.com/1138715"
},
{
"category": "self",
"summary": "SUSE Bug 1138746",
"url": "https://bugzilla.suse.com/1138746"
},
{
"category": "self",
"summary": "SUSE Bug 1176389",
"url": "https://bugzilla.suse.com/1176389"
},
{
"category": "self",
"summary": "SUSE Bug 1177120",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "self",
"summary": "SUSE Bug 1182421",
"url": "https://bugzilla.suse.com/1182421"
},
{
"category": "self",
"summary": "SUSE Bug 1182422",
"url": "https://bugzilla.suse.com/1182422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3",
"tracking": {
"current_release_date": "2021-08-27T04:06:54Z",
"generator": {
"date": "2021-08-27T04:06:54Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:1206-1",
"initial_release_date": "2021-08-27T04:06:54Z",
"revision_history": [
{
"date": "2021-08-27T04:06:54Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-lp152.2.3.1.i586",
"product": {
"name": "python2-cffi-1.13.2-lp152.2.3.1.i586",
"product_id": "python2-cffi-1.13.2-lp152.2.3.1.i586"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-lp152.2.12.1.i586",
"product": {
"name": "python2-cryptography-2.8-lp152.2.12.1.i586",
"product_id": "python2-cryptography-2.8-lp152.2.12.1.i586"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-lp152.2.3.1.i586",
"product": {
"name": "python3-cffi-1.13.2-lp152.2.3.1.i586",
"product_id": "python3-cffi-1.13.2-lp152.2.3.1.i586"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-lp152.2.12.1.i586",
"product": {
"name": "python3-cryptography-2.8-lp152.2.12.1.i586",
"product_id": "python3-cryptography-2.8-lp152.2.12.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"product": {
"name": "python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"product_id": "python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"product": {
"name": "python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"product_id": "python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"product": {
"name": "python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"product_id": "python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"product": {
"name": "python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"product_id": "python2-cffi-1.13.2-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-lp152.2.12.1.x86_64",
"product": {
"name": "python2-cryptography-2.8-lp152.2.12.1.x86_64",
"product_id": "python2-cryptography-2.8-lp152.2.12.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"product": {
"name": "python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"product_id": "python3-cffi-1.13.2-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-lp152.2.12.1.x86_64",
"product": {
"name": "python3-cryptography-2.8-lp152.2.12.1.x86_64",
"product_id": "python3-cryptography-2.8-lp152.2.12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch"
},
"product_reference": "python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.i586"
},
"product_reference": "python2-cffi-1.13.2-lp152.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.x86_64"
},
"product_reference": "python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-lp152.2.12.1.i586 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.i586"
},
"product_reference": "python2-cryptography-2.8-lp152.2.12.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-lp152.2.12.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.x86_64"
},
"product_reference": "python2-cryptography-2.8-lp152.2.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
},
"product_reference": "python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-lp152.2.3.1.i586 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.i586"
},
"product_reference": "python3-cffi-1.13.2-lp152.2.3.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.x86_64"
},
"product_reference": "python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-lp152.2.12.1.i586 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.i586"
},
"product_reference": "python3-cryptography-2.8-lp152.2.12.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-lp152.2.12.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.x86_64"
},
"product_reference": "python3-cryptography-2.8-lp152.2.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
},
"product_reference": "python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:python-pyOpenSSL-doc-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python2-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python2-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python2-pyOpenSSL-17.5.0-lp152.7.3.1.noarch",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.i586",
"openSUSE Leap 15.2:python3-cffi-1.13.2-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.i586",
"openSUSE Leap 15.2:python3-cryptography-2.8-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:python3-pyOpenSSL-17.5.0-lp152.7.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-08-27T04:06:54Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
OPENSUSE-SU-2021:2817-1
Vulnerability from csaf_opensuse - Published: 2021-08-23 13:05 - Updated: 2021-08-23 13:05Summary
Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Severity
Moderate
Notes
Title of the patch: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Description of the patch: This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli
- Version updated to upstream release v1.19.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-boto3
- Version updated to upstream release 1.17.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-botocore
- Version updated to upstream release 1.20.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-urllib3
- Version updated to upstream release 1.25.10
For a detailed list of all changes, please refer to the changelog file of this package.
# python-service_identity
- Added this new package to resolve runtime dependencies for other packages.
Version: 18.1.0
# python-trustme
- Added this new package to resolve runtime dependencies for other packages.
Version: 0.6.0
Security fixes:
# python-urllib3:
- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated
by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)
Patchnames: openSUSE-SLE-15.3-2021-2817
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
28 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:aws-cli-1.19.9-26.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-asn1crypto-0.24.0-3.2.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-boto3-1.17.9-19.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-botocore-1.20.9-33.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cryptography-2.8-10.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cryptography-2.8-10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cryptography-2.8-10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-cryptography-2.8-10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-pyasn1-0.4.2-3.2.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-pycparser-2.17-3.2.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python2-urllib3-1.25.10-9.14.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-asn1crypto-0.24.0-3.2.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-boto3-1.17.9-19.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-botocore-1.20.9-33.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cryptography-2.8-10.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cryptography-2.8-10.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cryptography-2.8-10.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-cryptography-2.8-10.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-pyasn1-0.4.2-3.2.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:python3-pycparser-2.17-3.2.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This patch updates the Python AWS SDK stack in SLE 15:\n\nGeneral:\n\n# aws-cli\n\n- Version updated to upstream release v1.19.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-boto3\n\n- Version updated to upstream release 1.17.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-botocore\n\n- Version updated to upstream release 1.20.9\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-urllib3\n\n- Version updated to upstream release 1.25.10\n For a detailed list of all changes, please refer to the changelog file of this package.\n\n# python-service_identity\n\n- Added this new package to resolve runtime dependencies for other packages.\n Version: 18.1.0\n\n# python-trustme\n\n- Added this new package to resolve runtime dependencies for other packages.\n Version: 0.6.0\n\nSecurity fixes:\n\n# python-urllib3:\n \n- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated\n by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2021-2817",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_2817-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:2817-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TOZI5ZFPFR2BACIE74HUJWDXC2ZWXNGD/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:2817-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TOZI5ZFPFR2BACIE74HUJWDXC2ZWXNGD/"
},
{
"category": "self",
"summary": "SUSE Bug 1102408",
"url": "https://bugzilla.suse.com/1102408"
},
{
"category": "self",
"summary": "SUSE Bug 1138715",
"url": "https://bugzilla.suse.com/1138715"
},
{
"category": "self",
"summary": "SUSE Bug 1138746",
"url": "https://bugzilla.suse.com/1138746"
},
{
"category": "self",
"summary": "SUSE Bug 1176389",
"url": "https://bugzilla.suse.com/1176389"
},
{
"category": "self",
"summary": "SUSE Bug 1177120",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "self",
"summary": "SUSE Bug 1182421",
"url": "https://bugzilla.suse.com/1182421"
},
{
"category": "self",
"summary": "SUSE Bug 1182422",
"url": "https://bugzilla.suse.com/1182422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3",
"tracking": {
"current_release_date": "2021-08-23T13:05:21Z",
"generator": {
"date": "2021-08-23T13:05:21Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:2817-1",
"initial_release_date": "2021-08-23T13:05:21Z",
"revision_history": [
{
"date": "2021-08-23T13:05:21Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-3.2.5.aarch64",
"product": {
"name": "python2-cffi-1.13.2-3.2.5.aarch64",
"product_id": "python2-cffi-1.13.2-3.2.5.aarch64"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-10.1.aarch64",
"product": {
"name": "python2-cryptography-2.8-10.1.aarch64",
"product_id": "python2-cryptography-2.8-10.1.aarch64"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-3.2.5.aarch64",
"product": {
"name": "python3-cffi-1.13.2-3.2.5.aarch64",
"product_id": "python3-cffi-1.13.2-3.2.5.aarch64"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-10.1.aarch64",
"product": {
"name": "python3-cryptography-2.8-10.1.aarch64",
"product_id": "python3-cryptography-2.8-10.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "aws-cli-1.19.9-26.1.noarch",
"product": {
"name": "aws-cli-1.19.9-26.1.noarch",
"product_id": "aws-cli-1.19.9-26.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-asn1crypto-0.24.0-3.2.1.noarch",
"product": {
"name": "python2-asn1crypto-0.24.0-3.2.1.noarch",
"product_id": "python2-asn1crypto-0.24.0-3.2.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-boto3-1.17.9-19.1.noarch",
"product": {
"name": "python2-boto3-1.17.9-19.1.noarch",
"product_id": "python2-boto3-1.17.9-19.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-botocore-1.20.9-33.1.noarch",
"product": {
"name": "python2-botocore-1.20.9-33.1.noarch",
"product_id": "python2-botocore-1.20.9-33.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-pyasn1-0.4.2-3.2.1.noarch",
"product": {
"name": "python2-pyasn1-0.4.2-3.2.1.noarch",
"product_id": "python2-pyasn1-0.4.2-3.2.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-pycparser-2.17-3.2.1.noarch",
"product": {
"name": "python2-pycparser-2.17-3.2.1.noarch",
"product_id": "python2-pycparser-2.17-3.2.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-urllib3-1.25.10-9.14.1.noarch",
"product": {
"name": "python2-urllib3-1.25.10-9.14.1.noarch",
"product_id": "python2-urllib3-1.25.10-9.14.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-asn1crypto-0.24.0-3.2.1.noarch",
"product": {
"name": "python3-asn1crypto-0.24.0-3.2.1.noarch",
"product_id": "python3-asn1crypto-0.24.0-3.2.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-boto3-1.17.9-19.1.noarch",
"product": {
"name": "python3-boto3-1.17.9-19.1.noarch",
"product_id": "python3-boto3-1.17.9-19.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-botocore-1.20.9-33.1.noarch",
"product": {
"name": "python3-botocore-1.20.9-33.1.noarch",
"product_id": "python3-botocore-1.20.9-33.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-pyasn1-0.4.2-3.2.1.noarch",
"product": {
"name": "python3-pyasn1-0.4.2-3.2.1.noarch",
"product_id": "python3-pyasn1-0.4.2-3.2.1.noarch"
}
},
{
"category": "product_version",
"name": "python3-pycparser-2.17-3.2.1.noarch",
"product": {
"name": "python3-pycparser-2.17-3.2.1.noarch",
"product_id": "python3-pycparser-2.17-3.2.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-3.2.5.ppc64le",
"product": {
"name": "python2-cffi-1.13.2-3.2.5.ppc64le",
"product_id": "python2-cffi-1.13.2-3.2.5.ppc64le"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-10.1.ppc64le",
"product": {
"name": "python2-cryptography-2.8-10.1.ppc64le",
"product_id": "python2-cryptography-2.8-10.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-3.2.5.ppc64le",
"product": {
"name": "python3-cffi-1.13.2-3.2.5.ppc64le",
"product_id": "python3-cffi-1.13.2-3.2.5.ppc64le"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-10.1.ppc64le",
"product": {
"name": "python3-cryptography-2.8-10.1.ppc64le",
"product_id": "python3-cryptography-2.8-10.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-3.2.5.s390x",
"product": {
"name": "python2-cffi-1.13.2-3.2.5.s390x",
"product_id": "python2-cffi-1.13.2-3.2.5.s390x"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-10.1.s390x",
"product": {
"name": "python2-cryptography-2.8-10.1.s390x",
"product_id": "python2-cryptography-2.8-10.1.s390x"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-3.2.5.s390x",
"product": {
"name": "python3-cffi-1.13.2-3.2.5.s390x",
"product_id": "python3-cffi-1.13.2-3.2.5.s390x"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-10.1.s390x",
"product": {
"name": "python3-cryptography-2.8-10.1.s390x",
"product_id": "python3-cryptography-2.8-10.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-cffi-1.13.2-3.2.5.x86_64",
"product": {
"name": "python2-cffi-1.13.2-3.2.5.x86_64",
"product_id": "python2-cffi-1.13.2-3.2.5.x86_64"
}
},
{
"category": "product_version",
"name": "python2-cryptography-2.8-10.1.x86_64",
"product": {
"name": "python2-cryptography-2.8-10.1.x86_64",
"product_id": "python2-cryptography-2.8-10.1.x86_64"
}
},
{
"category": "product_version",
"name": "python3-cffi-1.13.2-3.2.5.x86_64",
"product": {
"name": "python3-cffi-1.13.2-3.2.5.x86_64",
"product_id": "python3-cffi-1.13.2-3.2.5.x86_64"
}
},
{
"category": "product_version",
"name": "python3-cryptography-2.8-10.1.x86_64",
"product": {
"name": "python3-cryptography-2.8-10.1.x86_64",
"product_id": "python3-cryptography-2.8-10.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "aws-cli-1.19.9-26.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:aws-cli-1.19.9-26.1.noarch"
},
"product_reference": "aws-cli-1.19.9-26.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-asn1crypto-0.24.0-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-asn1crypto-0.24.0-3.2.1.noarch"
},
"product_reference": "python2-asn1crypto-0.24.0-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-boto3-1.17.9-19.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-boto3-1.17.9-19.1.noarch"
},
"product_reference": "python2-boto3-1.17.9-19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-botocore-1.20.9-33.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-botocore-1.20.9-33.1.noarch"
},
"product_reference": "python2-botocore-1.20.9-33.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-3.2.5.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.aarch64"
},
"product_reference": "python2-cffi-1.13.2-3.2.5.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-3.2.5.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.ppc64le"
},
"product_reference": "python2-cffi-1.13.2-3.2.5.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-3.2.5.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.s390x"
},
"product_reference": "python2-cffi-1.13.2-3.2.5.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cffi-1.13.2-3.2.5.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.x86_64"
},
"product_reference": "python2-cffi-1.13.2-3.2.5.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-10.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cryptography-2.8-10.1.aarch64"
},
"product_reference": "python2-cryptography-2.8-10.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-10.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cryptography-2.8-10.1.ppc64le"
},
"product_reference": "python2-cryptography-2.8-10.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-10.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cryptography-2.8-10.1.s390x"
},
"product_reference": "python2-cryptography-2.8-10.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-cryptography-2.8-10.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-cryptography-2.8-10.1.x86_64"
},
"product_reference": "python2-cryptography-2.8-10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-pyasn1-0.4.2-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-pyasn1-0.4.2-3.2.1.noarch"
},
"product_reference": "python2-pyasn1-0.4.2-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-pycparser-2.17-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-pycparser-2.17-3.2.1.noarch"
},
"product_reference": "python2-pycparser-2.17-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-urllib3-1.25.10-9.14.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python2-urllib3-1.25.10-9.14.1.noarch"
},
"product_reference": "python2-urllib3-1.25.10-9.14.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-asn1crypto-0.24.0-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-asn1crypto-0.24.0-3.2.1.noarch"
},
"product_reference": "python3-asn1crypto-0.24.0-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-boto3-1.17.9-19.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-boto3-1.17.9-19.1.noarch"
},
"product_reference": "python3-boto3-1.17.9-19.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-botocore-1.20.9-33.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-botocore-1.20.9-33.1.noarch"
},
"product_reference": "python3-botocore-1.20.9-33.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-3.2.5.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.aarch64"
},
"product_reference": "python3-cffi-1.13.2-3.2.5.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-3.2.5.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.ppc64le"
},
"product_reference": "python3-cffi-1.13.2-3.2.5.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-3.2.5.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.s390x"
},
"product_reference": "python3-cffi-1.13.2-3.2.5.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cffi-1.13.2-3.2.5.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.x86_64"
},
"product_reference": "python3-cffi-1.13.2-3.2.5.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-10.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cryptography-2.8-10.1.aarch64"
},
"product_reference": "python3-cryptography-2.8-10.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-10.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cryptography-2.8-10.1.ppc64le"
},
"product_reference": "python3-cryptography-2.8-10.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-10.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cryptography-2.8-10.1.s390x"
},
"product_reference": "python3-cryptography-2.8-10.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-cryptography-2.8-10.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-cryptography-2.8-10.1.x86_64"
},
"product_reference": "python3-cryptography-2.8-10.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-pyasn1-0.4.2-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-pyasn1-0.4.2-3.2.1.noarch"
},
"product_reference": "python3-pyasn1-0.4.2-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-pycparser-2.17-3.2.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:python3-pycparser-2.17-3.2.1.noarch"
},
"product_reference": "python3-pycparser-2.17-3.2.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:aws-cli-1.19.9-26.1.noarch",
"openSUSE Leap 15.3:python2-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python2-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python2-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python2-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python2-pycparser-2.17-3.2.1.noarch",
"openSUSE Leap 15.3:python2-urllib3-1.25.10-9.14.1.noarch",
"openSUSE Leap 15.3:python3-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python3-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python3-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python3-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python3-pycparser-2.17-3.2.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:aws-cli-1.19.9-26.1.noarch",
"openSUSE Leap 15.3:python2-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python2-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python2-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python2-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python2-pycparser-2.17-3.2.1.noarch",
"openSUSE Leap 15.3:python2-urllib3-1.25.10-9.14.1.noarch",
"openSUSE Leap 15.3:python3-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python3-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python3-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python3-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python3-pycparser-2.17-3.2.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:aws-cli-1.19.9-26.1.noarch",
"openSUSE Leap 15.3:python2-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python2-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python2-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python2-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python2-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python2-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python2-pycparser-2.17-3.2.1.noarch",
"openSUSE Leap 15.3:python2-urllib3-1.25.10-9.14.1.noarch",
"openSUSE Leap 15.3:python3-asn1crypto-0.24.0-3.2.1.noarch",
"openSUSE Leap 15.3:python3-boto3-1.17.9-19.1.noarch",
"openSUSE Leap 15.3:python3-botocore-1.20.9-33.1.noarch",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.aarch64",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.ppc64le",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.s390x",
"openSUSE Leap 15.3:python3-cffi-1.13.2-3.2.5.x86_64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.aarch64",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.ppc64le",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.s390x",
"openSUSE Leap 15.3:python3-cryptography-2.8-10.1.x86_64",
"openSUSE Leap 15.3:python3-pyasn1-0.4.2-3.2.1.noarch",
"openSUSE Leap 15.3:python3-pycparser-2.17-3.2.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-08-23T13:05:21Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
OPENSUSE-SU-2024:13212-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
python310-urllib3-2.0.4-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: python310-urllib3-2.0.4-2.1 on GA media
Description of the patch: These are all security issues fixed in the python310-urllib3-2.0.4-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-13212
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
6 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-urllib3-2.0.4-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-urllib3-2.0.4-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13212",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13212-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "python310-urllib3-2.0.4-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13212-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3-2.0.4-2.1.aarch64",
"product": {
"name": "python310-urllib3-2.0.4-2.1.aarch64",
"product_id": "python310-urllib3-2.0.4-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-urllib3-2.0.4-2.1.aarch64",
"product": {
"name": "python311-urllib3-2.0.4-2.1.aarch64",
"product_id": "python311-urllib3-2.0.4-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "python39-urllib3-2.0.4-2.1.aarch64",
"product": {
"name": "python39-urllib3-2.0.4-2.1.aarch64",
"product_id": "python39-urllib3-2.0.4-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3-2.0.4-2.1.ppc64le",
"product": {
"name": "python310-urllib3-2.0.4-2.1.ppc64le",
"product_id": "python310-urllib3-2.0.4-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-urllib3-2.0.4-2.1.ppc64le",
"product": {
"name": "python311-urllib3-2.0.4-2.1.ppc64le",
"product_id": "python311-urllib3-2.0.4-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python39-urllib3-2.0.4-2.1.ppc64le",
"product": {
"name": "python39-urllib3-2.0.4-2.1.ppc64le",
"product_id": "python39-urllib3-2.0.4-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3-2.0.4-2.1.s390x",
"product": {
"name": "python310-urllib3-2.0.4-2.1.s390x",
"product_id": "python310-urllib3-2.0.4-2.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-urllib3-2.0.4-2.1.s390x",
"product": {
"name": "python311-urllib3-2.0.4-2.1.s390x",
"product_id": "python311-urllib3-2.0.4-2.1.s390x"
}
},
{
"category": "product_version",
"name": "python39-urllib3-2.0.4-2.1.s390x",
"product": {
"name": "python39-urllib3-2.0.4-2.1.s390x",
"product_id": "python39-urllib3-2.0.4-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3-2.0.4-2.1.x86_64",
"product": {
"name": "python310-urllib3-2.0.4-2.1.x86_64",
"product_id": "python310-urllib3-2.0.4-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-urllib3-2.0.4-2.1.x86_64",
"product": {
"name": "python311-urllib3-2.0.4-2.1.x86_64",
"product_id": "python311-urllib3-2.0.4-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "python39-urllib3-2.0.4-2.1.x86_64",
"product": {
"name": "python39-urllib3-2.0.4-2.1.x86_64",
"product_id": "python39-urllib3-2.0.4-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3-2.0.4-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.aarch64"
},
"product_reference": "python310-urllib3-2.0.4-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3-2.0.4-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.ppc64le"
},
"product_reference": "python310-urllib3-2.0.4-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3-2.0.4-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.s390x"
},
"product_reference": "python310-urllib3-2.0.4-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3-2.0.4-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.x86_64"
},
"product_reference": "python310-urllib3-2.0.4-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3-2.0.4-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.aarch64"
},
"product_reference": "python311-urllib3-2.0.4-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3-2.0.4-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.ppc64le"
},
"product_reference": "python311-urllib3-2.0.4-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3-2.0.4-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.s390x"
},
"product_reference": "python311-urllib3-2.0.4-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3-2.0.4-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.x86_64"
},
"product_reference": "python311-urllib3-2.0.4-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3-2.0.4-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.aarch64"
},
"product_reference": "python39-urllib3-2.0.4-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3-2.0.4-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.ppc64le"
},
"product_reference": "python39-urllib3-2.0.4-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3-2.0.4-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.s390x"
},
"product_reference": "python39-urllib3-2.0.4-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3-2.0.4-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.x86_64"
},
"product_reference": "python39-urllib3-2.0.4-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3-2.0.4-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3-2.0.4-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
OPENSUSE-SU-2024:13213-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
python310-urllib3_1-1.26.16-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: python310-urllib3_1-1.26.16-2.1 on GA media
Description of the patch: These are all security issues fixed in the python310-urllib3_1-1.26.16-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-13213
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.8 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
6 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python310-urllib3_1-1.26.16-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python310-urllib3_1-1.26.16-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13213",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13213-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-26137 page",
"url": "https://www.suse.com/security/cve/CVE-2020-26137/"
}
],
"title": "python310-urllib3_1-1.26.16-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13213-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3_1-1.26.16-2.1.aarch64",
"product": {
"name": "python310-urllib3_1-1.26.16-2.1.aarch64",
"product_id": "python310-urllib3_1-1.26.16-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-urllib3_1-1.26.16-2.1.aarch64",
"product": {
"name": "python311-urllib3_1-1.26.16-2.1.aarch64",
"product_id": "python311-urllib3_1-1.26.16-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "python39-urllib3_1-1.26.16-2.1.aarch64",
"product": {
"name": "python39-urllib3_1-1.26.16-2.1.aarch64",
"product_id": "python39-urllib3_1-1.26.16-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3_1-1.26.16-2.1.ppc64le",
"product": {
"name": "python310-urllib3_1-1.26.16-2.1.ppc64le",
"product_id": "python310-urllib3_1-1.26.16-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-urllib3_1-1.26.16-2.1.ppc64le",
"product": {
"name": "python311-urllib3_1-1.26.16-2.1.ppc64le",
"product_id": "python311-urllib3_1-1.26.16-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python39-urllib3_1-1.26.16-2.1.ppc64le",
"product": {
"name": "python39-urllib3_1-1.26.16-2.1.ppc64le",
"product_id": "python39-urllib3_1-1.26.16-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3_1-1.26.16-2.1.s390x",
"product": {
"name": "python310-urllib3_1-1.26.16-2.1.s390x",
"product_id": "python310-urllib3_1-1.26.16-2.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-urllib3_1-1.26.16-2.1.s390x",
"product": {
"name": "python311-urllib3_1-1.26.16-2.1.s390x",
"product_id": "python311-urllib3_1-1.26.16-2.1.s390x"
}
},
{
"category": "product_version",
"name": "python39-urllib3_1-1.26.16-2.1.s390x",
"product": {
"name": "python39-urllib3_1-1.26.16-2.1.s390x",
"product_id": "python39-urllib3_1-1.26.16-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python310-urllib3_1-1.26.16-2.1.x86_64",
"product": {
"name": "python310-urllib3_1-1.26.16-2.1.x86_64",
"product_id": "python310-urllib3_1-1.26.16-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-urllib3_1-1.26.16-2.1.x86_64",
"product": {
"name": "python311-urllib3_1-1.26.16-2.1.x86_64",
"product_id": "python311-urllib3_1-1.26.16-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "python39-urllib3_1-1.26.16-2.1.x86_64",
"product": {
"name": "python39-urllib3_1-1.26.16-2.1.x86_64",
"product_id": "python39-urllib3_1-1.26.16-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3_1-1.26.16-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.aarch64"
},
"product_reference": "python310-urllib3_1-1.26.16-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3_1-1.26.16-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.ppc64le"
},
"product_reference": "python310-urllib3_1-1.26.16-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3_1-1.26.16-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.s390x"
},
"product_reference": "python310-urllib3_1-1.26.16-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python310-urllib3_1-1.26.16-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.x86_64"
},
"product_reference": "python310-urllib3_1-1.26.16-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3_1-1.26.16-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.aarch64"
},
"product_reference": "python311-urllib3_1-1.26.16-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3_1-1.26.16-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.ppc64le"
},
"product_reference": "python311-urllib3_1-1.26.16-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3_1-1.26.16-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.s390x"
},
"product_reference": "python311-urllib3_1-1.26.16-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-urllib3_1-1.26.16-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.x86_64"
},
"product_reference": "python311-urllib3_1-1.26.16-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3_1-1.26.16-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.aarch64"
},
"product_reference": "python39-urllib3_1-1.26.16-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3_1-1.26.16-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.ppc64le"
},
"product_reference": "python39-urllib3_1-1.26.16-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3_1-1.26.16-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.s390x"
},
"product_reference": "python39-urllib3_1-1.26.16-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python39-urllib3_1-1.26.16-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.x86_64"
},
"product_reference": "python39-urllib3_1-1.26.16-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-26137",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-26137"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-26137",
"url": "https://www.suse.com/security/cve/CVE-2020-26137"
},
{
"category": "external",
"summary": "SUSE Bug 1177120 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177120"
},
{
"category": "external",
"summary": "SUSE Bug 1177211 for CVE-2020-26137",
"url": "https://bugzilla.suse.com/1177211"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python310-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python311-urllib3_1-1.26.16-2.1.x86_64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.aarch64",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.ppc64le",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.s390x",
"openSUSE Tumbleweed:python39-urllib3_1-1.26.16-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-26137"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…