PublicDateAtUSN: 2020-09-30 00:00:00 UTC
Candidate: CVE-2020-26137
PublicDate: 2020-09-30 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
 https://github.com/urllib3/urllib3/pull/1800
 https://ubuntu.com/security/notices/USN-4570-1
Description:
 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the
 HTTP request method, as demonstrated by inserting CR and LF control
 characters in the first argument of putrequest(). NOTE: this is similar to
 CVE-2020-26116.
Ubuntu-Description:
Notes:
 mdeslaur> the python-pip package bundles python-urllib3 binaries
 mdeslaur> when built. After updating python-urllib3, a no-change
 mdeslaur> rebuild of python-pip is required.
Mitigation:
Bugs:
 https://bugs.python.org/issue39603
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N [6.5 MEDIUM]

Patches_python-urllib3:
upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
upstream_python-urllib3: released (1.25.9-1)
precise/esm_python-urllib3: DNE
trusty_python-urllib3: ignored (reached end-of-life)
trusty/esm_python-urllib3: needed
xenial_python-urllib3: released (1.13.1-2ubuntu0.16.04.4)
esm-infra/xenial_python-urllib3: released (1.13.1-2ubuntu0.16.04.4)
bionic_python-urllib3: released (1.22-1ubuntu0.18.04.2)
focal_python-urllib3: released (1.25.8-2ubuntu0.1)
groovy_python-urllib3: not-affected (1.25.9-1)
hirsute_python-urllib3: not-affected (1.25.9-1)
impish_python-urllib3: not-affected (1.25.9-1)
jammy_python-urllib3: not-affected (1.25.9-1)
devel_python-urllib3: not-affected (1.25.9-1)

Patches_python-pip:
upstream_python-pip: needs-triage
precise/esm_python-pip: DNE
trusty_python-pip: ignored (reached end of life)
trusty/esm_python-pip: needed
xenial_python-pip: released (8.1.1-2ubuntu0.6)
bionic_python-pip: released (9.0.1-2.3~ubuntu1.18.04.3)
focal_python-pip: released (20.0.2-5ubuntu1.1)
groovy_python-pip: not-affected (20.1.1-2)
hirsute_python-pip: not-affected (20.1.1-2)
impish_python-pip: not-affected (20.1.1-2)
jammy_python-pip: not-affected (20.1.1-2)
devel_python-pip: not-affected (20.1.1-2)
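Worked illustration of the bug class described above. This is an added example and not urllib3's or CPython's own code: it serialises a request line the way an unpatched client did (interpolating the method string verbatim), parses the bytes the way a server would to show the smuggled header, and then applies a reject-anything-that-is-not-an-RFC-7230-token check of the kind the 1.25.9 fix and bpo-39603 introduced. The function and regex names (build_request_line, parse_request, is_token, validate_method, _NON_TOKEN_RE) and the sample request are assumptions made for this example. No network is used.

```python
"""Added example for CVE-2020-26137 (CRLF injection via an attacker-controlled
HTTP method). Not urllib3 code; all names below are ours."""
import re

# RFC 7230 "token" characters. A method containing anything else (CR, LF,
# space, colon, ...) cannot be a legitimate method and must be rejected.
# This mirrors the approach of the upstream fix; the exact regex is ours.
_NON_TOKEN_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")


def build_request_line(method, url, headers=None):
    """Serialise a request the way an unpatched client did: the method string
    is dropped straight into the request line with no validation."""
    lines = ["%s %s HTTP/1.1" % (method, url)]
    for name, value in (headers or {}).items():
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw):
    """Minimal server-side view: returns (request_line, {header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode()] = value.strip().decode()
    return request_line.decode(), headers


def is_token(method):
    """True if every character of `method` is an RFC 7230 token character."""
    return _NON_TOKEN_RE.search(method) is None


def validate_method(method):
    """Hardened entry point: refuse non-token methods before serialising,
    as urllib3 1.25.9 does in its putrequest() wrapper."""
    match = _NON_TOKEN_RE.search(method)
    if match:
        raise ValueError(
            "Method cannot contain non-token characters %r (found %r)"
            % (method, match.group())
        )
    return method


def safe_request_line(method, url, headers=None):
    """Same serialisation, but only after the method has been validated."""
    return build_request_line(validate_method(method), url, headers)


if __name__ == "__main__":
    # Constructed attacker-controlled method: a full request line, a CRLF,
    # an injected header, and a dangling header name so the caller's real
    # URL is swallowed as that header's value.
    evil = "GET / HTTP/1.1\r\nX-Injected: 1\r\nX-Tail:"
    raw = build_request_line(evil, "/real", {"Host": "example.test"})
    print(raw)
    print(parse_request(raw))  # server sees X-Injected, not a /real request
    try:
        safe_request_line(evil, "/real", {"Host": "example.test"})
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened path fails closed: any caller that lets user input reach the method argument (for example a "method" query parameter forwarded to a backend) now gets a ValueError instead of a smuggled header. Interpreters that already carry the bpo-39603 fix raise ValueError inside http.client itself for such methods; the unvalidated serialiser above exists only to show what older stacks emitted.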