CVE-2019-11324

NameCVE-2019-11324
DescriptionThe urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs927412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)jessie1.9.1-3fixed
stretch1.19.1-1vulnerable
buster, sid1.24.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3source(unstable)(unfixed)medium927412
python-urllib3sourcejessie(not affected)

Notes

[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
https://www.openwall.com/lists/oss-security/2019/04/17/3

Search for package or bug name: Reporting problems