CVE-2019-11324

NameCVE-2019-11324
DescriptionThe urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs927412

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)stretch1.19.1-1vulnerable
buster1.24.1-1vulnerable
bullseye, sid1.25.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3sourcejessie(not affected)
python-urllib3source(unstable)1.25.6-4927412

Notes

[buster] - python-urllib3 <no-dsa> (Minor issue)
[stretch] - python-urllib3 <no-dsa> (Minor issue)
[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
https://www.openwall.com/lists/oss-security/2019/04/17/3

Search for package or bug name: Reporting problems