- Package: src:python-urllib3
- Source: src:python-urllib3
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-26 23:49:01 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-44431[0]:
| urllib3 is an HTTP client library for Python. From 1.23 to before
| 2.7.0, cross-origin redirects followed from the low-level API via
| ProxyManager.connection_from_url().urlopen(...,
| assert_same_host=False) still forward these sensitive headers. This
| vulnerability is fixed in 2.7.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44431
    https://www.cve.org/CVERecord?id=CVE-2026-44431
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136653@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jun 2026 18:46:48 +0200
Source: python-urllib3
Architecture: source
Version: 2.3.0-3+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1136653
Changes:
python-urllib3 (2.3.0-3+deb13u2) trixie-security; urgency=medium
.
* CVE-2026-44431 (Closes: #1136653)
We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136653@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated python-urllib3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Jun 2026 07:01:27 +0200
Source: python-urllib3
Architecture: source
Version: 1.26.12-1+deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1136653
Changes:
python-urllib3 (1.26.12-1+deb12u4) bookworm-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* Fix CVE-2026-44431: Sensitive headers forwarded across origins in proxied
low-level redirects. (Closes: #1136653)