
List:       oss-security
Subject:    [oss-security] Re: urllib3: adds system certificates to ssl_context
From:       Havoc Pennington <hp () tidelift ! com>
Date:       2019-04-19 0:40:56
Message-ID: CAC7nai19LLaw_ZGOQK9XvLOMcMCpxF0ZKRoniRGvU3URTaALWw () mail ! gmail ! com

Hello,

This vulnerability "urllib3: adds system certificates to ssl_context"
has been assigned CVE-2019-11324.

Thank you
Havoc

On Wed, Apr 17, 2019 at 2:21 PM Havoc Pennington <hp@tidelift.com> wrote:
>
> A vulnerability has been discovered in the urllib3 Python library.
>
> When verifying HTTPS connections when an SSLContext is passed to
> urllib3, system CA certificates will be loaded into the SSLContext
> by default in addition to any manually-specified CA certificates.
> This causes TLS handshakes that should fail given only the
> manually specified certs to succeed based on system CA certs.
>
> This affects urllib3 1.24.1 and below. The fix has been released
> in version 1.24.2.
>
> The vulnerability was reported by Christian Heimes.
>
> A CVE ID has been requested, will follow up with it when we have it.
>
> Best
> Havoc / on behalf of Tidelift security team & urllib3 team
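The following is an added example, not code from urllib3, Tidelift or this thread. It models the trust-store decision the advisory describes so the difference between the affected and fixed behaviour can be checked offline: `TrustRecorder` stands in for the application's `ssl.SSLContext` (it records `load_verify_locations`/`load_default_certs` calls instead of reading certificate files), `select_trust_store` is a reconstruction of the decision from the advisory text rather than urllib3's actual source, the `fixed` flag and the CA file paths are constructed for illustration, and `is_affected` applies the version range stated above to plain dotted release strings.

```python
"""Model of the CVE-2019-11324 trust-store selection bug.

Added example, not urllib3 code. The advisory states that when a caller passes
its own SSLContext (intended to trust only a manually chosen CA) and no
ca_certs/ca_cert_dir, urllib3 <= 1.24.1 still loads the system CA store into
that context, so a handshake that should fail can succeed via a system CA.
"""


class TrustRecorder:
    """Stand-in for the application's ssl.SSLContext.

    A real program would use ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) and load
    its pinned CA with load_verify_locations(); here each load is only
    recorded, so the example runs without any certificate files on disk.
    """

    def __init__(self):
        self.loaded = []  # ("manual"|"system", cafile, capath) in load order

    def load_verify_locations(self, cafile=None, capath=None):
        self.loaded.append(("manual", cafile, capath))

    def load_default_certs(self):
        self.loaded.append(("system", None, None))


def pinned_context(cafile):
    """What a careful caller builds: a context trusting exactly one CA file."""
    ctx = TrustRecorder()
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def select_trust_store(ca_certs=None, ca_cert_dir=None, ssl_context=None, fixed=True):
    """Reconstruction (from the advisory, not urllib3 source) of which trust
    stores end up in the context used for the handshake.

    fixed=False reproduces the 1.24.1-and-earlier behaviour; fixed=True the
    1.24.2 behaviour, where the system store is only a fallback for a context
    that urllib3 created itself.
    """
    context = ssl_context if ssl_context is not None else TrustRecorder()
    if ca_certs or ca_cert_dir:
        context.load_verify_locations(ca_certs, ca_cert_dir)
    elif fixed:
        if ssl_context is None:
            # No caller-supplied trust at all: system store is the only option.
            context.load_default_certs()
    else:
        # Affected versions: system store added even to a caller-supplied context,
        # silently widening the set of CAs that can vouch for the server.
        context.load_default_certs()
    return context


def trust_sources(**kwargs):
    """Names of the trust stores loaded, in order, for a given call shape."""
    return [src for src, _, _ in select_trust_store(**kwargs).loaded]


def is_affected(version):
    """True for urllib3 releases up to and including 1.24.1, per the advisory.

    Handles plain dotted release strings such as "1.24.1" or "1.25".
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= (1, 24, 1)


if __name__ == "__main__":
    pinned = "/constructed/path/pinned-ca.pem"  # constructed, does not exist
    for fixed in (False, True):
        ctx = pinned_context(pinned)
        print("fixed" if fixed else "affected",
              trust_sources(ssl_context=ctx, fixed=fixed))
    print("1.24.1 affected:", is_affected("1.24.1"))
    print("1.24.2 affected:", is_affected("1.24.2"))
```

The case to watch is the caller-supplied context with no `ca_certs`: in the affected branch it ends up trusting both the pinned CA and every system CA, which is exactly the widening the advisory describes; after the fix the system store is only consulted when urllib3 had to build the context itself.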