UbuntuUpdates.org

Package "python-urllib3"

Name: python-urllib3

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • HTTP library with thread-safe connection pooling for Python3

Latest version: 2.6.3-1ubuntu1.1
Release: resolute (26.04)
Level: security
Repository: main

Other versions of "python-urllib3" in Resolute

Repository  Area  Version
base        main  2.6.3-1ubuntu1
updates     main  2.6.3-1ubuntu1.1


Changelog

Version: 2.6.3-1ubuntu1.1 2026-06-03 18:07:53 UTC

  python-urllib3 (2.6.3-1ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: sensitive headers not stripped in cross-origin redirects
    - debian/patches/CVE-2026-44431.patch: remove sensitive headers in proxy
      pools too in dummyserver/asgi_proxy.py, src/urllib3/connectionpool.py,
      test/with_dummyserver/test_proxy_poolmanager.py.
    - CVE-2026-44431
  * SECURITY UPDATE: resource consumption via response decompression
    - debian/patches/CVE-2026-44432.patch: fix full decompression on the 2nd
      small read from response using Brotli in
      src/urllib3/response.py, test/test_response.py,
      test/with_dummyserver/test_connection.py.
    - CVE-2026-44432

 -- Marc Deslauriers <email address hidden> Fri, 22 May 2026 13:26:37 -0400

CVE-2026-44431 urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.conn
CVE-2026-44432 urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portio


