VDB
PYSEC-2019-133
PUBLISHED
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates differs from the OS store of CA certificates, so that SSL connections succeed in situations where a verification failure is the correct outcome. This is related to the use of the ssl_context, ca_certs, or ca_certs_dir arguments.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | urllib3 | 0, 0.3, 0.4.0 |
Timeline
- Apr 18, 2019 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4 url
- http://www.openwall.com/lists/oss-security/2019/04/19/1 url
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html url
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/ url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/ url
- https://github.com/advisories/GHSA-mh33-7rrq-662w advisory
- https://usn.ubuntu.com/3990-1/ advisory
- https://access.redhat.com/errata/RHSA-2019:3335 advisory
- https://access.redhat.com/errata/RHSA-2019:3590 advisory