UbuntuUpdates.org

Package "python3-urllib3"

Name: python3-urllib3

Description:

HTTP library with thread-safe connection pooling for Python3

Latest version: 1.26.5-1~exp1ubuntu0.6
Release: jammy (22.04)
Level: updates
Repository: main
Head package: python-urllib3
Homepage: https://urllib3.readthedocs.org


Other versions of "python3-urllib3" in Jammy

Repository Area Version
base main 1.26.5-1~exp1
security main 1.26.5-1~exp1ubuntu0.6

Changelog

Version: 1.26.5-1~exp1ubuntu0.6 2026-01-19 19:15:35 UTC

  python-urllib3 (1.26.5-1~exp1ubuntu0.6) jammy-security; urgency=medium

  * SECURITY REGRESSION: Missing _has_decoded_content from CVE-2026-21441
    (LP: #2138420)
    - debian/patches/CVE-2026-21441-fix1.patch: Implement _has_decoded_content
      and decoded checks in src/urllib3/response.py. Add tests in
      test/test_response.py.

 -- Hlib Korzhynskyy <email address hidden> Fri, 16 Jan 2026 19:39:26 -0330

LP: #2138420 - backport of CVE-2026-21441 results in broken package
CVE-2026-21441 urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the c

Version: 1.26.5-1~exp1ubuntu0.5 2026-01-12 21:08:31 UTC

  python-urllib3 (1.26.5-1~exp1ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Decompression bomb in HTTP redirect responses.
    - debian/patches/CVE-2026-21441.patch: Add decode_content to self.read()
      in src/urllib3/response.py. Add tests in
      test/with_dummyserver/test_connectionpool.py.
    - CVE-2026-21441

 -- Hlib Korzhynskyy <email address hidden> Thu, 08 Jan 2026 16:06:10 -0330

CVE-2026-21441 urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the c

Version: 1.26.5-1~exp1ubuntu0.4 2025-12-12 01:08:24 UTC

  python-urllib3 (1.26.5-1~exp1ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
      checks in src/urllib3/response.py. Add test in test/test_response.py.
    - CVE-2025-66418

 -- Hlib Korzhynskyy <email address hidden> Wed, 10 Dec 2025 17:29:42 -0330

CVE-2025-66418 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chai

Version: 1.26.5-1~exp1ubuntu0.3 2025-06-26 00:07:01 UTC

  python-urllib3 (1.26.5-1~exp1ubuntu0.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Information disclosure through improperly disabled
    redirects.
    - debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries
      to Retry.from_int(retries, redirect=False) as well as set
      raise_on_redirect in ./src/urllib3/poolmanager.py.
    - CVE-2025-50181

 -- Hlib Korzhynskyy <email address hidden> Mon, 23 Jun 2025 17:07:25 -0230

CVE-2025-50181 urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a Po

Version: 1.26.5-1~exp1ubuntu0.2 2024-10-29 18:07:01 UTC

  python-urllib3 (1.26.5-1~exp1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped
    when redirecting to a different host.
    - debian/patches/CVE-2024-37891.patch: Add "Proxy-Authorization" to
      DEFAULT_REMOVE_HEADERS_ON_REDIRECT in src/urllib3/util/retry.py. Add
      header to tests.
    - CVE-2024-37891

 -- Hlib Korzhynskyy <email address hidden> Thu, 17 Oct 2024 10:19:08 -0230

CVE-2024-37891 urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header i


