UbuntuUpdates.org

Package "python-urllib3"

Name: python-urllib3

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • HTTP library with thread-safe connection pooling for Python3
Latest version: 2.3.0-2ubuntu0.5
Release: plucky (25.04)
Level: security
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "python-urllib3" in Plucky

Repository Area Version
base main 2.3.0-2
updates main 2.3.0-2ubuntu0.5

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.3.0-2ubuntu0.5 2026-01-13 18:07:50 UTC

  python-urllib3 (2.3.0-2ubuntu0.5) plucky-security; urgency=medium

  * SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix.
    (LP: #2136906)
    - debian/patches/CVE-2025-66471-fix2.patch: Fall back if "needs_input" is
      not a zstd object attribute in src/urllib3/response.py.

 -- Hlib Korzhynskyy <email address hidden> Tue, 13 Jan 2026 09:33:06 -0330
Source diff to previous version
2136906 python3-urllib3 in 24.04 is now incompatible with shipped python3-zstandard
CVE-2025-66471 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly co

Version: 2.3.0-2ubuntu0.4 2026-01-13 10:07:48 UTC

  python-urllib3 (2.3.0-2ubuntu0.4) plucky-security; urgency=medium

  * SECURITY REGRESSION: Zstd issues after CVE-2025-66471 fix. (LP: #2136906)
    - debian/patches/CVE-2025-66471-fix1.patch: Revert zstd fix due to not
      being compatible with zstandard.

 -- Hlib Korzhynskyy <email address hidden> Mon, 12 Jan 2026 17:21:47 -0330
Source diff to previous version
2136906 python3-urllib3 in 24.04 is now incompatible with shipped python3-zstandard
CVE-2025-66471 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly co

Version: 2.3.0-2ubuntu0.3 2026-01-12 18:08:53 UTC

  python-urllib3 (2.3.0-2ubuntu0.3) plucky-security; urgency=medium

  * SECURITY UPDATE: Decompression bomb in HTTP redirect responses.
    - debian/patches/CVE-2026-21441.patch: Add decode_content to self.read()
      in src/urllib3/response.py. Add tests in
      test/with_dummyserver/test_connectionpool.py and dummyserver/app.py.
    - CVE-2026-21441

 -- Hlib Korzhynskyy <email address hidden> Thu, 08 Jan 2026 14:53:20 -0330
Source diff to previous version
CVE-2026-21441 urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the c

Version: 2.3.0-2ubuntu0.2 2025-12-11 21:08:23 UTC

  python-urllib3 (2.3.0-2ubuntu0.2) plucky-security; urgency=medium

  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
      checks in src/urllib3/response.py. Add test in test/test_response.py.
    - CVE-2025-66418
  * SECURITY UPDATE: Denial of service due to decompression bomb.
    - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
      src/urllib3/response.py. Add tests in test/test_response.py.
    - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
      due to intrusive backport for brotli fixes and upstream version warning
      not being appropriate for distro backporting.
    - CVE-2025-66471

 -- Hlib Korzhynskyy <email address hidden> Wed, 10 Dec 2025 15:28:14 -0330
Source diff to previous version
CVE-2025-66418 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chai
CVE-2025-66471 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly co

Version: 2.3.0-2ubuntu0.1 2025-06-25 23:07:18 UTC

  python-urllib3 (2.3.0-2ubuntu0.1) plucky-security; urgency=medium

  * SECURITY UPDATE: Information disclosure through improperly disabled
    redirects.
    - debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries
      to Retry.from_int(retries, redirect=False) as well as set
      raise_on_redirect in ./src/urllib3/poolmanager.py.
    - debian/patches/CVE-2025-50182.patch: Set fetch_data["redirect"] to manual
      when in node.js and add _is_node_js() function in
      ./src/urllib3/contrib/emscripten/fetch.py.
    - CVE-2025-50181
    - CVE-2025-50182

 -- Hlib Korzhynskyy <email address hidden> Mon, 23 Jun 2025 14:59:50 -0230
CVE-2025-50181 urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a Po
CVE-2025-50182 urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 suppor


About   -   Send Feedback to @ubuntu_updates