UbuntuUpdates.org

Package "python3-urllib3"

Name: python3-urllib3

Description:

HTTP library with thread-safe connection pooling for Python3
Latest version: 2.3.0-3ubuntu0.1
Release: questing (25.10)
Level: updates
Repository: main
Head package: python-urllib3
Homepage: https://urllib3.readthedocs.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python3-urllib3"

All arch deb package
APT INSTALL

Other versions of "python3-urllib3" in Questing

Repository Area Version
base main 2.3.0-3
security main 2.3.0-3ubuntu0.1

Changelog

Version: 2.3.0-3ubuntu0.1 2025-12-12 01:08:32 UTC

  python-urllib3 (2.3.0-3ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of service due to unbounded decompression chain.
    - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
      checks in src/urllib3/response.py. Add test in test/test_response.py.
    - CVE-2025-66418
  * SECURITY UPDATE: Denial of service due to decompression bomb.
    - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
      src/urllib3/response.py. Add tests in test/test_response.py.
    - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
      due to intrusive backport for brotli fixes and upstream version warning
      not being appropriate for distro backporting.
    - CVE-2025-66471

 -- Hlib Korzhynskyy <email address hidden> Wed, 10 Dec 2025 12:29:16 -0330
CVE-2025-66418 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chai
CVE-2025-66471 urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly co


About   -   Send Feedback to @ubuntu_updates