CVE-2019-11324

Name: CVE-2019-11324
Description: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2686-1, DLA-3610-1
Debian Bugs: 927412

Vulnerable and fixed packages

The table below lists information on source packages.

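| Source Package | Release | Version | Status |
| python-urllib3 (PTS) | jessie, jessie (lts) | 1.9.1-3+deb8u2 | fixed |
| python-urllib3 | stretch (security) | 1.19.1-1+deb9u1 | fixed |
| python-urllib3 | stretch (lts), stretch | 1.19.1-1+deb9u2 | fixed |
| python-urllib3 | buster | 1.24.1-1 | vulnerable |
| python-urllib3 | buster (security) | 1.24.1-1+deb10u2 | fixed |
| python-urllib3 | bullseye | 1.26.5-1~exp1 | fixed |
| python-urllib3 | bookworm | 1.26.12-1 | fixed |
| python-urllib3 | sid, trixie | 1.26.18-2 | fixed |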

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| python-urllib3 | source | wheezy | (not affected) | | | |
| python-urllib3 | source | jessie | (not affected) | | | |
| python-urllib3 | source | stretch | 1.19.1-1+deb9u1 | | DLA-2686-1 | |
| python-urllib3 | source | buster | 1.24.1-1+deb10u1 | | DLA-3610-1 | |
| python-urllib3 | source | (unstable) | 1.25.6-4 | | | 927412 |

Notes

[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
https://www.openwall.com/lists/oss-security/2019/04/17/3
[wheezy] - python-urllib3 <not-affected> (Vulnerable code introduced later)
