Debian Patches

Status for python-urllib3/1.26.12-1+deb12u3

Patch Description Author Forwarded Bugs Origin Last update
01_do-not-use-embedded-python-six.patch Do not use embedded copy of python-six. Daniele Tricoli <eriol@mornie.org> not-needed 2015-10-08
02_require-cert-verification.patch require SSL certificate validation by default by using CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt
Jamie Strandboge <jamie@canonical.com> no debian 2014-09-01
CVE-2023-43804.patch Backport GHSA-v845-jxx5-vc9f Seth Michael Larson <sethmichaellarson@gmail.com> yes debian upstream https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb 2023-10-02
CVE-2023-45803.patch Merge pull request from GHSA-g4mx-q9vg-27p4 Illia Volochii <illia.volochii@gmail.com> yes debian upstream https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 2023-10-17
Prevent-issue-in-HTTPResponse-.read-when-decoded_con.patch Prevent issue in HTTPResponse().read() when decoded_content is True and then False
Provided it has initialized eligible decoder(decompressor) and did decode once

[Salvatore Bonaccorso: Backport for code before c35033f6cc54 ("Standardize
HTTPResponse.read(X) behavior regardless of compression").]
Ousret <ahmed.tahri@cloudnursery.dev> no https://github.com/urllib3/urllib3/commit/cefd1dbba6a20ea4f017e6e472f9ada3a8a743e0 2022-11-17
CVE-2026-21441.patch Merge commit from fork
* Stop decoding response content during redirects needlessly

* Rename the new query parameter

* Add a changelog entry
Illia Volochii <illia.volochii@gmail.com> no debian https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b 2026-01-07
CVE-2024-37891.patch Merge pull request from GHSA-34jh-p97f-mpxf
Strip Proxy-Authorization header on redirects
Quentin Pradet <quentin.pradet@gmail.com> no debian https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 2024-06-17
CVE-2025-50181.patch Merge commit from fork
* Apply Quentin's suggestion

* Add tests for disabled redirects in the pool manager

* Add a possible fix for the issue with not raised `MaxRetryError`

* Make urllib3 handle redirects instead of JS when JSPI is used

* Fix info in the new comment

* State that redirects with XHR are not controlled by urllib3

* Remove excessive params from new test requests

* Add tests reaching max non-0 redirects

* Test redirects with Emscripten

* Fix `test_merge_pool_kwargs`

* Add a changelog entry

* Parametrize tests

* Drop a fix for Emscripten

* Apply Seth's suggestion to docs

* Use a minor release instead of the patch one
Illia Volochii <illia.volochii@gmail.com> no debian https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 2025-06-18
CVE-2025-66418.patch Merge commit from fork
* Add a hard-coded limit for the decompression chain

* Reuse new list
Illia Volochii <illia.volochii@gmail.com> no debian https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 2025-12-05
fix-missed-coverage-when-calling-read-having-amt-Non.patch fix missed coverage when calling read() having amt=None Ousret <ahmed.tahri@cloudnursery.dev> no https://github.com/urllib3/urllib3/commit/4acccf76c2892e80aebb5840f7de1460a4c64a61 2022-11-17
apply-suggestion-from-pquentin.patch apply suggestion from @pquentin + had to change expectations as the initial payload changed

[Salvatore Bonaccorso: Backport for code before c35033f6cc54 ("Standardize
HTTPResponse.read(X) behavior regardless of compression").]
Ousret <ahmed.tahri@cloudnursery.dev> no https://github.com/urllib3/urllib3/commit/698df9ef7e88354e8ec9392471189a168fb31521 2022-11-20
