| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 02_require-cert-verification.patch | require SSL certificate validation by default by using CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt |
Jamie Strandboge <jamie@canonical.com> | no | debian | 2014-09-01 | |
| 01_do-not-use-embedded-python-six.patch | Do not use embedded copy of python-six. | Daniele Tricoli <eriol@mornie.org> | not-needed | 2015-10-08 | ||
| 05_avoid-embedded-ssl-match-hostname.patch | Do not use embedded copy of ssl.match_hostname, when possible The system python has the necessary features backported, since 2.7.8-7 (and 221a1f9155e2, releasing in 2.7.9, upstream). However, alternative python implementations don't, yet, and urllib3 is used by pip in virtualenvs. |
Stefano Rivera <stefanor@debian.org> | not-needed | 2014-11-18 | ||
| CVE-2023-43804.patch | Backport GHSA-v845-jxx5-vc9f | Seth Michael Larson <sethmichaellarson@gmail.com> | yes | debian upstream | https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb | 2023-10-02 |
| CVE-2023-45803.patch | Merge pull request from GHSA-g4mx-q9vg-27p4 | Illia Volochii <illia.volochii@gmail.com> | yes | debian upstream | https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 | 2023-10-17 |
| CVE-2024-37891.patch | Merge pull request from GHSA-34jh-p97f-mpxf Strip Proxy-Authorization header on redirects |
Quentin Pradet <quentin.pradet@gmail.com> | no | debian | https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 | 2024-06-17 |