Requests currently lists urllib3 1.24.1 as an acceptable dependency. Understanding that urllib3 1.25 support is in the pipeline, CVE-2019-11324 (Published just 4 days ago as of this submission) already has remediation in the incremental urllib3 version 1.24.2. This incremental change is likely to require minimal refactoring to support and would provide immediate remediation to a vulnerability listed as CVSS 7.5 (High).
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
An incremental version update to urllib3 1.24.2 should be regression tested and implemented, rather than waiting for 1.25.0 support. This 1.24.2 fix has minimal code changes and should be expected to work with minimal labor.
There is (of course) a non-zero chance that a regression could occur by forcing urllib3 >= 1.24.2, but the ease of implementation vs the potential impact of not supporting this change feels like a clear choice for editing these two sections (listed below).
"urllib3": {
    "hashes": [
        "sha256:06330f386d6e4b195fbfc736b297f58c5a892e4440e54d294d7004e3a9bbea1b",
        "sha256:cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f"
    ],
    "version": "==1.22"
}

requires = [
    'chardet>=3.0.2,<3.1.0',
    'idna>=2.5,<2.9',
    'urllib3>=1.21.1,<1.25',
    'certifi>=2017.4.17'
]
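The two fragments above are the point of the request: a lock-file pin ("==1.22") and a setup.py range (">=1.21.1,<1.25") that both still admit urllib3 releases older than the 1.24.2 fix. The following is an added example (not code from Requests, urllib3 or the issue author) of how to audit such specifiers against a fixed version and raise their floor, with the edge case of an upper bound that would exclude the fix handled explicitly. The release list is a constructed sample, and the parser only supports plain numeric versions and the six PEP 440 comparison operators; anything fancier (wildcards, pre-releases, `~=`) is rejected rather than guessed at.

```python
"""Audit a requirement specifier against the version that fixes a CVE.

Added example; not code from Requests or urllib3. SAMPLE_RELEASES is a
constructed list for illustration, not a query of PyPI.
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]
Clause = Tuple[str, str, Version]  # operator, bound as written, bound parsed

# Constructed sample of urllib3 release strings (illustrative input only).
SAMPLE_RELEASES = ["1.22", "1.23", "1.24", "1.24.1", "1.24.2", "1.24.3", "1.25", "1.25.2"]

_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "==": lambda v, w: v == w,
    "!=": lambda v, w: v != w,
    ">=": lambda v, w: v >= w,
    "<=": lambda v, w: v <= w,
    ">": lambda v, w: v > w,
    "<": lambda v, w: v < w,
}


def parse_version(text: str) -> Version:
    """Pad '1.24' to (1, 24, 0) so '1.24' equals '1.24.0' and tuple ordering is correct."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def parse_requirement(req: str) -> Tuple[str, List[Clause]]:
    """Split 'urllib3>=1.21.1,<1.25' into its name and operator/bound clauses."""
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$", req)
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2)
    clauses: List[Clause] = []
    for raw in (c.strip() for c in spec.split(",")):
        if not raw:
            continue
        cm = _CLAUSE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause {raw!r} in {req!r}")
        clauses.append((cm.group(1), cm.group(2), parse_version(cm.group(2))))
    return name, clauses


def allows(clauses: List[Clause], version: Version) -> bool:
    """True when every clause admits the version (no clauses admits everything)."""
    return all(_OPS[op](version, bound) for op, _, bound in clauses)


def vulnerable_allowed(req: str, fixed_in: str, releases: List[str]) -> List[str]:
    """Releases the requirement still admits that predate the fixed version."""
    _, clauses = parse_requirement(req)
    fix = parse_version(fixed_in)
    return [r for r in releases
            if allows(clauses, parse_version(r)) and parse_version(r) < fix]


def tighten(req: str, fixed_in: str) -> str:
    """Return the requirement with its floor raised to the fixed version.

    An exact pin below the fix becomes a pin on the fixed version; a range has
    any lower bound below the fix replaced. If an existing upper bound already
    excludes the fixed version, raising the floor would leave nothing
    installable, so refuse rather than emit an unsatisfiable specifier.
    """
    name, clauses = parse_requirement(req)
    fix = parse_version(fixed_in)
    kept: List[Clause] = []
    for op, text, bound in clauses:
        if op == "==" and bound < fix:
            kept.append(("==", fixed_in, fix))
        elif op in (">=", ">") and bound < fix:
            continue  # superseded by the new floor inserted below
        else:
            kept.append((op, text, bound))
    for op, text, bound in kept:
        if (op == "<" and bound <= fix) or (op == "<=" and bound < fix):
            raise ValueError(f"{req!r}: upper bound {op}{text} excludes fixed version {fixed_in}")
    has_pin = any(op == "==" for op, _, _ in kept)
    has_floor = any(op in (">=", ">") for op, _, _ in kept)  # any survivor is already >= fix
    if not has_pin and not has_floor:
        kept.insert(0, (">=", fixed_in, fix))
    return name + ",".join(op + text for op, text, _ in kept)


if __name__ == "__main__":
    for req in ("urllib3>=1.21.1,<1.25", "urllib3==1.22"):
        print(req, "admits", vulnerable_allowed(req, "1.24.2", SAMPLE_RELEASES),
              "->", tighten(req, "1.24.2"))
```

Run against the two specifiers from the issue, the audit reports that the setup.py range still admits 1.22 through 1.24.1 and the lock-file pin admits only 1.22, and rewrites them to ">=1.24.2,<1.25" and "==1.24.2" respectively. The refusal on a too-low upper bound is what keeps a bulk rewrite of many requirement files from silently producing pins that no release satisfies.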
Hi Brandon, thanks for the ticket. We're aware of the change and working to get Requests tested and upgraded. I'll leave this open for now in case anyone else comes along with a similar inquiry.
Excellent, glad to hear 1.25 support is so close! Keep up the good work.
May I ask, how close is requests to supporting 1.25? Imminently, days, or weeks?
(Asking only so we can get an idea of the timeframe involved.)
Edit: Specifically 1.25
@MartinFalatic, I can't commit to a timeline yet but I would say end of week is a reasonable high level estimate. I'll get things out sooner if resources allow.
Sounds good - thank you for the info!
Just FYI, I've had the patch up with testing infra fixes and the 1.22 release on the urllib3 1.25 branch for a few days but we're blocked on urllib3/urllib3#1583 and urllib3/urllib3#1586. Once 1.25.2 is released, we'll update the pin to only support 1.25.2+ and should be ready for a release.
And just to clarify impact, the way Requests uses urllib3 means it shouldn't be vulnerable* to this issue out of the box.
*We can't speak to the security of any hooks or modifications people have made on top of Requests.
FYI, a resolution has also been merged into the 1.24 series and released as 1.24.3:
https://github.com/urllib3/urllib3/pull/1593
https://github.com/urllib3/urllib3/releases/tag/1.24.3
@nateprewitt it looks like both of those PRs have been merged. Any ETA on a new version?
EDIT:
And just to clarify impact, the way Requests uses urllib3 means it shouldn't be vulnerable* to this issue out of the box.
Also, some clarity here would be nice. What about the use of urllib prevents this from impacting requests?
Resolved with #5092.