| Package | python-urllib3 |
|---|---|
| Version | 1.19.1-1+deb9u5 (stretch), 1.24.1-1+deb10u6 (buster) |
| Related CVEs | CVE-2026-44431 |

It was discovered that python-urllib3 did not strip out sensitive
headers (such as Authorization or Cookie) during cross-origin
redirects followed from the low-level API. The issue may lead to
information disclosure or authorization bypass.

The issue stems from an incomplete fix for CVE-2018-20060.
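
The following added example (not code from urllib3 or from this advisory) sketches the check a client has to make before following a redirect: resolve the `Location` value, compare origins, and drop the sensitive headers when the origin changes. It assumes an origin is the scheme, host and port triple; the function names, hosts and token values are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers the advisory names as sensitive; extend the set for your application.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, location, headers):
    """Headers safe to send when following a redirect to `location`.

    `location` may be relative, so it is resolved against `request_url`
    first. Returns (target_url, headers_to_send).
    """
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    # Cross-origin: drop sensitive headers, matching names case-insensitively.
    kept = {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


if __name__ == "__main__":
    # Constructed sample request; hosts and credentials are placeholders.
    sent = {"Authorization": "Bearer EXAMPLE", "cookie": "sid=EXAMPLE",
            "Accept": "*/*"}
    start = "https://api.example.test/start"
    for loc in ("/next",
                "https://api.example.test:443/next",
                "https://other.example.test/x",
                "http://api.example.test/next"):
        print(loc, "->", headers_for_redirect(start, loc, sent))
```

A regression test for an application that follows redirects itself can assert the same property: after a redirect to a different origin, the outgoing request carries neither header.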

For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u6.

For Debian 9 stretch, these problems have been fixed in version 1.19.1-1+deb9u5.

We recommend that you upgrade your python-urllib3 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.