Description
It was discovered that urllib3 incorrectly removed Authorization HTTP
headers when handled cross-origin redirects. This could result in
credentials being sent to unintended hosts (CVE-2018-20060).
It was discovered that urllib3 incorrectly stripped certain characters
from requests. A remote attacker could use this issue to perform CRLF
injection (CVE-2019-11236).
It was discovered that urllib3 incorrectly handled situations where a
desired set of CA certificates were specified. This could result in
certificates being accepted by the default CA certificates contrary to
expectatons (CVE-2019-11324).
The python-urllib3 package has been updated to version 1.24.3 to fix these
issues and other bugs. The python-requests package has been fixed to work
with the updated python-urllib3