Security update for python-urllib3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2012-1 Final 1 1 2021-07-10T06:15:28Z current 2021-07-10T06:15:28Z 2021-07-10T06:15:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-urllib3 This update for python-urllib3 fixes the following issues: - CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2012 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/ E-Mail link for openSUSE-SU-2021:2012-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1187045 SUSE Bug 1187045 https://www.suse.com/security/cve/CVE-2021-33503/ SUSE CVE CVE-2021-33503 page openSUSE Leap 15.3 python3-urllib3-1.25.10-4.3.1 python3-urllib3-1.25.10-4.3.1 as a component of openSUSE Leap 15.3 An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. CVE-2021-33503 openSUSE Leap 15.3:python3-urllib3-1.25.10-4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NYARUF6IH56FOIKBV7PTO7AXODL5GKNT/ https://www.suse.com/security/cve/CVE-2021-33503.html CVE-2021-33503 https://bugzilla.suse.com/1187045 SUSE Bug 1187045