urllib3 v1.18.1 Release Notes
Release Date: 2016-10-27 // over 7 years ago-
- CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
PyOpenSSL injection and OpenSSL 1.1.0 must upgrade to this version. This
release fixes a vulnerability whereby urllib3 in the above configuration
would silently fail to validate TLS certificates due to erroneously setting
invalid flags in OpenSSL's
SSL_CTX_set_verifyfunction. These erroneous flags do not cause a problem in OpenSSL versions before 1.1.0, which interprets the presence of any flag as requesting certificate validation.
There is no PR for this patch, as it was prepared for simultaneous disclosure and release. The master branch received the same fix in Pull #1010.
- CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
PyOpenSSL injection and OpenSSL 1.1.0 must upgrade to this version. This
release fixes a vulnerability whereby urllib3 in the above configuration
would silently fail to validate TLS certificates due to erroneously setting
invalid flags in OpenSSL's