ALAS-2019-1224

Amazon Linux 1 (EOL) Security Advisory: ALAS-2019-1224
Advisory Released Date: 2019-06-11
Advisory Updated Date: 2019-06-13

Severity: Low

References: CVE-2018-20060
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

Affected Packages:

python-urllib3

Issue Correction:
Run yum update python-urllib3 to update your system.

New Packages:

noarch:
    python27-urllib3-1.24.1-1.6.amzn1.noarch
    python26-urllib3-1.24.1-1.6.amzn1.noarch

src:
    python-urllib3-1.24.1-1.6.amzn1.src

Additional References

Red Hat: CVE-2018-20060

Mitre: CVE-2018-20060