Niraj-Kamdar/question-paper-generator

update urllib3 to >=1.24.2 in requirements.txt

Niraj-Kamdar opened this issue · 0 comments

Bug:

product: urllib3
cve: CVE-2019-11324
severity: high
Vulnerable versions: < 1.24.2
Patched version: 1.24.2
description: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is a correct outcome. This is related to the use of the ssl_context, ca_certs, or ca_certs_dir argument.

Fix:

Update urllib3 to version 1.24.2 or higher in requirements.txt and make sure it won't cause problems with other dependencies.
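One way to check the fix stays in place is a small script, run in CI, that flags any urllib3 line in requirements.txt that still admits a release below 1.24.2. This is an added example, not code from this repository. The function names, the simplified specifier parsing and the sample file contents are assumptions made for illustration.

```python
import re

PATCHED = (1, 24, 2)  # patched version stated in the issue for CVE-2019-11324

# Package name, optional [extras], then version clauses up to a marker or comment.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
CLAUSE_RE = re.compile(r"(~=|==|>=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.*+!-]*)")


def version_tuple(text):
    """Leading numeric release part only: '1.24.*' -> (1, 24), '1.25rc1' -> (1, 25)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split("."))


def permits_vulnerable(line):
    """True if `line` is a urllib3 requirement that still admits a release < 1.24.2."""
    m = REQ_RE.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "urllib3":
        return False
    for op, ver in CLAUSE_RE.findall(m.group(2)):
        # Only these operators set a lower bound; <, <= and != never exclude
        # old releases. '>' is treated like '>=' (conservative: '>1.24.1' is flagged).
        if op in ("==", ">=", ">", "~=") and version_tuple(ver) >= PATCHED:
            return False
    # No sufficient lower bound. An unpinned 'urllib3' line is flagged too,
    # because nothing in the file prevents an old release from being installed.
    return True


def audit(requirements_text):
    """Return (line_number, line) for every urllib3 line that needs a tighter pin."""
    return [(n, line.strip())
            for n, line in enumerate(requirements_text.splitlines(), 1)
            if permits_vulnerable(line)]


# Constructed sample, not the project's actual requirements.txt.
SAMPLE = """\
Flask==1.0.2
requests==2.21.0
urllib3==1.24.1
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"requirements.txt:{lineno}: '{text}' allows urllib3 < 1.24.2")
```

After raising the pin, `pip check` in the project's environment reports whether any installed package declares a urllib3 range that the new version does not satisfy.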