Version in base suite: 1.26.12-1+deb12u3

Base version: python-urllib3_1.26.12-1+deb12u3
Target version: python-urllib3_1.26.12-1+deb12u4
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-urllib3/python-urllib3_1.26.12-1+deb12u3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-urllib3/python-urllib3_1.26.12-1+deb12u4.dsc

 changelog                    |    8 ++
 patches/CVE-2026-44431.patch |  127 +++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 136 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpz2j3wxyn/python-urllib3_1.26.12-1+deb12u3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpz2j3wxyn/python-urllib3_1.26.12-1+deb12u4.dsc: no acceptable signature found
diff -Nru python-urllib3-1.26.12/debian/changelog python-urllib3-1.26.12/debian/changelog
--- python-urllib3-1.26.12/debian/changelog	2026-01-20 21:34:53.000000000 +0000
+++ python-urllib3-1.26.12/debian/changelog	2026-06-26 05:01:27.000000000 +0000
@@ -1,3 +1,11 @@
+python-urllib3 (1.26.12-1+deb12u4) bookworm-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2026-44431: Sensitive headers forwarded across origins in proxied
+    low-level redirects. (Closes: #1136653)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Fri, 26 Jun 2026 07:01:27 +0200
+
 python-urllib3 (1.26.12-1+deb12u3) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru python-urllib3-1.26.12/debian/patches/CVE-2026-44431.patch python-urllib3-1.26.12/debian/patches/CVE-2026-44431.patch
--- python-urllib3-1.26.12/debian/patches/CVE-2026-44431.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-urllib3-1.26.12/debian/patches/CVE-2026-44431.patch	2026-06-26 05:01:27.000000000 +0000
@@ -0,0 +1,127 @@
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Thu, 7 May 2026 18:40:31 +0300
+Subject: Remove sensitive headers in proxy pools too
+
+Co-authored-by: Copilot <copilot@github.com>
+Origin: https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc
+Bug: https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
+Bug-Debian: https://bugs.debian.org/1136653
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-44431
+---
+ src/urllib3/connectionpool.py                   | 12 +++++
+ test/with_dummyserver/test_proxy_poolmanager.py | 72 +++++++++++++++++++++++++
+ 2 files changed, 84 insertions(+)
+
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 06aa8b8..1873312 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -840,6 +840,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+                 body = None
+                 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
++            # Strip headers marked as unsafe to forward to the redirected location.
++            # Check remove_headers_on_redirect to avoid a potential network call within
++            # self.is_same_host() which may use socket.gethostbyname() in the future.
++            if retries.remove_headers_on_redirect and not self.is_same_host(
++                redirect_location
++            ):
++                new_headers = headers.copy()  # type: ignore[union-attr]
++                for header in headers:
++                    if header.lower() in retries.remove_headers_on_redirect:
++                        new_headers.pop(header, None)
++                headers = new_headers
++
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+             except MaxRetryError:
+diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
+index 7b292a2..0af6fed 100644
+--- a/test/with_dummyserver/test_proxy_poolmanager.py
++++ b/test/with_dummyserver/test_proxy_poolmanager.py
+@@ -34,6 +34,7 @@ from urllib3.exceptions import (
+     SubjectAltNameWarning,
+ )
+ from urllib3.poolmanager import ProxyManager, proxy_from_url
++from urllib3.util.retry import RequestHistory
+ from urllib3.util import Timeout
+ from urllib3.util.ssl_ import create_urllib3_context
+ 
+@@ -277,6 +278,77 @@ class TestHTTPProxyManager(HTTPDummyProxyTestCase):
+             )
+             assert r._pool.host != self.http_host_alt
+ 
++    _sensitive_headers = {
++        "Authorization": "foo",
++        "Proxy-Authorization": "bar",
++        "Cookie": "foo=bar",
++    }
++
++    @pytest.mark.parametrize(
++        "sensitive_headers",
++        (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++        ids=("capitalized", "lowercase"),
++    )
++    def test_cross_host_redirect_remove_headers_via_proxy_manager(
++        self, sensitive_headers: dict[str, str]
++    ) -> None:
++        headers_url = f"{self.http_url_alt}/headers"
++        initial_url = f"{self.http_url}/redirect?target={headers_url}"
++        with proxy_from_url(self.proxy_url) as proxy_mgr:
++            r = proxy_mgr.request(
++                "GET", initial_url, headers=sensitive_headers, retries=1
++            )
++            assert r.status == 200
++            assert r.retries is not None
++            assert r.retries.history == (
++                RequestHistory(
++                    method="GET",
++                    url=initial_url,
++                    error=None,
++                    status=303,
++                    redirect_location=headers_url,
++                ),
++            )
++            data = json.loads(r.data.decode("utf-8"))
++            for header in sensitive_headers:
++                assert header not in data
++
++    @pytest.mark.parametrize(
++        "sensitive_headers",
++        (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++        ids=("capitalized", "lowercase"),
++    )
++    def test_cross_host_redirect_remove_headers_via_pool(
++        self, sensitive_headers: dict[str, str]
++    ) -> None:
++        headers_url = f"{self.http_url_alt}/headers"
++        initial_url = f"{self.http_url}/redirect?target={headers_url}"
++        with proxy_from_url(self.proxy_url) as proxy_mgr:
++            pool = proxy_mgr.connection_from_url(self.http_url)
++            r = pool.urlopen(
++                "GET",
++                initial_url,
++                headers=sensitive_headers,
++                retries=1,
++                redirect=True,
++                assert_same_host=False,
++                preload_content=True,
++            )
++            assert r.status == 200
++            assert r.retries is not None
++            assert r.retries.history == (
++                RequestHistory(
++                    method="GET",
++                    url=initial_url,
++                    error=None,
++                    status=303,
++                    redirect_location=headers_url,
++                ),
++            )
++            data = json.loads(r.data.decode("utf-8"))
++            for header in sensitive_headers:
++                assert header not in data
++
+     def test_cross_protocol_redirect(self):
+         with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
+             cross_protocol_location = "%s/echo?a=b" % self.https_url
diff -Nru python-urllib3-1.26.12/debian/patches/series python-urllib3-1.26.12/debian/patches/series
--- python-urllib3-1.26.12/debian/patches/series	2026-01-20 21:27:46.000000000 +0000
+++ python-urllib3-1.26.12/debian/patches/series	2026-06-26 05:01:27.000000000 +0000
@@ -9,3 +9,4 @@
 Prevent-issue-in-HTTPResponse-.read-when-decoded_con.patch
 fix-missed-coverage-when-calling-read-having-amt-Non.patch
 apply-suggestion-from-pquentin.patch
+CVE-2026-44431.patch