Version in base suite: 2.3.0-3+deb13u1 Base version: python-urllib3_2.3.0-3+deb13u1 Target version: python-urllib3_2.3.0-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-urllib3/python-urllib3_2.3.0-3+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-urllib3/python-urllib3_2.3.0-3+deb13u2.dsc .gitignore | 1 changelog | 6 ++ patches/CVE-2026-44431.patch | 124 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 4 files changed, 131 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7jdc8cvj/python-urllib3_2.3.0-3+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7jdc8cvj/python-urllib3_2.3.0-3+deb13u2.dsc: no acceptable signature found
diff -Nru python-urllib3-2.3.0/debian/.gitignore python-urllib3-2.3.0/debian/.gitignore
--- python-urllib3-2.3.0/debian/.gitignore 2026-01-03 20:27:45.000000000 +0000
+++ python-urllib3-2.3.0/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-/files
diff -Nru python-urllib3-2.3.0/debian/changelog python-urllib3-2.3.0/debian/changelog
--- python-urllib3-2.3.0/debian/changelog 2026-01-12 21:38:24.000000000 +0000
+++ python-urllib3-2.3.0/debian/changelog 2026-06-21 16:46:48.000000000 +0000
@@ -1,3 +1,9 @@
+python-urllib3 (2.3.0-3+deb13u2) trixie-security; urgency=medium + + * CVE-2026-44431 (Closes: #1136653) + + -- Moritz Mühlenhoff Sun, 21 Jun 2026 18:46:48 +0200 + python-urllib3 (2.3.0-3+deb13u1) trixie-security; urgency=high * Non-maintainer upload by the Security Team.
diff -Nru python-urllib3-2.3.0/debian/patches/CVE-2026-44431.patch python-urllib3-2.3.0/debian/patches/CVE-2026-44431.patch
--- python-urllib3-2.3.0/debian/patches/CVE-2026-44431.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-urllib3-2.3.0/debian/patches/CVE-2026-44431.patch 2026-06-21 16:46:45.000000000 +0000
@@ -0,0 +1,124 @@
+From 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Thu, 7 May 2026 18:40:31 +0300
+Subject: [PATCH] Merge commit from fork
+
+--- python-urllib3-2.3.0.orig/dummyserver/asgi_proxy.py
++++ python-urllib3-2.3.0/dummyserver/asgi_proxy.py
+@@ -56,6 +56,7 @@ class ProxyApp:
+ client_response = await client.request(
+ method=scope["method"],
+ url=scope["path"],
++ params=scope["query_string"].decode(),
+ headers=list(scope["headers"]),
+ content=await _read_body(receive),
+ )
+--- python-urllib3-2.3.0.orig/src/urllib3/connectionpool.py
++++ python-urllib3-2.3.0/src/urllib3/connectionpool.py
+@@ -896,6 +896,18 @@ class HTTPConnectionPool(ConnectionPool,
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
++ # Strip headers marked as unsafe to forward to the redirected location.
++ # Check remove_headers_on_redirect to avoid a potential network call within
++ # self.is_same_host() which may use socket.gethostbyname() in the future.
++ if retries.remove_headers_on_redirect and not self.is_same_host(
++ redirect_location
++ ):
++ new_headers = headers.copy() # type: ignore[union-attr]
++ for header in headers:
++ if header.lower() in retries.remove_headers_on_redirect:
++ new_headers.pop(header, None)
++ headers = new_headers
++
+ try:
+ retries = retries.increment(method, url, response=response, _pool=self)
+ except MaxRetryError:
+--- python-urllib3-2.3.0.orig/test/with_dummyserver/test_proxy_poolmanager.py
++++ python-urllib3-2.3.0/test/with_dummyserver/test_proxy_poolmanager.py
+@@ -37,6 +37,7 @@ from urllib3.exceptions import (
+ SSLError,
+ )
+ from urllib3.poolmanager import ProxyManager, proxy_from_url
++from urllib3.util.retry import RequestHistory
+ from urllib3.util.ssl_ import create_urllib3_context
+ from urllib3.util.timeout import Timeout
+
+@@ -300,6 +301,77 @@ class TestHTTPProxyManager(HypercornDumm
+ assert r._pool is not None
+ assert r._pool.host != self.http_host_alt
+
++ _sensitive_headers = {
++ "Authorization": "foo",
++ "Proxy-Authorization": "bar",
++ "Cookie": "foo=bar",
++ }
++
++ @pytest.mark.parametrize(
++ "sensitive_headers",
++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++ ids=("capitalized", "lowercase"),
++ )
++ def test_cross_host_redirect_remove_headers_via_proxy_manager(
++ self, sensitive_headers: dict[str, str]
++ ) -> None:
++ headers_url = f"{self.http_url_alt}/headers"
++ initial_url = f"{self.http_url}/redirect?target={headers_url}"
++ with proxy_from_url(self.proxy_url) as proxy_mgr:
++ r = proxy_mgr.request(
++ "GET", initial_url, headers=sensitive_headers, retries=1
++ )
++ assert r.status == 200
++ assert r.retries is not None
++ assert r.retries.history == (
++ RequestHistory(
++ method="GET",
++ url=initial_url,
++ error=None,
++ status=303,
++ redirect_location=headers_url,
++ ),
++ )
++ data = r.json()
++ for header in sensitive_headers:
++ assert header not in data
++
++ @pytest.mark.parametrize(
++ 
"sensitive_headers",
++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++ ids=("capitalized", "lowercase"),
++ )
++ def test_cross_host_redirect_remove_headers_via_pool(
++ self, sensitive_headers: dict[str, str]
++ ) -> None:
++ headers_url = f"{self.http_url_alt}/headers"
++ initial_url = f"{self.http_url}/redirect?target={headers_url}"
++ with proxy_from_url(self.proxy_url) as proxy_mgr:
++ pool = proxy_mgr.connection_from_url(self.http_url)
++ r = pool.urlopen(
++ "GET",
++ initial_url,
++ headers=sensitive_headers,
++ retries=1,
++ redirect=True,
++ assert_same_host=False,
++ preload_content=True,
++ )
++ assert r.status == 200
++ assert r.retries is not None
++ assert r.retries.history == (
++ RequestHistory(
++ method="GET",
++ url=initial_url,
++ error=None,
++ status=303,
++ redirect_location=headers_url,
++ ),
++ )
++ data = r.json()
++ for header in sensitive_headers:
++ assert header not in data
++
+ def test_cross_protocol_redirect(self) -> None:
+ with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
+ cross_protocol_location = f"{self.https_url}/echo?a=b"
diff -Nru python-urllib3-2.3.0/debian/patches/series python-urllib3-2.3.0/debian/patches/series
--- python-urllib3-2.3.0/debian/patches/series 2026-01-12 21:38:24.000000000 +0000
+++ python-urllib3-2.3.0/debian/patches/series 2026-06-21 16:46:24.000000000 +0000
@@ -5,3 +5,4 @@
 CVE-2025-50182.patch
 CVE-2025-66418.patch
 CVE-2026-21441.patch
+CVE-2026-44431.patch
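Review bot: Both new tests in test_proxy_poolmanager.py cover only the cross-host case, so nothing here guards against the strip added in connectionpool.py being over-broad: a same-origin redirect, or a relative Location such as `/headers`, should keep Authorization and Cookie, and a parametrized sibling test that redirects via `f"{self.http_url}/redirect?target={self.http_url}/headers"` and asserts the sensitive headers are still present in the `/headers` response would pin that behaviour down. If I read it correctly, `self.is_same_host(redirect_location)` compares against the pool's own scheme/host/port, and for a plain-HTTP pool obtained through a proxy that is the proxy's address, so even a same-origin redirect may be treated as cross-host there — whichever outcome is intended, it decides whether credentials survive a redirect through a proxy and deserves an explicit test. The collapsed indentation also hides whether the new `if retries.remove_headers_on_redirect and not self.is_same_host(` block sits inside or after the branch whose context lines (`body = None`, `_prepare_for_method_change()`) look like the 303 method-change path; a clause in the existing comment such as `# Applies to every redirect, not only the 303 method change above.` would make the intended scope obvious to the next reader. The enclosing `HTTPConnectionPool.urlopen` starts and ends outside the hunk.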