Impact
Users who are using an HTTPS proxy to issue HTTPS requests and haven't configured their own SSLContext via proxy_config. Only the default SSLContext is impacted.
Patches
urllib3 >=1.26.4 has the issue resolved. urllib3 <1.26 is not impacted due to not supporting HTTPS requests via HTTPS proxies.
Workarounds
Upgrading is recommended as this is a minor release and not likely to break current usage.
Configuring an SSLContext with check_hostname=True and passing via proxy_config instead of relying on the default SSLContext
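The workaround above, as an added sketch that is not part of the original advisory or urllib3's own code. The helper names are hypothetical; it assumes the `proxy_ssl_context` keyword of `urllib3.ProxyManager`, which is what populates `proxy_config` in the 1.26 series, and the affected range in `in_affected_range` is read from the Patches section.

```python
import re
import ssl


def build_proxy_ssl_context(cafile=None):
    """TLS context for the connection to the HTTPS proxy itself."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Set both explicitly so the proxy certificate is validated AND
    # matched against the proxy hostname, whatever the library default is.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_proxy_hostname(ctx):
    """Audit helper: True only if ctx checks both the chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def in_affected_range(version):
    """True for 1.26.0 up to but excluding 1.26.4 (per the Patches section)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if m is None:
        raise ValueError("unparseable version: %r" % version)
    nums = [int(p) for p in m.group(0).split(".")][:3]
    nums += [0] * (3 - len(nums))
    return (1, 26, 0) <= tuple(nums) < (1, 26, 4)


def make_proxy_manager(proxy_url, cafile=None):
    """ProxyManager whose proxy_config carries an explicit SSLContext."""
    import urllib3  # imported lazily; the helpers above need only the stdlib

    return urllib3.ProxyManager(
        proxy_url,
        proxy_ssl_context=build_proxy_ssl_context(cafile),
    )


if __name__ == "__main__":
    # "https://proxy.example:8443" is a constructed placeholder URL.
    print(verifies_proxy_hostname(build_proxy_ssl_context()))
    print(in_affected_range("1.26.3"))
```

Passing `urllib3.__version__` to `in_affected_range` tells you whether an installed copy still needs the explicit context or the upgrade.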
For more information
If you have any questions or comments about this advisory: