Impact
Affects users who send HTTPS requests through an HTTPS proxy and have not configured their own SSLContext via proxy_config.
Only the default SSLContext is impacted.
Patches
The issue is resolved in urllib3 >=1.26.4. urllib3 <1.26 is not impacted because it does not support HTTPS requests via HTTPS proxies.
Workarounds
Upgrading is recommended, as this is a minor release and not likely to break current usage.
Alternatively, configure an SSLContext with check_hostname=True and pass it via proxy_config instead of relying on the default SSLContext.
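The workaround and the affected version range, as an added example that is not part of the original advisory. It assumes the context is supplied through ProxyManager's proxy_ssl_context keyword, which is what populates proxy_config; the proxy URL is a placeholder and the function names are hypothetical.

```python
import re
import ssl


def is_affected(version: str) -> bool:
    """True for urllib3 1.26.0 through 1.26.3, the range this advisory covers."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return (1, 26, 0) <= tuple(parts) < (1, 26, 4)


def make_proxy_context(cafile=None) -> ssl.SSLContext:
    """Context for the TLS session to the proxy, with hostname checks forced on."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already enables both settings; they are set
    # explicitly so the guarantee does not depend on library defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_proxy_manager(proxy_url: str, cafile=None):
    """ProxyManager that uses the explicit context instead of the default one."""
    import urllib3  # imported here so the helpers above work without urllib3

    return urllib3.ProxyManager(
        proxy_url, proxy_ssl_context=make_proxy_context(cafile)
    )


if __name__ == "__main__":
    import urllib3

    print("urllib3", urllib3.__version__,
          "affected:", is_affected(urllib3.__version__))
    # Placeholder proxy URL; no connection is made until a request is sent.
    pm = make_proxy_manager("https://proxy.example.internal:8443")
    print("proxy check_hostname:", pm.proxy_config.ssl_context.check_hostname)
```

Pass cafile when the proxy certificate is issued by a private CA, so that verification stays enabled rather than being switched off.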
For more information
If you have any questions or comments about this advisory: