apk package
chainguard/duplicity
pkg:apk/chainguard/duplicity
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44432 | High | 7.5 | | < 3.0.7-r4 | 3.0.7-r4 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w |
| CVE-2026-44431 | Med | 5.3 | | < 3.0.7-r4 | 3.0.7-r4 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0. |
| CVE-2026-44405 | Low | 3.4 | | < 3.0.7-r4 | 3.0.7-r4 | May 6, 2026 | In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. |