urllib3 is vulnerable to SSL Hostname verification bypass. The vulnerability exists because urllib3 incorrectly loads system certificates even when an explicit set of CA certificates was specified, possibly allowing man-in-the-middle attacks.
lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
www.openwall.com/lists/oss-security/2019/04/19/1
access.redhat.com/errata/RHSA-2019:3335
access.redhat.com/errata/RHSA-2019:3590
github.com/urllib3/urllib3/commit/75e071eea2d0698b0089db13a2b716a8f5f18eb1
github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
github.com/urllib3/urllib3/pull/1564
lists.debian.org/debian-lts-announce/2021/06/msg00015.html
lists.fedoraproject.org/archives/list/[email protected]/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
lists.fedoraproject.org/archives/list/[email protected]/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
usn.ubuntu.com/3990-1/
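
The trust-store behaviour described at the top of this entry, shown with Python's standard `ssl` module as an added example (not urllib3's own code and not taken from the linked commit): one builder loads system CAs unconditionally, the other uses them only as a fallback, and a recording context reports which sources each one loaded. `RecordingContext`, `build_flawed`, `build_pinned` and `trust_sources` are hypothetical names, and the explicit CA directory is an empty temporary directory constructed for the check.

```python
import ssl
import tempfile


class RecordingContext(ssl.SSLContext):
    """Audit double: an SSLContext that records which trust sources are loaded."""

    def __new__(cls, protocol=ssl.PROTOCOL_TLS_CLIENT):
        self = super().__new__(cls, protocol)
        self.trust_sources = []
        return self

    def load_default_certs(self, *args, **kwargs):
        # Record only; the OS store is not read, so the result is deterministic.
        self.trust_sources.append("system")

    def load_verify_locations(self, cafile=None, capath=None, cadata=None):
        self.trust_sources.append("explicit")
        return super().load_verify_locations(cafile, capath, cadata)


def build_flawed(ca_dir=None, factory=ssl.SSLContext):
    """Flawed pattern: system CAs are loaded even when ca_dir is given."""
    ctx = factory(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    if ca_dir:
        ctx.load_verify_locations(capath=ca_dir)
    return ctx


def build_pinned(ca_dir=None, factory=ssl.SSLContext):
    """Corrected pattern: system CAs are used only when no CA set is given."""
    ctx = factory(ssl.PROTOCOL_TLS_CLIENT)
    if ca_dir:
        ctx.load_verify_locations(capath=ca_dir)
    else:
        ctx.load_default_certs()
    return ctx


def trust_sources(builder, explicit=True):
    """Return the trust sources a builder loads (constructed empty CA dir)."""
    with tempfile.TemporaryDirectory() as ca_dir:
        ctx = builder(ca_dir if explicit else None, RecordingContext)
    return ctx.trust_sources


if __name__ == "__main__":
    for builder in (build_flawed, build_pinned):
        print(builder.__name__, trust_sources(builder))
```

A check like `trust_sources` can run as a regression test against any in-house helper that builds TLS contexts from a caller-supplied CA bundle.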