Roberto C. Sánchez · Roberto C. Sánchez · 8c443eae · 8c443eae
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1267,6 +1267,8 @@ CVE-2019-11237
 CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection is po ...)
 	- python-urllib3 <unfixed> (bug #927172)
 	NOTE: https://github.com/urllib3/urllib3/issues/1553
+	NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
+	NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
 CVE-2019-11235 (FreeRADIUS before 3.0.19 mishandles the "each participant verifies tha ...)
 	- freeradius 3.0.17+dfsg-1.1 (bug #926958)
 	[stretch] - freeradius <no-dsa> (Minor issue; plugin not enabled by default)
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -101,7 +101,8 @@ poppler
  NOTE: 20190408: No known upstream patches available for remaining open CVEs (sunweaver)
 --
 python-urllib3 (Roberto C. Sánchez)
-  NOTE: 20190429: Waiting on upstream action for CVE-2019-9740 (roberto)
+  NOTE: 20190504: Upstream has committed fix for CVE-2019-11236; though, their commits, 9b76785 and efddd7e, reference CVE-2019-9740 (roberto)
+  NOTE: 20190504: Working now on backporting the fixes (roberto)
 --
 python2.7 (Roberto C. Sánchez)
  NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636