| Summary: | python, python3 new security issue CVE-2019-10160, CVE-2019-9740, CVE-2019-994[78] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Python Stack Maintainers <python> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | marja11 |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO, MGA6TOO | ||
| Source RPM: | python-2.7.16-2.mga7.src.rpm, python3-3.7.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 25641 | ||
| Bug Blocks: | |||
Description

David Walser 2019-06-24 15:49:31 CEST

David Walser 2019-06-24 15:49:43 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

Marja Van Waes 2019-06-26 08:28:13 CEST
Assignee: bugsquad => python

RedHat has issued an advisory on August 6: https://access.redhat.com/errata/RHSA-2019:2030
This fixes three additional issues: CVE-2019-9740, CVE-2019-9947, CVE-2019-9948
These issues are related to the urllib3 issue (Bug 23880).
Mageia 6, Mageia 7, and Cauldron are all affected.
Summary: python, python3 new security issue CVE-2019-10160 => python, python3 new security issue CVE-2019-10160, CVE-2019-9740, CVE-2019-994[78]

RedHat has issued an advisory for this today (November 5): https://access.redhat.com/errata/RHSA-2019:3520
Apparently fixed in Bug 25641: https://advisories.mageia.org/MGASA-2019-0318.html
Depends on: (none) => 25641

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command (CVE-2019-9740).

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue (CVE-2019-9947).

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call (CVE-2019-9948).

A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application (CVE-2019-10160).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160
https://access.redhat.com/errata/RHSA-2019:1587
https://access.redhat.com/errata/RHSA-2019:2030
https://access.redhat.com/errata/RHSA-2019:3520
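The four advisories above share one root cause: a URL taken from an untrusted source reaches urllib without the application checking it first. The following is an added example, not code from the Mageia bug, from Red Hat, or from Python itself. It shows the pre-validation an application can do in its own code regardless of which python/python3 package is installed (reject control characters, allowlist schemes instead of blacklisting file:, refuse embedded credentials), and a second helper that checks offline whether the running interpreter's http.client carries the CR/LF fix. The helper names (validate_outbound_url, interpreter_rejects_crlf_path, classify), the ALLOWED_SCHEMES set and the sample URLs are constructed for this illustration; the hosts are reserved .invalid names, not real targets.

```python
"""Defensive URL pre-validation for the urllib issues in this bug.

Added example, not part of the Mageia bug or of Python.  All helper names
and sample URLs below are constructed for illustration.
"""
import re
from http.client import HTTPConnection, InvalidURL
from urllib.parse import urlsplit

# Schemes an application fetching remote resources is expected to use.
# Allowlisting beats the file: blacklist that local_file: (CVE-2019-9948)
# slipped past.  (Assumed policy for this example.)
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Characters that must never reach an HTTP request line: C0 controls
# (including CR and LF), space and DEL.  This mirrors the character class
# http.client rejects once the CVE-2019-9740 / CVE-2019-9947 fix is present.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


class UnsafeURL(ValueError):
    """Raised when a URL fails pre-validation."""


def validate_outbound_url(url: str) -> str:
    """Return ``url`` unchanged if it is safe to hand to urlopen, else raise.

    1. No control characters anywhere in the raw string (query or path
       CR LF injection, CVE-2019-9740 / CVE-2019-9947).
    2. Scheme is on the allowlist (local_file: bypass, CVE-2019-9948).
    3. No user/password in the authority (the vector in CVE-2019-10160)
       and a non-empty hostname.
    """
    if _DISALLOWED.search(url):
        raise UnsafeURL("control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL authority")
    if not parts.hostname:
        raise UnsafeURL("missing host")
    return url


def interpreter_rejects_crlf_path() -> bool:
    """Report whether this Python's http.client refuses CR/LF in the path.

    putrequest() validates the path before any socket is opened, so this
    check runs offline.  A fixed interpreter raises InvalidURL; an unfixed
    one would have accepted the path and emitted the injected bytes.
    """
    conn = HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", "/search?q=x\r\nX-Injected: 1")
    except InvalidURL:
        return True
    finally:
        conn.close()
    return False


# Constructed sample inputs modelled on the advisory text (hosts are .invalid).
SAMPLE_URLS = (
    "http://example.invalid/ok?x=1",
    "http://example.invalid/search?q=a\r\nX-Injected: 1",  # query, CVE-2019-9740
    "http://example.invalid/a\r\nX-Injected: 1/b",         # path, CVE-2019-9947
    "local_file:///etc/passwd",                            # CVE-2019-9948
    "file:///etc/passwd",
    "http://user:pw@example.invalid/",                     # userinfo, CVE-2019-10160
)


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to True if it passes validation, False if it is rejected."""
    result = {}
    for u in urls:
        try:
            validate_outbound_url(u)
            result[u] = True
        except UnsafeURL:
            result[u] = False
    return result


if __name__ == "__main__":
    for u, ok in classify().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {u!r}")
    print("http.client rejects CR/LF in path:", interpreter_rejects_crlf_path())
```

Note that urlsplit does not even recognise local_file as a scheme (the underscore is not a valid scheme character), so the URL arrives with an empty scheme; a blacklist keyed on the parsed scheme would therefore never see "file", which is why the example allowlists instead. The control-character check is deliberately done on the raw string before parsing, because newer urlsplit versions silently strip CR and LF and would hide the injection attempt from any check placed after parsing.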