RedHat has issued an advisory on June 20: https://access.redhat.com/errata/RHSA-2019:1587
Mageia 6 is also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assignee: bugsquad => python
CC: (none) => marja11
RedHat has issued an advisory on August 6: https://access.redhat.com/errata/RHSA-2019:2030
This fixes three additional issues: CVE-2019-9740, CVE-2019-9947, CVE-2019-9948. These issues are related to the urllib3 issue (Bug 23880). Mageia 6, Mageia 7, and Cauldron are all affected.
Summary: python, python3 new security issue CVE-2019-10160 => python, python3 new security issue CVE-2019-10160, CVE-2019-9740, CVE-2019-994[78]
RedHat has issued an advisory for this today (November 5): https://access.redhat.com/errata/RHSA-2019:3520
One more: https://access.redhat.com/errata/RHSA-2019:3335
Apparently fixed in Bug 25641: https://advisories.mageia.org/MGASA-2019-0318.html
Depends on: (none) => 25641
Resolution: (none) => FIXED
Status: NEW => RESOLVED
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command (CVE-2019-9740).

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue (CVE-2019-9947).

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call (CVE-2019-9948).

A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application (CVE-2019-10160).
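The four descriptions above boil down to three checks an application can make before handing an untrusted URL to urlopen: no CR/LF anywhere in the string (CVE-2019-9740 query string, CVE-2019-9947 path), a scheme allowlist rather than a file: blocklist (CVE-2019-9948, local_file:), and a netloc whose host, user and password parts do not change meaning under normalisation (CVE-2019-9636 / CVE-2019-10160). The following validator is an added example written for this page; it is not code from the bug report, from CPython, or from any vendor patch. The names validate_url, ALLOWED_SCHEMES and expected_host are this example's own, the http(s)-only policy is an assumption, and the sample URLs at the bottom are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed policy for this example: only http(s) may be fetched. An allowlist
# cannot be bypassed by an unexpected scheme name such as local_file:, which a
# blocklist of "file:" misses.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Delimiters that re-split a netloc once NFKC normalisation folds look-alike
# code points into them (host vs. user:password vs. port vs. fragment).
_NETLOC_DELIMITERS = "/?#@:"


def validate_url(url, expected_host):
    """Return (ok, reason). ok is True only when url is safe to pass on under
    this example's policy; reason explains any rejection."""
    # 1. CRLF / control characters, checked on the raw string before parsing.
    #    Recent urllib.parse silently strips \r, \n and \t, so a check on the
    #    parsed components would not see them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "control character in URL (CRLF injection)"

    # 2. Parse. Patched interpreters raise ValueError for a netloc that gains
    #    delimiters under NFKC; treat that as a rejection, not a crash.
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"parser rejected URL: {exc}"

    # 3. Scheme allowlist. (urlsplit does not even accept "local_file" as a
    #    scheme because of the underscore, so it lands here with scheme "".)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    # 4. Independent NFKC check on the netloc, for interpreters without the
    #    parser fix: a delimiter that exists only after normalisation means a
    #    normalising consumer would read a different host or credentials.
    normalised = unicodedata.normalize("NFKC", parts.netloc)
    for ch in _NETLOC_DELIMITERS:
        if ch in normalised and ch not in parts.netloc:
            return False, f"netloc gains {ch!r} under NFKC normalisation"

    # 5. The host the request would actually reach must be the expected one,
    #    regardless of any user:password@ prefix.
    host = (parts.hostname or "").lower()
    if host != expected_host.lower():
        return False, f"host {host!r} != expected {expected_host!r}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one benign URL and one per issue class.
    samples = [
        "http://example.com/path?q=1",
        "http://example.com/?q=1\r\nX-Injected: 1",   # CRLF in query (9740)
        "http://example.com/\r\nX-Injected: 1",       # CRLF in path (9947)
        "local_file:///etc/passwd",                   # scheme bypass (9948)
        "http://example.com\uff03@evil.com/",         # netloc confusion (9636/10160)
        "http://user:pw@evil.com/",                   # credentials, wrong host
    ]
    for sample in samples:
        ok, reason = validate_url(sample, "example.com")
        print(f"{ok!s:5} {reason:45} {sample!r}")
```

The control-character test deliberately runs on the raw string: from Python 3.9.5 / 3.10 onward urlsplit removes \r, \n and \t before splitting, so the only reliable place to detect an injected line break is before the parser touches the input. The NFKC step duplicates what patched interpreters already do inside urlsplit, which is why the function accepts a ValueError from the parser as an equally valid rejection.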
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160
https://access.redhat.com/errata/RHSA-2019:1587
https://access.redhat.com/errata/RHSA-2019:2030
https://access.redhat.com/errata/RHSA-2019:3520