[SECURITY] [DLA 2337-1] python2.7 security update

To: [email protected]
Subject: [SECURITY] [DLA 2337-1] python2.7 security update
From: Thorsten Alteholz <[email protected]>
Date: Sat, 22 Aug 2020 16:48:43 +0200 (CEST)
Message-id: <[🔎] [email protected]>
Mail-followup-to: [email protected]
Reply-to: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2337-1                [email protected]
https://www.debian.org/lts/security/                    Thorsten Alteholz
August 22, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u4
CVE ID         : CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740
                 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056
                 CVE-2019-20907


Multiple vulnerabilities were discovered in Python2.7, an interactive
high-level object-oriented language.

CVE-2018-20852

    By using a malicious server an attacker might steal cookies that are
    meant for other domains.

CVE-2019-5010

    NULL pointer dereference using a specially crafted X509 certificate.

CVE-2019-9636

    Improper Handling of Unicode Encoding (with an incorrect netloc)
    during NFKC normalization resulting in information disclosure
    (credentials, cookies, etc. that are cached against a given
    hostname).  A specially crafted URL could be incorrectly parsed to
    locate cookies or authentication data and send that information to
    a different host than when parsed correctly.

CVE-2019-9740

    An issue was discovered in urllib2 where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the query string after a ? character) followed by an HTTP header or
    a Redis command.

CVE-2019-9947

    An issue was discovered in urllib2 where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the path component of a URL that lacks a ? character) followed by an
    HTTP header or a Redis command. This is similar to the CVE-2019-9740
    query string issue.

CVE-2019-9948

    urllib supports the local_file: scheme, which makes it easier for
    remote attackers to bypass protection mechanisms that blacklist
    file: URIs, as demonstrated by triggering a
    urllib.urlopen('local_file:///etc/passwd') call.

CVE-2019-10160

    A security regression of CVE-2019-9636 was discovered which still
    allows an attacker to exploit CVE-2019-9636 by abusing the user and
    password parts of a URL. When an application parses user-supplied
    URLs to store cookies, authentication credentials, or other kind of
    information, it is possible for an attacker to provide specially
    crafted URLs to make the application locate host-related information
    (e.g. cookies, authentication data) and send them to a different
    host than where it should, unlike if the URLs had been correctly
    parsed. The result of an attack may vary based on the application.

CVE-2019-16056

    The email module wrongly parses email addresses that contain
    multiple @ characters. An application that uses the email module and
    implements some kind of checks on the From/To headers of a message
    could be tricked into accepting an email address that should be
    denied.

CVE-2019-20907

    Opening a crafted tar file could result in an infinite loop due to
    missing header validation.


For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u4.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl9BMEtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfv8Q//QjWU3RC56E70nXBe5R9Su06UQSLBQWW4xSIq7hpw1ZzD/Qlmmxoy2OVP
Vbc3BHXlOEhqrDPcRGyQ2m51PM+6kO1T1QvpOkSvV90+FPq7QwnTwfxxNjkgiBYj
Ycxhy5U5OLbj/RTf44eeqqaBeOOkn7s7Zd2RqzovMMYMG8aKm8wWiArUaWUCLHis
xDjebHU9ArI1rnKCQenV5Q4fcTOIHjjnt6g7E9ZQWOj4FFyi0rYBiqnwELGtydLC
nUIcyB81Qlbwk5vYnH49ls5P9eRRpONU8uTJCvY7dfS+1ubqXu1y2bYPOWGBi/Oz
uqF97qdwBZ7j447HqWzajMcn793wtoB41qeoQwoHRiClJDDH/xlb4gsAdcH1cLBh
UwEdkCOnfgx7jf53c/XZPGr+CBHFSCkF+VLH7gx7rt0oYBAHGPtUGPU5F4xcqZzn
tVvr65b8MEnK0GqOrsZmqN94iXpXtxVDQG+yvXtUvdNn9nhBd+vNhmaVAv1RSgZx
X7WuR7dGfIkRCuzq6xSBygSmwnGvweYXI0fzIyF4irVFjW8I47AnogtxJTUOuZAa
6p45CJVKIIKimqMTOs/04pmUmAuDoEhGzEq+8WlueU7re5MRr3r+t7yiXDBp/azS
F+P9xHY3ZvUPvNBuePCc5txUtVRX30Uoaz+WJFOJRYY6ua1JxnQ=
=TSfH
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2336-1] firejail security update
Next by Date: [SECURITY] [DLA 2339-1] software-properties security update
Previous by thread: [SECURITY] [DLA 2336-1] firejail security update
Next by thread: [SECURITY] [DLA 2339-1] software-properties security update
Index(es):
- Date
- Thread