-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2287
             Multiple vulnerabilities in python affect Debian
                               25 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python2.7
                   python3.4
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10160 CVE-2019-9948 CVE-2019-9947
                   CVE-2019-9740 CVE-2019-9636 CVE-2019-5010
                   CVE-2018-14647  

Reference:         ESB-2019.2267
                   ESB-2019.2218
                   ESB-2019.2110
                   ESB-2019.2108
                   ESB-2019.1880
                   ESB-2019.1840

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
   https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : python2.7
Version        : 2.7.9-2+deb8u3
CVE ID         : CVE-2018-14647 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740
                 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160
Debian Bug     : 921039 921040 924073


Multiple vulnerabilities were discovered in Python, an interactive
high-level object-oriented language, including

CVE-2018-14647

    Python's elementtree C accelerator failed to initialise Expat's hash
    salt during initialization. This could make it easy to conduct
    denial of service attacks against Expat by constructing an XML
    document that would cause pathological hash collisions in Expat's
    internal data structures, consuming large amounts CPU and RAM.

CVE-2019-5010

    NULL pointer dereference using a specially crafted X509 certificate.

CVE-2019-9636

    Improper Handling of Unicode Encoding (with an incorrect netloc)
    during NFKC normalization resulting in information disclosure
    (credentials, cookies, etc. that are cached against a given
    hostname).  A specially crafted URL could be incorrectly parsed to
    locate cookies or authentication data and send that information to
    a different host than when parsed correctly.

CVE-2019-9740

    An issue was discovered in urllib2 where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the query string after a ? character) followed by an HTTP header or
    a Redis command.

CVE-2019-9947

    An issue was discovered in urllib2 where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the path component of a URL that lacks a ? character) followed by an
    HTTP header or a Redis command. This is similar to the CVE-2019-9740
    query string issue.

CVE-2019-9948

    urllib supports the local_file: scheme, which makes it easier for
    remote attackers to bypass protection mechanisms that blacklist
    file: URIs, as demonstrated by triggering a
    urllib.urlopen('local_file:///etc/passwd') call.

CVE-2019-10160

    A security regression of CVE-2019-9636 was discovered which still
    allows an attacker to exploit CVE-2019-9636 by abusing the user and
    password parts of a URL. When an application parses user-supplied
    URLs to store cookies, authentication credentials, or other kind of
    information, it is possible for an attacker to provide specially
    crafted URLs to make the application locate host-related information
    (e.g. cookies, authentication data) and send them to a different
    host than where it should, unlike if the URLs had been correctly
    parsed. The result of an attack may vary based on the application.

For Debian 8 "Jessie", these problems have been fixed in version
2.7.9-2+deb8u3.

We recommend that you upgrade your python2.7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- ----
Package        : python3.4
Version        : 3.4.2-1+deb8u3
CVE ID         : CVE-2018-14647 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947
Debian Bug     : 921039 924072


Multiple vulnerabilities were discovered in Python, an interactive
high-level object-oriented language, including 

CVE-2018-14647

    Python's elementtree C accelerator failed to initialise Expat's hash
    salt during initialization. This could make it easy to conduct
    denial of service attacks against Expat by constructing an XML
    document that would cause pathological hash collisions in Expat's
    internal data structures, consuming large amounts CPU and RAM.

CVE-2019-9636

    Improper Handling of Unicode Encoding (with an incorrect netloc)
    during NFKC normalization resulting in information disclosure
    (credentials, cookies, etc. that are cached against a given
    hostname).  A specially crafted URL could be incorrectly parsed to
    locate cookies or authentication data and send that information to
    a different host than when parsed correctly.

CVE-2019-9740

    An issue was discovered in urllib where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the query string after a ? character) followed by an HTTP header or
    a Redis command.

CVE-2019-9947

    An issue was discovered in urllib where CRLF injection is possible
    if the attacker controls a url parameter, as demonstrated by the
    first argument to urllib.request.urlopen with \r\n (specifically in
    the path component of a URL that lacks a ? character) followed by an
    HTTP header or a Redis command. This is similar to the CVE-2019-9740
    query string issue.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.2-1+deb8u3.

We recommend that you upgrade your python3.4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXRG88WaOgq3Tt24GAQgyxA//fhnDIV1ecq1nwFcLfUT4ow52kOgUqxpo
wvY//5IpclDspJtUCPcNucJIgzQkxBJPvqdiA74Pd+f5XdZN9pWWIQ6v8kEqwB02
uV+xj3LTXW8EQfJ28Q7hLKgkQfdycWCVts1MwV5rZE/iCLS33/XVFk1SznEJ/ufT
R8CmLWHwWu51eYlokbo8QoH0bHq08FHpfDOgJ3SI3vKaecavhHP3VGf410hiDwQr
Cb5sAp6M+A6k1LIcpEzLaecPcGJUNJ05qjTaKt1NHQB++gHRmr4Epkgmoz0wtJOc
Q2XMVyKrRsCCGjycCzpUJXJrqrDM1erFA6X0dONKJCUnv8r2hC0OkGcZ/Ic6hgGb
NiaK6Dxu/OMoPgXCDq86JlU7Hdud2rFq/abg2eZzjA4dgu8550dnk/op9n5ildDw
D/hHgWGfdj/fsg2fztgmesMn5vHwY09jb4C4vrAooipUMeSQtc0fKjNoQSQutVcs
A1l0Q3cdCCbnuqyY8V4BOIxgBqofBcRkpBpen/WdhjlwpFhFIblyTWaXab6Mk2jD
0BTJOuRH4gxEUJ4lWnJ11YVUFUV8eezgKXQkHK99yitc37guXVfX787GZSU+e4Lt
gVSFoMxQxGDlX47PX3F+W9B+9H/ASJKSqo6ndL0I2yHadWGp7g6Wy9cPjtJG7QSB
pduHhfqUl7E=
=2Zrq
-----END PGP SIGNATURE-----