Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2287 Multiple vulnerabilities in python affect Debian 25 June 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python2.7 python3.4 Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Access Privileged Data -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-10160 CVE-2019-9948 CVE-2019-9947 CVE-2019-9740 CVE-2019-9636 CVE-2019-5010 CVE-2018-14647 Reference: ESB-2019.2267 ESB-2019.2218 ESB-2019.2110 ESB-2019.2108 ESB-2019.1880 ESB-2019.1840 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html Comment: This bulletin contains two (2) Debian security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- Package : python2.7 Version : 2.7.9-2+deb8u3 CVE ID : CVE-2018-14647 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 Debian Bug : 921039 921040 924073 Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including CVE-2018-14647 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. CVE-2019-5010 NULL pointer dereference using a specially crafted X509 certificate. CVE-2019-9636 Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization resulting in information disclosure (credentials, cookies, etc. that are cached against a given hostname). A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. CVE-2019-9740 An issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. CVE-2019-9947 An issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. CVE-2019-9948 urllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. CVE-2019-10160 A security regression of CVE-2019-9636 was discovered which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. For Debian 8 "Jessie", these problems have been fixed in version 2.7.9-2+deb8u3. We recommend that you upgrade your python2.7 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - ---- Package : python3.4 Version : 3.4.2-1+deb8u3 CVE ID : CVE-2018-14647 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 Debian Bug : 921039 924072 Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including CVE-2018-14647 Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. CVE-2019-9636 Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization resulting in information disclosure (credentials, cookies, etc. that are cached against a given hostname). A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. CVE-2019-9740 An issue was discovered in urllib where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. CVE-2019-9947 An issue was discovered in urllib where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. For Debian 8 "Jessie", these problems have been fixed in version 3.4.2-1+deb8u3. We recommend that you upgrade your python3.4 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXRG88WaOgq3Tt24GAQgyxA//fhnDIV1ecq1nwFcLfUT4ow52kOgUqxpo wvY//5IpclDspJtUCPcNucJIgzQkxBJPvqdiA74Pd+f5XdZN9pWWIQ6v8kEqwB02 uV+xj3LTXW8EQfJ28Q7hLKgkQfdycWCVts1MwV5rZE/iCLS33/XVFk1SznEJ/ufT R8CmLWHwWu51eYlokbo8QoH0bHq08FHpfDOgJ3SI3vKaecavhHP3VGf410hiDwQr Cb5sAp6M+A6k1LIcpEzLaecPcGJUNJ05qjTaKt1NHQB++gHRmr4Epkgmoz0wtJOc Q2XMVyKrRsCCGjycCzpUJXJrqrDM1erFA6X0dONKJCUnv8r2hC0OkGcZ/Ic6hgGb NiaK6Dxu/OMoPgXCDq86JlU7Hdud2rFq/abg2eZzjA4dgu8550dnk/op9n5ildDw D/hHgWGfdj/fsg2fztgmesMn5vHwY09jb4C4vrAooipUMeSQtc0fKjNoQSQutVcs A1l0Q3cdCCbnuqyY8V4BOIxgBqofBcRkpBpen/WdhjlwpFhFIblyTWaXab6Mk2jD 0BTJOuRH4gxEUJ4lWnJ11YVUFUV8eezgKXQkHK99yitc37guXVfX787GZSU+e4Lt gVSFoMxQxGDlX47PX3F+W9B+9H/ASJKSqo6ndL0I2yHadWGp7g6Wy9cPjtJG7QSB pduHhfqUl7E= =2Zrq -----END PGP SIGNATURE-----