Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2421 python3.5 security update 16 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python3.5 Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-14422 CVE-2020-8492 CVE-2019-18348 CVE-2019-16935 CVE-2019-16056 CVE-2019-11340 CVE-2019-10160 CVE-2019-9948 CVE-2019-9947 CVE-2019-9740 CVE-2019-9636 CVE-2019-5010 CVE-2018-20852 CVE-2018-20406 Reference: ASB-2020.0129 ASB-2020.0026 ESB-2020.1559 ESB-2020.1341 ESB-2020.0397 Original Bulletin: https://www.debian.org/lts/security/2020/dla-2280 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2280-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ July 15, 2020 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : python3.5 Version : 3.5.3-1+deb9u2 CVE ID : CVE-2018-20406 CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-18348 CVE-2020-8492 CVE-2020-14422 Debian Bug : 924072 921064 940901 Multiple security issues were discovered in Python, an interactive high-level object-oriented language. CVE-2018-20406 Modules/_pickle.c has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. CVE-2018-20852 http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. CVE-2019-5010 An exploitable denial-of-service vulnerability exists in the X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability. CVE-2019-9636 Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. CVE-2019-9740 An issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. CVE-2019-9947 An issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. CVE-2019-9948 urllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. CVE-2019-10160 A security regression was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. CVE-2019-16056 The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. CVE-2019-16935 The documentation XML-RPC server has XSS via the server_title field. This occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. CVE-2019-18348 An issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue CVE-2020-8492 Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. CVE-2020-14422 Lib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. For Debian 9 stretch, these problems have been fixed in version 3.5.3-1+deb9u2. We recommend that you upgrade your python3.5 packages. For the detailed security status of python3.5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python3.5 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl8O0iMACgkQj/HLbo2J BZ9JUwf9FbhjAkMZqcZt1DMhjXqyV6VYMRkS2UT9NakOL0vKZodkElUcyBu6gexV +NMu+dtV/uwPaHANOqp4NFfP8YMZ6OL+ahSSzL6LIIOlAJxf97uKp13FfHQVgW+Y aVw3sRQ214oM+rCovrFwNiYxELpDrT3q9pc/BMJevWSFJ7c3/8lT74UtBOiW7D4i A+IBSfeGdDhBnoSSsLt/s+STvPbyWlMhm68swy71692z6JxSoTG7aiVily9oxJgI 5iMl9fxDUAK9vxH1MTcn/JyI/wWPdEVFkNsgclsnuiBS3sH3YFq8vt0H1vrodsDK R3Q5ZUe6qclYqFCB50ugCN71Vh4LfQ== =+nMr - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXw/RR+NLKJtyKPYoAQiltBAAhJHTSQlzfWDp5W6LfTMHCg4qWxMqt5GB 6990pa/q+NECgf6BnQ1Nj3CHzJ1i9bHHTMLoatg5kwQUxu7AywmnL/sXCgX/deOG UDov5wawk7sN+IIyYffl1ZIEbLCWQdYtfTZnxWjJhpFusGjk2tEHEzzghGud+Uxs yJUHFFipJYQ1TLZyAZ3qisD80vyZn6hLz7Ew5R8S9KXoMrzpyppRuK2USOnMvN8J RiYnXMYOdO9FXoexAMw29GiPz05fqi7YO4OenBWWo1x1qQkIa6ERet+DPqcKiwhK 5FgqXELNyIXkYR33BHRkKbxy+9uKgoYFHQKOYt2bpKZFKutwRbL6utGlAFrS2XBf tTfpUTZ0GO2iNIavCyS3xIP+B+MuZHwji72ez86q+cBZLfdGlYhTmdHEINgLl4hx nBNdYrddOIMPrVo6QwYc+DU+X+To18cMefoak67jgIhIlLbFbiKgfzWMvStxgC6L ezyVRQE7M3PYCJnmA+murnq3oqBnTddRuax6v8oIEqxLiMmT7U3G1dUBN8KlkALg Dmb/8Gx6PL/yYddSfR9o73fa9zvUtM5+NiSyevVEwN7Q2y6t4gSYx6yT1Ks/zC/N YT2LHdZLL961DOt+tz66txFRbnyvIVkMEj0xIfT/1xIpVb+7tpjAPtTMMmHCaX+H FBU+y632P14= =fwIU -----END PGP SIGNATURE-----