
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1309
                         python2.7 security update
                               19 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python2.7
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23336 CVE-2019-16935 

Reference:         ESB-2021.1122
                   ESB-2021.1014
                   ESB-2021.0864

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2628

- --------------------------BEGIN INCLUDED TEXT--------------------


- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2628-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 17, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u5
CVE ID         : CVE-2019-16935 CVE-2021-23336

Two security issues have been discovered in python2.7:

CVE-2019-16935

    The documentation XML-RPC server in Python 2.7 has XSS via the server_title
    field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
    Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
    untrusted input, arbitrary JavaScript can be delivered to clients that
    visit the http URL for this server.

CVE-2021-23336

    Python 2.7 is vulnerable to web cache poisoning via urllib.parse.parse_qsl
    and urllib.parse.parse_qs through a vector called parameter cloaking. When
    an attacker can separate query parameters using a semicolon (;), they can
    cause the proxy (running with its default configuration) and the server to
    interpret the same request differently. This can result in malicious
    requests being cached as completely safe ones, because the proxy usually does
    not treat the semicolon as a separator and therefore does not include the
    cloaked, unkeyed parameter in its cache key.

    **Attention, API-change!**
    Please be sure your software is working properly if it uses `urllib.parse.parse_qs`
    or `urllib.parse.parse_qsl`, `cgi.parse` or `cgi.parse_multipart`.

    Earlier Python versions allowed using both `;` and `&` as query parameter
    separators in `urllib.parse.parse_qs` and `urllib.parse.parse_qsl`.
    Due to security concerns, and to conform with newer W3C recommendations,
    this has been changed to allow only a single separator, with `&` as the
    default. This change also affects `cgi.parse` and `cgi.parse_multipart`,
    as they use the affected functions internally. For more details, please
    see their respective documentation.
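    The following is an added illustration, not part of the Debian advisory or
    CPython: it re-implements the old dual-separator parsing alongside a toy
    "&"-only proxy cache key (both constructed here) to show where the
    interpretations diverge, and includes the post-upgrade compatibility check
    an operator would run. The explicit `separator` keyword assumes a Python 3
    interpreter that already carries the fix.

```python
"""Added example: parameter cloaking via ';' and the single-separator fix."""
from urllib.parse import parse_qs


def legacy_parse_qs(qs):
    """Pre-fix behaviour, re-implemented for this example (not CPython's code):
    both ';' and '&' split name=value pairs; blank values are dropped, which
    mirrors parse_qs's default keep_blank_values=False."""
    result = {}
    for pair in qs.replace(";", "&").split("&"):
        key, _, value = pair.partition("=")
        if key and value:
            result.setdefault(key, []).append(value)
    return result


def proxy_cache_key(qs):
    """Constructed toy proxy: splits on '&' only and keys the cache on every
    name=value pair it sees. A ';'-separated pair stays glued to the previous
    value and never becomes a key of its own."""
    return tuple(sorted(p for p in qs.split("&") if p))


def interpretations_differ(qs):
    """True when the legacy server-side parser sees parameters that the
    '&'-only view (the patched parse_qs default) does not.  This is the
    proxy/server disagreement the advisory describes."""
    return legacy_parse_qs(qs) != parse_qs(qs)


def parse_with_separator(qs, sep):
    """Applications that legitimately relied on ';' must now opt in explicitly
    (the API change the advisory warns about)."""
    return parse_qs(qs, separator=sep)


def server_accepts_semicolon():
    """Post-upgrade check: does the installed parse_qs still treat ';' as a
    separator?  Expected False on a patched interpreter."""
    return parse_qs("a=1;b=2") == {"a": ["1"], "b": ["2"]}
```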


For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u5.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================