Bug 51715 - python3.5: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2020-07-22 15:03 CEST by Quality Assurance
Modified: 2020-07-29 16:50 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Attachments

Description Quality Assurance univentionstaff 2020-07-22 15:03:13 CEST
New Debian python3.5 3.5.3-1+deb9u2 fixes:
This update addresses the following issues:
* Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data (CVE-2018-20406)
* Cookie domain check returns incorrect results (CVE-2018-20852)
* NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010)
* Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)
* improper neutralization of CRLF sequences in urllib module (CVE-2019-9740)
* improper neutralization of CRLF sequences in urllib module (CVE-2019-9947)
* undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)
* regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
* email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056)
* XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935)
* CRLF injection via the host part of the url passed to urlopen() (CVE-2019-18348)
* wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS (CVE-2020-8492)
* DoS via inefficiency in IPv{4,6}Interface classes (CVE-2020-14422)
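Several of the urllib issues in this list (the CRLF injections CVE-2019-9740, CVE-2019-9947 and CVE-2019-18348, the undocumented local_file: scheme of CVE-2019-9948, and the NFKC netloc problems of CVE-2019-9636 and CVE-2019-10160) share one root cause: an untrusted string reaches urlopen() unchecked. The validator below is an added example, not code from Debian, CPython or the UCS errata, and its names (check_url, is_safe_url, UnsafeURL) are hypothetical. It rejects those input classes before urllib sees them, so an application stays protected even on an interpreter that has not yet received this update; the sample inputs at the bottom are constructed for illustration.

```python
"""Pre-validation of untrusted URLs before they are handed to urllib.

Added example for this errata record; it is not code from Debian, CPython
or Univention, and the function names are hypothetical. It rejects:
  * ASCII control characters such as \\r\\n anywhere in the URL
    (CVE-2019-9740, CVE-2019-9947, CVE-2019-18348),
  * any scheme outside an allowlist, which also covers the undocumented
    local_file: scheme (CVE-2019-9948),
  * URLs that change under NFKC normalization, and netlocs carrying
    userinfo (CVE-2019-9636, CVE-2019-10160).
"""
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURL(ValueError):
    """Raised when a URL fails one of the checks in check_url()."""


def check_url(url: str) -> str:
    """Return url unchanged if it passes every check, else raise UnsafeURL."""
    # 1. Any ASCII control character (CR, LF, TAB, NUL, ...) or DEL could end
    #    a request or header line inside the HTTP client; reject outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise UnsafeURL("control character in URL")

    # 2. Refuse URLs whose NFKC form differs from the input. Characters that
    #    normalize into '/', '?', '#', '@' or ':' would shift component
    #    boundaries between this parse and a later normalization of the host.
    #    Checking the whole string is stricter than the CPython fix (which
    #    only rejects netloc changes) but cannot miss a case.
    if unicodedata.normalize("NFKC", url) != url:
        raise UnsafeURL("URL is not NFKC-normalized")

    # 3. Parse. Patched interpreters raise ValueError for the netloc case
    #    above; map that onto our own exception type.
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UnsafeURL(f"unparseable URL: {exc}") from exc

    # 4. Scheme allowlist. A string such as 'local_file' fails here whether
    #    or not urlsplit recognises it as a scheme.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")

    # 5. Require a host and refuse embedded credentials (user:pass@host),
    #    the part of the netloc abused in the CVE-2019-10160 variant.
    if not parts.hostname:
        raise UnsafeURL("missing host")
    if "@" in parts.netloc:
        raise UnsafeURL("userinfo in netloc is not allowed")

    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around check_url() for callers that only need a verdict."""
    try:
        check_url(url)
    except UnsafeURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: two accepted, one per rejected class.
    samples = [
        "https://example.com/path?q=1",
        "http://example.com:8080/x",
        "http://example.com/?q=1\r\nX-Injected: 1",
        "local_file:///etc/passwd",
        "http://user:pw@example.com/",
        "http://\uff45xample.com/",
    ]
    for sample in samples:
        print(f"{is_safe_url(sample)!s:5}  {sample!r}")
```

Call check_url() at the trust boundary (request handlers, config loaders, anything that turns user input into a fetch) and pass only its return value to urlopen(); the allowlist is deliberately minimal and should be widened only for schemes the application really needs.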
Comment 1 Quality Assurance univentionstaff 2020-07-23 13:16:57 CEST
--- mirror/ftp/4.3/unmaintained/4.3-3/source/python3.5_3.5.3-1+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/python3.5_3.5.3-1+deb9u2.dsc
@@ -1,3 +1,80 @@
+3.5.3-1+deb9u2 [Thu, 09 Jul 2020 15:00:10 +0200] Sylvain Beucler <beuc@debian.org>:
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2018-20406: Modules/_pickle.c has an integer overflow via a large
+    LONG_BINPUT value that is mishandled during a "resize to twice the
+    size" attempt. This issue might cause memory exhaustion, but is only
+    relevant if the pickle format is used for serializing tens or hundreds
+    of gigabytes of data.
+  * CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in
+    Lib/http/cookiejar.py does not correctly validate the domain: it can
+    be tricked into sending existing cookies to the wrong server. An
+    attacker may abuse this flaw by using a server with a hostname that
+    has another valid hostname as a suffix (e.g., pythonicexample.com to
+    steal cookies for example.com). When a program uses
+    http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an
+    attacker-controlled server, existing cookies can be leaked to the
+    attacker.
+  * Update test_ssl.py with newer certificate and openssl version handling
+  * CVE-2019-5010: an exploitable denial-of-service vulnerability exists
+    in the X509 certificate parser. A specially crafted X509 certificate
+    can cause a NULL pointer dereference, resulting in a denial of
+    service. An attacker can initiate or accept TLS connections using
+    crafted certificates to trigger this vulnerability.
+  * CVE-2019-9636: Improper Handling of Unicode Encoding (with an
+    incorrect netloc) during NFKC normalization. The impact is:
+    Information disclosure (credentials, cookies, etc. that are cached
+    against a given hostname). The components are: urllib.parse.urlsplit,
+    urllib.parse.urlparse. The attack vector is: A specially crafted URL
+    could be incorrectly parsed to locate cookies or authentication data
+    and send that information to a different host than when parsed
+    correctly.
+  * Fix functional regression introduced by CVE-2019-9636 fix, which in
+    turn introduces CVE-2019-10160
+  * CVE-2019-10160: a security regression was discovered in python, which
+    still allows an attacker to exploit CVE-2019-9636 by abusing the user
+    and password parts of a URL. When an application parses user-supplied
+    URLs to store cookies, authentication credentials, or other kind of
+    information, it is possible for an attacker to provide specially
+    crafted URLs to make the application locate host-related information
+    (e.g. cookies, authentication data) and send them to a different host
+    than where it should, unlike if the URLs had been correctly
+    parsed. The result of an attack may vary based on the application.
+  * CVE-2019-9740: an issue was discovered in urllib2. CRLF injection is
+    possible if the attacker controls a url parameter, as demonstrated by
+    the first argument to urllib.request.urlopen with \r\n (specifically
+    in the query string after a ? character) followed by an HTTP header or
+    a Redis command.
+  * CVE-2019-9947: an issue was discovered in urllib2. CRLF injection is
+    possible if the attacker controls a url parameter, as demonstrated by
+    the first argument to urllib.request.urlopen with \r\n (specifically
+    in the path component of a URL that lacks a ? character) followed by
+    an HTTP header or a Redis command. This is similar to the
+    CVE-2019-9740 query string issue.
+  * CVE-2019-18348: an issue was discovered in urllib2. CRLF injection is
+    possible if the attacker controls a url parameter, as demonstrated by
+    the first argument to urllib.request.urlopen with \r\n (specifically
+    in the host component of a URL) followed by an HTTP header. This is
+    similar to the CVE-2019-9740 query string issue and the CVE-2019-9947
+    path string issue
+  * CVE-2019-9948: urllib supports the local_file: scheme, which makes it
+    easier for remote attackers to bypass protection mechanisms that
+    blacklist file: URIs, as demonstrated by triggering a
+    urllib.urlopen('local_file:///etc/passwd') call.
+  * CVE-2019-16935: The documentation XML-RPC server has XSS via the
+    server_title field. This occurs in Lib/xmlrpc/server.py. If
+    set_server_title is called with untrusted input, arbitrary JavaScript
+    can be delivered to clients that visit the http URL for this server.
+  * CVE-2019-16056: the email module wrongly parses email addresses that
+    contain multiple @ characters. An application that uses the email
+    module and implements some kind of checks on the From/To headers of a
+    message could be tricked into accepting an email address that should
+    be denied. An attack may be the same as in CVE-2019-11340; however,
+    this CVE applies to Python more generally.
+  * CVE-2020-8492: Python allows an HTTP server to conduct Regular
+    Expression Denial of Service (ReDoS) attacks against a client because
+    of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
+
 3.5.3-1+deb9u1 [Thu, 27 Sep 2018 19:25:39 +0200] Moritz Mühlenhoff <jmm@debian.org>:
 
   * CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
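Review bot: The description above lists CVE-2020-14422 (IPv4Interface/IPv6Interface DoS) among the fixes, but the +deb9u2 changelog entry in this hunk ends with the CVE-2020-8492 bullet and never mentions CVE-2020-14422; before doc/errata/staging/python3.5.yaml advertises it, confirm the corresponding patch is actually part of this upload, or drop that CVE from the advisory. Minor: the CVE-2019-18348 bullet is the only one without a closing full stop ("path string issue").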

<http://10.200.17.11/4.4-5/#6646714487350710605>
Comment 2 Philipp Hahn univentionstaff 2020-07-23 16:39:25 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 1ac6e2ea07 Bug #51715: python3.5 3.5.3-1+deb9u2
 doc/errata/staging/python3.5.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

[4.4-5] 2aad90b2f3 Bug #51715: python3.5 3.5.3-1+deb9u2
 doc/errata/staging/python3.5.yaml | 44 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)