Univention Bugzilla – Bug 51715
python3.5: Multiple issues (4.4)
Last modified: 2020-07-29 16:50:47 CEST
New Debian python3.5 3.5.3-1+deb9u2 fixes:

This update addresses the following issues:

* Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data (CVE-2018-20406)
* Cookie domain check returns incorrect results (CVE-2018-20852)
* NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010)
* Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)
* improper neutralization of CRLF sequences in urllib module (CVE-2019-9740)
* improper neutralization of CRLF sequences in urllib module (CVE-2019-9947)
* undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)
* regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
* email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056)
* XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935)
* CRLF injection via the host part of the url passed to urlopen() (CVE-2019-18348)
* wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS (CVE-2020-8492)
* DoS via inefficiency in IPv{4,6}Interface classes (CVE-2020-14422)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/python3.5_3.5.3-1+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/python3.5_3.5.3-1+deb9u2.dsc 
@@ -1,3 +1,80 @@ +3.5.3-1+deb9u2 [Thu, 09 Jul 2020 15:00:10 +0200] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2018-20406: Modules/_pickle.c has an integer overflow via a large + LONG_BINPUT value that is mishandled during a "resize to twice the + size" attempt. This issue might cause memory exhaustion, but is only + relevant if the pickle format is used for serializing tens or hundreds + of gigabytes of data. + * CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in + Lib/http/cookiejar.py does not correctly validate the domain: it can + be tricked into sending existing cookies to the wrong server. An + attacker may abuse this flaw by using a server with a hostname that + has another valid hostname as a suffix (e.g., pythonicexample.com to + steal cookies for example.com). When a program uses + http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an + attacker-controlled server, existing cookies can be leaked to the + attacker. + * Update test_ssl.py with newer certificate and openssl version handling + * CVE-2019-5010: an exploitable denial-of-service vulnerability exists + in the X509 certificate parser. A specially crafted X509 certificate + can cause a NULL pointer dereference, resulting in a denial of + service. An attacker can initiate or accept TLS connections using + crafted certificates to trigger this vulnerability. + * CVE-2019-9636: Improper Handling of Unicode Encoding (with an + incorrect netloc) during NFKC normalization. The impact is: + Information disclosure (credentials, cookies, etc. that are cached + against a given hostname). The components are: urllib.parse.urlsplit, + urllib.parse.urlparse. The attack vector is: A specially crafted URL + could be incorrectly parsed to locate cookies or authentication data + and send that information to a different host than when parsed + correctly. 
+ * Fix functional regression introduced by CVE-2019-9636 fix, which in + turn introduces CVE-2019-10160 + * CVE-2019-10160: a security regression was discovered in python, which + still allows an attacker to exploit CVE-2019-9636 by abusing the user + and password parts of a URL. When an application parses user-supplied + URLs to store cookies, authentication credentials, or other kind of + information, it is possible for an attacker to provide specially + crafted URLs to make the application locate host-related information + (e.g. cookies, authentication data) and send them to a different host + than where it should, unlike if the URLs had been correctly + parsed. The result of an attack may vary based on the application. + * CVE-2019-9740: an issue was discovered in urllib2. CRLF injection is + possible if the attacker controls a url parameter, as demonstrated by + the first argument to urllib.request.urlopen with \r\n (specifically + in the query string after a ? character) followed by an HTTP header or + a Redis command. + * CVE-2019-9947: an issue was discovered in urllib2. CRLF injection is + possible if the attacker controls a url parameter, as demonstrated by + the first argument to urllib.request.urlopen with \r\n (specifically + in the path component of a URL that lacks a ? character) followed by + an HTTP header or a Redis command. This is similar to the + CVE-2019-9740 query string issue. + * CVE-2019-18348: an issue was discovered in urllib2. CRLF injection is + possible if the attacker controls a url parameter, as demonstrated by + the first argument to urllib.request.urlopen with \r\n (specifically + in the host component of a URL) followed by an HTTP header. 
This is + similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 + path string issue + * CVE-2019-9948: urllib supports the local_file: scheme, which makes it + easier for remote attackers to bypass protection mechanisms that + blacklist file: URIs, as demonstrated by triggering a + urllib.urlopen('local_file:///etc/passwd') call. + * CVE-2019-16935: The documentation XML-RPC server has XSS via the + server_title field. This occurs in Lib/xmlrpc/server.py. If + set_server_title is called with untrusted input, arbitrary JavaScript + can be delivered to clients that visit the http URL for this server. + * CVE-2019-16056: the email module wrongly parses email addresses that + contain multiple @ characters. An application that uses the email + module and implements some kind of checks on the From/To headers of a + message could be tricked into accepting an email address that should + be denied. An attack may be the same as in CVE-2019-11340; however, + this CVE applies to Python more generally. + * CVE-2020-8492: Python allows an HTTP server to conduct Regular + Expression Denial of Service (ReDoS) attacks against a client because + of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. + 3.5.3-1+deb9u1 [Thu, 27 Sep 2018 19:25:39 +0200] Moritz Mühlenhoff <jmm@debian.org>: * CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 <http://10.200.17.11/4.4-5/#6646714487350710605>
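Review bot: the new 3.5.3-1+deb9u2 changelog entry in this hunk does not list CVE-2020-14422 (the IPv4Interface/IPv6Interface hashing DoS), although the bug summary above names it among the issues this update addresses. Either the changelog entry is incomplete or the fix is not actually part of this upload; please confirm which before the erratum is announced, and if it is included add a line alongside the other CVE bullets, e.g. "* CVE-2020-14422: DoS via inefficiency in IPv{4,6}Interface classes".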
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 1ac6e2ea07 Bug #51715: python3.5 3.5.3-1+deb9u2
 doc/errata/staging/python3.5.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

[4.4-5] 2aad90b2f3 Bug #51715: python3.5 3.5.3-1+deb9u2
 doc/errata/staging/python3.5.yaml | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x671>