Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2337-1 python2.7

Debian Security Advisory

DLA-2337-1 python2.7 -- LTS security update

Date Reported:

22 Aug 2020

Affected Packages:

python2.7

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-20852, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740, CVE-2019-9947, CVE-2019-9948, CVE-2019-10160, CVE-2019-16056, CVE-2019-20907.

More information:

Multiple vulnerabilities were discovered in Python2.7, an interactive high-level object-oriented language.

• CVE-2018-20852

  By using a malicious server an attacker might steal cookies that are meant for other domains.

• CVE-2019-5010

  NULL pointer dereference using a specially crafted X509 certificate.

• CVE-2019-9636

  Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization resulting in information disclosure (credentials, cookies, etc. that are cached against a given hostname). A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

• CVE-2019-9740

  An issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.

• CVE-2019-9947

  An issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.

• CVE-2019-9948

  urllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

• CVE-2019-10160

  A security regression of CVE-2019-9636 was discovered which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

• CVE-2019-16056

  The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.

• CVE-2019-20907

  Opening a crafted tar file could result in an infinite loop due to missing header validation.

  For Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u4.

  We recommend that you upgrade your python2.7 packages.

  For the detailed security status of python2.7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python2.7

  Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS