Arch Linux 811 Published by

Updated python2 packages has been released for Arch Linux to address an information disclosure improper Handling of Unicode Encoding during NFKC normalization.





Arch Linux Security Advisory ASA-201911-4
========================================

Severity: High
Date : 2019-11-03
CVE-ID : CVE-2019-9636
Package : python2
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-978

Summary
======

The package python2 before version 2.7.17-1 is vulnerable to information disclosure.

Resolution
=========

Upgrade to 2.7.17-1.

# pacman -Syu "python2>=2.7.17-1"

The problem has been fixed upstream in version 2.7.17.

Workaround
=========

None.

Description
==========

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. A specially crafted URL could be incorrectly parsed by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or authentication data and send that information to a different host than when parsed correctly.

Impact
=====
A remote attacker is able to craft a malicious URL and transfer private data to a different host than expected.

References
=========

https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.htmlhttps://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
https://security.archlinux.org/CVE-2019-9636