A python2.7 security update has been released for Debian GNU/Linux 9 LTS to address an issue where a crafted tar file could result in an infinite loop due to missing header validation.
DLA 2337-1: python2.7 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2337-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
August 22, 2020 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python2.7
Version : 2.7.13-2+deb9u4
CVE ID : CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740
CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056
CVE-2019-20907
Multiple vulnerabilities were discovered in Python2.7, an interactive
high-level object-oriented language.
CVE-2018-20852
By using a malicious server an attacker might steal cookies that are
meant for other domains.
CVE-2019-5010
NULL pointer dereference using a specially crafted X509 certificate.
CVE-2019-9636
Improper Handling of Unicode Encoding (with an incorrect netloc)
during NFKC normalization resulting in information disclosure
(credentials, cookies, etc. that are cached against a given
hostname). A specially crafted URL could be incorrectly parsed to
locate cookies or authentication data and send that information to
a different host than when parsed correctly.
CVE-2019-9740
An issue was discovered in urllib2 where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the query string after a ? character) followed by an HTTP header or
a Redis command.
CVE-2019-9947
An issue was discovered in urllib2 where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the path component of a URL that lacks a ? character) followed by an
HTTP header or a Redis command. This is similar to the CVE-2019-9740
query string issue.
CVE-2019-9948
urllib supports the local_file: scheme, which makes it easier for
remote attackers to bypass protection mechanisms that blacklist
file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-10160
A security regression of CVE-2019-9636 was discovered which still
allows an attacker to exploit CVE-2019-9636 by abusing the user and
password parts of a URL. When an application parses user-supplied
URLs to store cookies, authentication credentials, or other kind of
information, it is possible for an attacker to provide specially
crafted URLs to make the application locate host-related information
(e.g. cookies, authentication data) and send them to a different
host than where it should, unlike if the URLs had been correctly
parsed. The result of an attack may vary based on the application.
CVE-2019-16056
The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.
CVE-2019-20907
Opening a crafted tar file could result in an infinite loop due to
missing header validation.
For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u4.
We recommend that you upgrade your python2.7 packages.
For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
