Adélie Linux / Adélie Package Tree / Issues / #232
Closed
Created Feb 25, 2020 by Emily@emily🤖

system/python3: multiple vulnerabilities

Bugzilla ID: 232
Alias(es): CVE-2019-18348, CVE-2019-20907, CVE-2019-20916, CVE-2019-9674, CVE-2020-14422, CVE-2020-26116, CVE-2020-27619, CVE-2020-8315, CVE-2020-8492
Reporter: Max Rees (sroracle)
Assignee: Max Rees (sroracle)
Reported: 2020-02-24 22:56:38 -0600
Modified: 2020-12-03 23:22:57 -0600
Status: CONFIRMED
Version: 1.0-RC1
Hardware: Adélie Linux / All
Importance: --- / normal
Package(s): system/python3

Description

CVE-2019-18348: https://nvd.nist.gov/vuln/detail/CVE-2019-18348

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and
urllib in Python 3.x through 3.8.0. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first
argument to urllib.request.urlopen with \r\n (specifically in the host
component of a URL) followed by an HTTP header. This is similar to the
CVE-2019-9740 query string issue and the CVE-2019-9947 path string
issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

CVE-2020-8315: https://nvd.nist.gov/vuln/detail/CVE-2020-8315

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8
through 3.8.1, an insecure dependency load upon launch on Windows 7
may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll
being loaded and used instead of the system's copy. Windows 8 and
later are unaffected.

CVE-2020-8492: https://nvd.nist.gov/vuln/detail/CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
Regular Expression Denial of Service (ReDoS) attacks against a client
because of urllib.request.AbstractBasicAuthHandler catastrophic
backtracking.
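Added example, not part of the issue above and not CPython's own code: a pre-flight check a caller can run on an untrusted URL before handing it to urllib, covering the CRLF-in-host shape described for CVE-2019-18348. The patched interpreters reject control characters in the host and request line inside http.client; this check rejects the same character class (0x00-0x20 and 0x7f) on the raw URL string, so it also protects code running on an unpatched build. The function names, the `INJECTED_URL` sample and the `CLEAN_URL` sample are constructed for this example.

```python
import re
from urllib.request import urlopen

# Same character class that patched CPython http.client refuses in the
# host and request line: C0 controls, space, and DEL. CR and LF are the
# ones that let a URL smuggle an extra header line (CVE-2019-18348).
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def find_control_chars(url):
    """Return a list of (offset, repr(char)) for every disallowed byte in the raw URL.

    The check runs on the raw string rather than on the parsed host because
    newer urllib.parse versions silently strip tabs and newlines, which would
    hide exactly the characters we want to catch.
    """
    return [(m.start(), repr(m.group())) for m in _CONTROL_CHARS.finditer(url)]


def is_url_safe(url):
    """True if the URL carries no control/whitespace characters at all."""
    return not find_control_chars(url)


def check_url(url):
    """Raise ValueError describing the offending characters; return the URL unchanged otherwise."""
    bad = find_control_chars(url)
    if bad:
        raise ValueError("refusing URL with control characters at %r" % (bad,))
    return url


def safe_urlopen(url, timeout=10):
    """urlopen wrapper that refuses to build a request from a URL that fails check_url."""
    return urlopen(check_url(url), timeout=timeout)


# Constructed sample inputs (not taken from the issue). INJECTED_URL places a
# CRLF plus an extra header line inside the host component, the shape the CVE
# text describes; CLEAN_URL is a normal URL with a percent-encoded space.
INJECTED_URL = "http://example.com\r\nX-Injected: 1\r\n/path"
CLEAN_URL = "http://example.com/path?q=a%20b"

if __name__ == "__main__":
    for url in (CLEAN_URL, INJECTED_URL):
        print(repr(url), "->", "ok" if is_url_safe(url) else find_control_chars(url))
```

Percent-encoded characters pass the check by construction, so legitimate query strings are unaffected; only a URL that has not been encoded at all (which urllib would send verbatim) is refused. Run the check at the trust boundary where the URL enters the program, not inside a retry loop after the request has already been built.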
