Lucene search

DebianDEBIAN:DLA-1835-1:96F0B

HistoryJun 25, 2019 - 3:40 a.m.

[SECURITY] [DLA 1835-1] python3.4 security update

2019-06-2503:40:34

lists.debian.org

180

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

80.8%

JSON

Package : python3.4
Version : 3.4.2-1+deb8u3
CVE ID : CVE-2018-14647 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947
Debian Bug : 921039 924072

Multiple vulnerabilities were discovered in Python, an interactive
high-level object-oriented language, including

CVE-2018-14647

Python&#x27;s elementtree C accelerator failed to initialise Expat&#x27;s hash
salt during initialization. This could make it easy to conduct
denial of service attacks against Expat by constructing an XML
document that would cause pathological hash collisions in Expat&#x27;s
internal data structures, consuming large amounts CPU and RAM.

CVE-2019-9636

Improper Handling of Unicode Encoding (with an incorrect netloc)
during NFKC normalization resulting in information disclosure
(credentials, cookies, etc. that are cached against a given
hostname).  A specially crafted URL could be incorrectly parsed to
locate cookies or authentication data and send that information to
a different host than when parsed correctly.

CVE-2019-9740

An issue was discovered in urllib where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the query string after a ? character) followed by an HTTP header or
a Redis command.

CVE-2019-9947

An issue was discovered in urllib where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the path component of a URL that lacks a ? character) followed by an
HTTP header or a Redis command. This is similar to the CVE-2019-9740
query string issue.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.2-1+deb8u3.

We recommend that you upgrade your python3.4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian9i386python3.5-dbg< 3.5.3-1+deb9u2python3.5-dbg_3.5.3-1+deb9u2_i386.deb
Debian9amd64libpython3.5-dev< 3.5.3-1+deb9u2libpython3.5-dev_3.5.3-1+deb9u2_amd64.deb
Debian9amd64libpython2.7< 2.7.13-2+deb9u4libpython2.7_2.7.13-2+deb9u4_amd64.deb
Debian10mips64elpython3.7-dbg< 3.7.3-2+deb10u1python3.7-dbg_3.7.3-2+deb10u1_mips64el.deb
Debian10i386libpython3.7-stdlib< 3.7.3-2+deb10u1libpython3.7-stdlib_3.7.3-2+deb10u1_i386.deb
Debian9allpython3.5-examples< 3.5.3-1+deb9u2python3.5-examples_3.5.3-1+deb9u2_all.deb
Debian9armellibpython3.5-dev< 3.5.3-1+deb9u2libpython3.5-dev_3.5.3-1+deb9u2_armel.deb
Debian9amd64libpython2.7-dbg< 2.7.13-2+deb9u4libpython2.7-dbg_2.7.13-2+deb9u4_amd64.deb
Debian9armellibpython2.7-stdlib< 2.7.13-2+deb9u4libpython2.7-stdlib_2.7.13-2+deb9u4_armel.deb
Debian9arm64python2.7< 2.7.13-2+deb9u4python2.7_2.7.13-2+deb9u4_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	i386	python3.5-dbg	< 3.5.3-1+deb9u2	python3.5-dbg_3.5.3-1+deb9u2_i386.deb
Debian	9	amd64	libpython3.5-dev	< 3.5.3-1+deb9u2	libpython3.5-dev_3.5.3-1+deb9u2_amd64.deb
Debian	9	amd64	libpython2.7	< 2.7.13-2+deb9u4	libpython2.7_2.7.13-2+deb9u4_amd64.deb
Debian	10	mips64el	python3.7-dbg	< 3.7.3-2+deb10u1	python3.7-dbg_3.7.3-2+deb10u1_mips64el.deb
Debian	10	i386	libpython3.7-stdlib	< 3.7.3-2+deb10u1	libpython3.7-stdlib_3.7.3-2+deb10u1_i386.deb
Debian	9	all	python3.5-examples	< 3.5.3-1+deb9u2	python3.5-examples_3.5.3-1+deb9u2_all.deb
Debian	9	armel	libpython3.5-dev	< 3.5.3-1+deb9u2	libpython3.5-dev_3.5.3-1+deb9u2_armel.deb
Debian	9	amd64	libpython2.7-dbg	< 2.7.13-2+deb9u4	libpython2.7-dbg_2.7.13-2+deb9u4_amd64.deb
Debian	9	armel	libpython2.7-stdlib	< 2.7.13-2+deb9u4	libpython2.7-stdlib_2.7.13-2+deb9u4_armel.deb
Debian	9	arm64	python2.7	< 2.7.13-2+deb9u4	python2.7_2.7.13-2+deb9u4_arm64.deb