{"id":"MGASA-2019-0318","summary":"Updated python packages fix security vulnerabilities","details":"Updated python and python3 packages fix security vulnerabilities:\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib\nin Python 3.x through 3.7.2. CRLF injection is possible if the attacker\ncontrols a url parameter, as demonstrated by the first argument to\nurllib.request.urlopen with \\r\\n followed by an HTTP header or a Redis\ncommand (CVE-2019-9740).\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib\nin Python 3.x through 3.7.2. CRLF injection is possible if the attacker\ncontrols a url parameter, as demonstrated by the first argument to\nurllib.request.urlopen with \\r\\n (specifically in the path component of a\nURL) followed by an HTTP header or a Redis command. This is similar to\nCVE-2019-9740 query string issue (CVE-2019-9947).\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which\nmakes it easier for remote attackers to bypass protection mechanisms that\nblacklist file: URIs, as demonstrated by triggering a \nurllib.urlopen('local_file:///etc/passwd') call (CVE-2019-9948).\n\nA security regression of CVE-2019-9636 was discovered in python, which\nstill allows an attacker to exploit CVE-2019-9636 by abusing the user and\npassword parts of a URL. When an application parses user-supplied URLs to\nstore cookies, authentication credentials, or other kind of information,\nit is possible for an attacker to provide specially crafted URLs to make\nthe application locate host-related information (e.g. cookies,\nauthentication data) and send them to a different host than where it\nshould, unlike if the URLs had been correctly parsed. The result of an\nattack may vary based on the application (CVE-2019-10160).\n\nIt was discovered that Python incorrectly parsed certain email addresses.\nA remote attacker could possibly use this issue to trick Python\napplications into accepting email addresses that should be denied\n(CVE-2019-16056).\n\nIt was discovered that the Python documentation XML-RPC server incorrectly\nhandled certain fields. A remote attacker could use this issue to execute\na cross-site scripting (XSS) attack (CVE-2019-16935).\n","modified":"2026-04-16T04:42:06.850761986Z","published":"2019-11-07T23:36:48Z","upstream":["CVE-2019-10160","CVE-2019-16056","CVE-2019-16935","CVE-2019-9740","CVE-2019-9947","CVE-2019-9948"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0318.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25641"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:1587"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:2030"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3520"},{"type":"WEB","url":"https://usn.ubuntu.com/4151-1/"}],"affected":[{"package":{"name":"python","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/python?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.17-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0318.json"}},{"package":{"name":"python3","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.7.5-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0318.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}