Your message dated Sat, 06 Apr 2019 02:54:10 +0000
with message-id <[email protected]>
and subject line Bug#924073: fixed in python2.7 2.7.16-2
has caused the Debian Bug report #924073,
regarding python2.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924073: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924073
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python3.7
Version: 3.7.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugs.python.org/issue36216
Control: clone -1 -2
Control: found -1 3.7.2-2
Control: reassign -2 src:python2.7 2.7.16-1
Control: retitle -2 python2.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
Control: found -2 2.7.16~rc1-1
Control: found -2 2.7.13-2+deb9u3
Control: found -2 2.7.13-2
Hi,
The following vulnerability was published for python3.7.
CVE-2019-9636[0]:
| Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
| Improper Handling of Unicode Encoding (with an incorrect netloc) during
| NFKC normalization. The impact is: Information disclosure (credentials,
| cookies, etc. that are cached against a given hostname). The components
| are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector
| is: A specially crafted URL could be incorrectly parsed to locate
| cookies or authentication data and send that information to a different
| host than when parsed correctly.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
[1] https://bugs.python.org/issue36216
[2] https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x)
[3] https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
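The report above describes the flaw in terms of a netloc that changes shape under NFKC normalization. The following is an added illustration, not code from the bug report or from CPython: a deliberately simplified netloc/hostname extractor (in the style of urlsplit, without IPv6 handling) that shows how the hostname differs before and after normalization, alongside a guard modelled on the upstream fix ("check for characters in netloc that normalize to separators"). The sample URLs are constructed; `example.com` and `evil.example` are placeholders.

```python
import unicodedata

# Characters that delimit parts of a URL; if NFKC normalization creates one
# of these inside the netloc, the host would be read differently downstream.
SEPARATORS = "/?#@:"


def netloc_of(url: str) -> str:
    """Simplified netloc extraction: text after '//' up to the first '/', '?' or '#'."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for c in "/?#":
        i = rest.find(c)
        if i != -1 and i < end:
            end = i
    return rest[:end]


def hostname_of(netloc: str) -> str:
    """Host part of a netloc: drop userinfo before the last '@' and any port (no IPv6)."""
    host = netloc.rpartition("@")[2]
    return host.rsplit(":", 1)[0].lower()


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """True if NFKC normalization of *netloc* introduces a separator that was not there.

    Separators already present ('@' for userinfo, ':' for a port) are legitimate,
    so they are stripped first; only newly created ones are reported."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return False
    stripped = "".join(c for c in netloc if c not in "@:#?")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(c in normalized for c in SEPARATORS)


def hosts_before_and_after(url: str):
    """Hostname as an unguarded parser sees it vs. after NFKC of the whole URL."""
    before = hostname_of(netloc_of(url))
    after = hostname_of(netloc_of(unicodedata.normalize("NFKC", url)))
    return before, after


def checked_netloc(url: str) -> str:
    """Netloc extraction with the CVE-2019-9636 style guard applied."""
    netloc = netloc_of(url)
    if netloc_changes_under_nfkc(netloc):
        raise ValueError("netloc %r contains characters that normalize to a URL separator" % netloc)
    return netloc


# Constructed samples: U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#' under NFKC.
CRAFTED = "https://example.com\uff03@evil.example/login"
BENIGN = "https://user:pw@example.com:8080/path"
```

With the crafted sample, `hosts_before_and_after` returns `("evil.example", "example.com")`, which is exactly the host mismatch the advisory describes; `checked_netloc` rejects it while leaving ASCII userinfo and ports untouched.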
--- Begin Message ---
Source: python2.7
Source-Version: 2.7.16-2
We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 06 Apr 2019 03:42:57 +0200
Source: python2.7
Architecture: source
Version: 2.7.16-2
Distribution: unstable
Urgency: high
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 924073
Changes:
python2.7 (2.7.16-2) unstable; urgency=high
.
[ Matthias Klose ]
* CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
normalize to separators. Closes: #924073.
* CVE-2019-9948. Fix issue #35907: Stop urllib exposing the local_file schema
(file://).
.
[ Dimitri John Ledkov ]
* Bump Build-Dependency and Dependency of libssl-dev and libssl1.1 to
1.1.1 or higher. As TLS1.3 constants leak into the ssl module, one
shouldn't mix and match python2.7 & libssl1.1. LP: #1808476
--- End Message ---