[SECURITY] [DLA 2628-1] python2.7 security update

2021-04-17 Thread Anton Gladky

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2628-1                 debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
April 17, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: python2.7
Version: 2.7.13-2+deb9u5
CVE ID : CVE-2019-16935 CVE-2021-23336

Two security issues have been discovered in python2.7:

CVE-2019-16935

The documentation XML-RPC server in Python 2.7 has XSS via the server_title
field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
untrusted input, arbitrary JavaScript can be delivered to clients that
visit the http URL for this server.

CVE-2021-23336

Python 2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
and urllib.parse.parse_qs by using a vector called parameter cloaking. When
the attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not
include it in a cache key of an unkeyed parameter.

**Attention, API-change!**
Please be sure your software is working properly if it uses
`urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse` or
`cgi.parse_multipart`.

Earlier Python versions allowed using both ``;`` and ``&`` as query parameter
separators in `urllib.parse.parse_qs` and `urllib.parse.parse_qsl`.
Due to security concerns, and to conform with
newer W3C recommendations, this has been changed to allow only a single
separator key, with ``&`` as the default.  This change also affects
`cgi.parse` and `cgi.parse_multipart` as they use the affected
functions internally. For more details, please see their respective
documentation.


For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u5.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

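How the parameter-cloaking mismatch behind CVE-2021-23336 arises, as an added example that is not part of the advisory or of CPython: a small model of a proxy that splits the query string only on `&` against a backend that, like pre-fix Python 2.7, also honoured `;`, plus a check an operator can run at the edge to flag requests the two sides would read differently. The parser, the `keyed` parameter list and the sample query strings are constructed for illustration, not the stdlib implementation.

```python
"""Model of the CVE-2021-23336 separator mismatch (constructed example)."""
from urllib.parse import unquote_plus


def parse_query(qs, separators="&"):
    """Split a query string into a dict of name -> [values].

    separators="&"  models the fixed behaviour (and what most caching
                    proxies do when building a cache key);
    separators="&;" models pre-fix Python 2.7 parse_qs/parse_qsl, which
                    treated ';' as a second separator.
    """
    pairs = [qs]
    for sep in separators:
        pairs = [p for chunk in pairs for p in chunk.split(sep)]
    result = {}
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def cloaked_parameters(qs, keyed=("q",)):
    """Return the names the legacy backend would see that the proxy's
    '&'-split view either lacks or assigns a different value to.

    `keyed` is the (constructed) set of parameters the proxy includes in
    its cache key; everything else is unkeyed. A non-empty result means a
    response computed from the backend's view could be cached under a key
    that looks harmless to the proxy, so such requests should be rejected
    or normalised at the edge until the backend only splits on '&'.
    """
    proxy_view = parse_query(qs, "&")
    backend_view = parse_query(qs, "&;")
    hidden = set()
    for name, values in backend_view.items():
        if name in keyed and proxy_view.get(name) != values:
            hidden.add(name)  # keyed parameter gets an extra/different value
        elif name not in proxy_view:
            hidden.add(name)  # parameter entirely invisible to the proxy
    return sorted(hidden)


if __name__ == "__main__":
    sample = "q=1&utm_content=x;q=evil"  # constructed request
    print("proxy sees  :", parse_query(sample, "&"))
    print("backend sees:", parse_query(sample, "&;"))
    print("cloaked     :", cloaked_parameters(sample))
```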


Re: Match ecosystems with limited support in debian-security-support

2021-04-17 Thread Holger Levsen
On Sat, Apr 17, 2021 at 05:42:11PM +0200, Sylvain Beucler wrote:
> What approach would you suggest to make users aware that such packages do
> not have security support, through default 'check-security-support'?
 
that's a tricky question, I'll pass for now... 

however I want to respond to the other part of the mail:

> stretch however doesn't report the 3 packages I mentioned in my initial
> mail. Should we fix it now?

because the packages are not listed in sec-support.ended9? if so, sure, 
please add them, first to the master branch and then cherry pick those
into the stretch branch. (and probably buster too). 


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄




Re: FTBFS on i386

2021-04-17 Thread Anton Gladky
Thank you all for the very quick response and help!
It is built now successfully!

Have a nice weekend.

Anton



On Sat, 17 Apr 2021 at 18:53, Utkarsh Gupta wrote:

> Hi Salvatore,
>
> On Sat, Apr 17, 2021 at 10:19 PM Salvatore Bonaccorso wrote:
> > > I have given it back to try a rebuild.
> > Should be built now.
>
> Awesome, thanks a bunch for your help!
>
>
> - u
>
>


Re: FTBFS on i386

2021-04-17 Thread Utkarsh Gupta
Hi Salvatore,

On Sat, Apr 17, 2021 at 10:19 PM Salvatore Bonaccorso  wrote:
> > I have given it back to try a rebuild.
> Should be built now.

Awesome, thanks a bunch for your help!


- u



Re: FTBFS on i386

2021-04-17 Thread Salvatore Bonaccorso
Hi,

On Sat, Apr 17, 2021 at 05:11:27PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote:
> > Hi Security team,
> > 
> > On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky  wrote:
> > > I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
> > > two CVEs.
> > >
> > > Unfortunately it fails on i386 due to timeout during the network
> > > test. I believe that one more try should fix the problem, because
> > > most of the other archs are already green.
> > >
> > > But in the security suite the givebacks from usual users do not work.
> > > Do you have tips on how I can trigger the recompilation of the package
> > > without doing a new source upload?
> > 
> > Do you think you can help Anton here by giving back the upload on i386?
> 
> I have given it back to try a rebuild.

Should be built now.

Regards,
Salvatore



Re: Match ecosystems with limited support in debian-security-support

2021-04-17 Thread Sylvain Beucler

Hi,

On 17/04/2021 14:44, Holger Levsen wrote:
> On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote:
> > > These source package sets come to mind:
> > > - node-*
> > That would be super-noisy and will potentially clash with a lot of local
> > package state. It won't hurt to patch debian-security-support to support
> > such globbing, but let's not include that into the default data sets.
>
> right. or let's at least first see how this plays out in practice before
> putting it into a stable release...

What approach would you suggest to make users aware that such packages
do not have security support, through default 'check-security-support'?

e.g. exhaustive list of packages, separate output section, ...?

Note: even people in the LTS team weren't aware of support limitations
for node* and golang*, so my guess is that most users don't know either.

> > But I think these should be made for after release, they are not in line
> > with the freeze policy.
>
> yes, agreed.

On the version check:

bullseye's list is empty, and buster's only has 1 entry, so no rush on
that front.

stretch however doesn't report the 3 packages I mentioned in my initial
mail. Should we fix it now?


Cheers!
Sylvain



Re: FTBFS on i386

2021-04-17 Thread Salvatore Bonaccorso
Hi,

On Sat, Apr 17, 2021 at 08:30:51PM +0530, Utkarsh Gupta wrote:
> Hi Security team,
> 
> On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky  wrote:
> > I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
> > two CVEs.
> >
> > Unfortunately it fails on i386 due to timeout during the network
> > test. I believe that one more try should fix the problem, because
> > most of the other archs are already green.
> >
> > But in the security suite the givebacks from usual users do not work.
> > Do you have tips on how I can trigger the recompilation of the package
> > without doing a new source upload?
> 
> Do you think you can help Anton here by giving back the upload on i386?

I have given it back to try a rebuild.

Regards,
Salvatore



Re: FTBFS on i386

2021-04-17 Thread Utkarsh Gupta
Hi Security team,

On Sat, Apr 17, 2021 at 6:29 PM Anton Gladky  wrote:
> I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
> two CVEs.
>
> Unfortunately it fails on i386 due to timeout during the network
> test. I believe that one more try should fix the problem, because
> most of the other archs are already green.
>
> But in the security suite the givebacks from usual users do not work.
> Do you have tips on how I can trigger the recompilation of the package
> without doing a new source upload?

Do you think you can help Anton here by giving back the upload on i386?


- u



Re: FTBFS on i386

2021-04-17 Thread Sylvain Beucler

Hi Anton,

On 17/04/2021 14:58, Anton Gladky wrote:
> Dear LTS team,
>
> I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
> two CVEs.
>
> Unfortunately it fails on i386 due to timeout during the network
> test. I believe that one more try should fix the problem, because
> most of the other archs are already green.
>
> But in the security suite the givebacks from usual users do not work.
> Do you have tips on how I can trigger the recompilation of the package
> without doing a new source upload?


AFAIK you need to request a rebuild to debian-wb-t...@lists.debian.org.

Here's my last request for example:
https://lists.debian.org/debian-lts/2020/08/msg00038.html

(Though in that particular case it turned out I could have made a second 
upload with a build fix from buster, maybe that's worth checking for 
python2.7 too.)


Cheers!
Sylvain



FTBFS on i386

2021-04-17 Thread Anton Gladky
Dear LTS team,

I prepared and uploaded python2.7_2.7.13-2+deb9u5, fixing
two CVEs.

Unfortunately it fails on i386 due to timeout during the network
test. I believe that one more try should fix the problem, because
most of the other archs are already green.

But in the security suite the givebacks from usual users do not work.
Do you have tips on how I can trigger the recompilation of the package
without doing a new source upload?

Thank you

Anton


Re: Match ecosystems with limited support in debian-security-support

2021-04-17 Thread Holger Levsen
Hi Moritz,

thanks for the review!

On Fri, Apr 16, 2021 at 03:47:49PM +0200, Moritz Mühlenhoff wrote:
> > These source package sets come to mind:
> > - node-*
> That would be super-noisy and will potentially clash with a lot of local
> package state. It won't hurt to patch debian-security-support to support
> such globbing, but let's not include that into the default data sets.

right. or let's at least first see how this plays out in practice before 
putting it into a stable release...
 
> > The current code considers higher versions as supported, but as discussed in
> > the BTS there doesn't seem to be a valid use case for this, so I just
> > dropped the version-based check (and adapted the test suite).
> Haven't looked at the code, but agreed on dropping the version check, for
> a given distro a source package should be tracked as unsupported independent
> of the version.

yes.
 
> But I think these should be made for after release, they are not in line
> with the freeze policy.

yes, agreed.


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

After how many isolated cases does an isolated case become the normal case?
(Jan Böhmermann)




Accepted python2.7 2.7.13-2+deb9u5 (source) into oldstable

2021-04-17 Thread Debian FTP Masters

Format: 1.8
Date: Fri, 16 Apr 2021 16:02:03 +0200
Source: python2.7
Architecture: source
Version: 2.7.13-2+deb9u5
Distribution: stretch-security
Urgency: medium
Maintainer: Matthias Klose 
Changed-By: Anton Gladky 
Changes:
 python2.7 (2.7.13-2+deb9u5) stretch-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Update keycert.pem to fix corresponding tests.
   * Disable some failing tests (see debian/TODO).
   * CVE-2021-23336: only use '&' as a query string separator.
   * CVE-2019-16935: Escape the server title of DocXMLRPCServer.
   * Add debian/.gitlab-ci.yml.
