[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

[Launchpad Bug Tracker]

This bug was fixed in the package python2.7 - 2.7.15-4ubuntu4~18.04.1

---------------
python2.7 (2.7.15-4ubuntu4~18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie domain check
    - debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
      subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
    - CVE-2018-20852
  * SECURITY UPDATE: NULL pointer dereference via X509 certificate
    - debian/patches/CVE-2019-5010.patch: fix segfault in ssl cert parser
      in Lib/test/talos-2019-0758.pem, Lib/test/test_ssl.py,
      Modules/_ssl.c.
    - CVE-2019-5010
  * SECURITY UPDATE: improper handling of unicode encoding
    - debian/patches/CVE-2019-9636-1.patch: add check for characters in
      netloc that normalize to separators in Doc/library/urlparse.rst,
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-9636-2.patch: only print test messages when
      verbose in Lib/test/test_urlparse.py.
    - CVE-2019-9636
  * SECURITY UPDATE: HTTP header injection
    - debian/patches/CVE-2019-9740.patch: disallow control chars in http
      URLs in Lib/httplib.py, Lib/test/test_urllib.py,
      Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
    - CVE-2019-9740
    - CVE-2019-9947
  * SECURITY UPDATE: urllib support the local_file: scheme
    - debian/patches/CVE-2019-9948.patch: disallow file reading in
      Lib/urllib.py, Lib/test/test_urllib.py.
    - CVE-2019-9948
  * SECURITY UPDATE: incomplete fix for CVE-2019-9636
    - debian/patches/CVE-2019-10160-1.patch: fix handling of
      pre-normalization characters in urlsplit() in
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-2.patch: correct fix to handle
      decomposition in usernames in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
      message for Unicode URL in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - CVE-2019-10160
  * debian/patches/issue9146.diff: fix FIPS mode environments where MD5
    isn't available in Modules/_hashopenssl.c. (LP: #1835135)

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Tue, 09 Jul 2019
12:51:35 -0400

** Changed in: python2.7 (Ubuntu Bionic)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20852

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10160

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5010

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9636

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9740

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9947

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9948

** Changed in: python2.7 (Ubuntu Disco)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs