This bug was fixed in the package python2.7 - 2.7.16-2ubuntu0.1
---------------
python2.7 (2.7.16-2ubuntu0.1) disco-security; urgency=medium
* SECURITY UPDATE: incorrect cookie domain check
- debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
- CVE-2018-20852
* SECURITY UPDATE: HTTP header injection
- debian/patches/CVE-2019-9740.patch: disallow control chars in http
URLs in Lib/httplib.py, Lib/test/test_urllib.py,
Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
- CVE-2019-9740
- CVE-2019-9947
* SECURITY UPDATE: incomplete fix for CVE-2019-9636
- debian/patches/CVE-2019-10160-1.patch: fix handling of
pre-normalization characters in urlsplit() in
Lib/test/test_urlparse.py, Lib/urlparse.py.
- debian/patches/CVE-2019-10160-2.patch: correct fix to handle
decomposition in usernames in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
message for Unicode URL in Lib/test/test_urlparse.py,
Lib/urlparse.py.
- CVE-2019-10160
* debian/patches/issue36216-2.diff: only print test messages when verbose
in Lib/test/test_urlparse.py.
* debian/patches/issue9146.diff: fix FIPS mode environments where MD5
isn't available in Modules/_hashopenssl.c. (LP: #1835135)
-- Marc Deslauriers <[email protected]> Tue, 09 Jul 2019
12:43:02 -0400
** Changed in: python3.5 (Ubuntu Xenial)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20406
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835135
Title:
FIPS OpenSSL crashes Python2 hashlib
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
