Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202003-26 ] Python: Multiple vulnerabilities
Date: Sun, 15 Mar 2020 15:59:10
Message-Id: 158b4ba2-0301-9f08-4e95-a2cb2c446c75@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Python: Multiple vulnerabilities
Date: March 15, 2020
Bugs: #676700, #680246, #680298, #684838, #689822
ID: 202003-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Python, the worst of which
could result in a Denial of Service condition.

Background
==========

Python is an interpreted, interactive, object-oriented programming
language.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1 dev-lang/python     < 2.7.17:2.7            >= 2.7.17:2.7
                      < 3.5.7:3.5/3.5m        >= 3.5.7:3.5/3.5m
                      < 3.6.9:3.6/3.6m        >= 3.6.9:3.6/3.6m
                      < 3.7.4:3.7/3.7m        >= 3.7.4:3.7/3.7m

Description
===========

Multiple vulnerabilities have been discovered in Python. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly perform a CRLF injection attack,
obtain sensitive information, trick Python into sending cookies to the
wrong domain or cause a Denial of Service condition.

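The CRLF injection named under Impact corresponds to CVE-2019-9740 and
CVE-2019-9947: in the vulnerable releases, urllib and http.client copied the
caller-supplied path and query straight into the HTTP request line, so a
`\r\n` embedded in a URL let whoever controls part of that URL append
headers (or a second request) to what goes on the wire. The example below
is added here and is not part of the advisory or of CPython. It rebuilds
the request line the pre-fix way beside the check the fixed releases
perform (the character class `[\x00-\x20\x7f]` is the one the fix applies
in `http.client.putrequest()`; the constant name is ours), and probes the
running interpreter for that fix without opening a network connection.
`SAMPLE_PATH`, `CLEAN_PATH` and the `X-Injected` header are constructed
for the demonstration.

```python
"""Added example (not from GLSA 202003-26 or CPython): the CRLF injection
class behind CVE-2019-9740 / CVE-2019-9947, and the request-target check
that the fixed Python releases apply in http.client.putrequest()."""
import http.client
import re
from typing import List

# Pre-fix http.client formatted the request line from the caller's URL
# without validating it, so CR/LF in the URL reach the wire verbatim.
def build_request_line_unchecked(method: str, url: str) -> bytes:
    return f"{method} {url} HTTP/1.1\r\n".encode("ascii")

# The fix rejects NUL..SPACE and DEL anywhere in the request target. This
# is the character class the fixed http.client uses; the name is ours.
DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")

def build_request_line_checked(method: str, url: str) -> bytes:
    """Same request line, but refuses control characters as fixed releases do."""
    match = DISALLOWED_URL_CHARS.search(url)
    if match:
        raise http.client.InvalidURL(
            f"URL can't contain control characters. {url!r} "
            f"(found at least {match.group()!r})")
    return build_request_line_unchecked(method, url)

def checked_rejects(url: str) -> bool:
    """True if the hardened builder refuses `url`."""
    try:
        build_request_line_checked("GET", url)
    except http.client.InvalidURL:
        return True
    return False

def injected_headers(wire: bytes) -> List[bytes]:
    """What a server would parse as header lines after the request line."""
    return [line for line in wire.split(b"\r\n")[1:] if line]

# Constructed sample input: a query value that terminates the request line
# and smuggles an extra header. The header name is made up for this example.
SAMPLE_PATH = "/search?q=1 HTTP/1.1\r\nX-Injected: yes"
CLEAN_PATH = "/search?q=1"

def interpreter_rejects_crlf(url: str = SAMPLE_PATH) -> bool:
    """Probe the running interpreter. putrequest() validates and buffers the
    request line before any socket is opened, so this runs offline; a fixed
    Python (e.g. >= 3.7.4 in the 3.7 series) raises InvalidURL here."""
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", url)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False

if __name__ == "__main__":
    wire = build_request_line_unchecked("GET", SAMPLE_PATH)
    print("pre-fix wire bytes:", wire)
    print("server would see extra header(s):", injected_headers(wire))
    print("hardened builder rejects it:", checked_rejects(SAMPLE_PATH))
    print("this interpreter has the fix:", interpreter_rejects_crlf())
```

Note that a bare space is enough to trip the check, so a URL must be
percent-encoded before it is handed to http.client; the fixed releases
raise rather than silently encode, which is why some callers saw new
`InvalidURL` exceptions after upgrading.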
Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Python 2.7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.17:2.7"

All Python 3.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/python-3.5.7:3.5/3.5m"

All Python 3.6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/python-3.6.9:3.6/3.6m"

All Python 3.7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/python-3.7.4:3.7/3.7m"

References
==========

[ 1 ] CVE-2018-20852
      https://nvd.nist.gov/vuln/detail/CVE-2018-20852
[ 2 ] CVE-2019-5010
      https://nvd.nist.gov/vuln/detail/CVE-2019-5010
[ 3 ] CVE-2019-9636
      https://nvd.nist.gov/vuln/detail/CVE-2019-9636
[ 4 ] CVE-2019-9740
      https://nvd.nist.gov/vuln/detail/CVE-2019-9740
[ 5 ] CVE-2019-9947
      https://nvd.nist.gov/vuln/detail/CVE-2019-9947
[ 6 ] CVE-2019-9948
      https://nvd.nist.gov/vuln/detail/CVE-2019-9948

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202003-26

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name        MIME type
signature.asc    application/pgp-signature