Bug 1688169 (CVE-2019-9740)

Summary: CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abergmann, aurelien, bkabrda, carl, cstratak, dmalcolm, hhorak, hvyas, infra-sig, jeremy, jorton, kevin, mcyprian, meissner, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, TicoTimo, tomspur, torsava
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-10 10:50:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1704369, 1688170, 1688657, 1692983, 1692984, 1703458, 1704362, 1704364, 1704365, 1704366, 1704367, 1704368, 1704370, 1704371, 1704372, 1706849, 1706850, 1706851, 1706852, 1706853, 1706854, 1706855, 1709391, 1709407, 1802736, 1802737, 1802738, 1802739, 1802740, 1802741
Bug Blocks: 1688174

Description Dhananjay Arunesh 2019-03-13 10:20:06 UTC
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.

Reference:
https://bugs.python.org/issue36276
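The following is an added example, not part of the bug report or of CPython. It shows the two defensive checks a practitioner wants around this flaw: a pre-flight scan for the characters the upstream fix (bpo-30458) rejects, and a confirmation that the installed http.client refuses such a request target before it opens a socket. The regex is an assumption that mirrors the upstream rule; "example.invalid" is a reserved, non-resolving host name.

```python
"""Defensive checks for CRLF-in-URL (CVE-2019-9740); added example, not CPython code."""
import http.client
import re
import urllib.parse

# Assumption: the fixed http.client rejects any ASCII control character, space
# or DEL in the request target. This pattern reproduces that rule locally.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def find_disallowed_chars(target):
    """Return the offsets of characters that could break a request target
    out of the HTTP request line (CR, LF, other controls, space, DEL)."""
    return [m.start() for m in _DISALLOWED.finditer(target)]


def is_safe_request_target(target):
    """True when the target contains nothing the fixed client would reject."""
    return not find_disallowed_chars(target)


def safe_query_url(base, params):
    """Build a URL whose query values are percent-encoded, so attacker-controlled
    values reach the server as data rather than as extra header lines."""
    return base + "?" + urllib.parse.urlencode(params)


def patched_client_rejects(target):
    """True if this interpreter's http.client raises InvalidURL for the target.

    HTTPConnection.putrequest validates the target before connect() is ever
    called, so this never touches the network.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", target)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed sample: a query value carrying a bare CR LF pair.
    tainted = "/search?q=a\r\nX-Injected: y"
    print("offsets of disallowed chars:", find_disallowed_chars(tainted))
    print("encoded safely as:", safe_query_url("http://example.invalid/search", {"q": "a\r\nX-Injected: y"}))
    print("installed http.client rejects it:", patched_client_rejects(tainted))
```

On an unfixed interpreter (Python 2.x through 2.7.16, 3.x through 3.7.2 as listed in the description) `patched_client_rejects` returns False, which makes it a quick way to confirm whether a host has the fix.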

Comment 1 Dhananjay Arunesh 2019-03-13 10:20:35 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1688170]

Comment 2 Hardik Vyas 2019-03-14 07:38:07 UTC
[Deleted]

Comment 7 Riccardo Schirone 2019-04-05 15:19:45 UTC
> Reference:
> https://bugs.python.org/issue36276

This has been marked as duplicate of https://bugs.python.org/issue30458

Comment 10 Hardik Vyas 2019-04-26 14:01:09 UTC
Statement:

This issue affects:
* All current versions of Red Hat OpenStack Platform. However, version 8 is due to retire on the 20th of April 2019, and there are no more planned releases prior to this date.

Comment 15 Riccardo Schirone 2019-05-06 11:57:43 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1706851]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1706855]
Affects: fedora-all [bug 1706852]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1706853]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1706854]
Affects: fedora-29 [bug 1706850]


Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1706849]

Comment 16 Riccardo Schirone 2019-05-06 12:00:11 UTC
Upstream patch PR (merged upstream):
https://github.com/python/cpython/pull/12755

Comment 18 errata-xmlrpc 2019-05-22 12:01:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260

Comment 19 Riccardo Schirone 2019-07-05 07:50:52 UTC
This flaw is about CRLF sequences that are not properly handled in the Python built-in modules urllib/urllib2, in the *query* part of the url parameter of the urlopen() function.

Comment 21 errata-xmlrpc 2019-08-06 12:04:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2030 https://access.redhat.com/errata/RHSA-2019:2030

Comment 23 errata-xmlrpc 2019-11-05 20:37:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335

Comment 24 errata-xmlrpc 2019-11-05 21:06:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520

Comment 25 errata-xmlrpc 2019-11-06 09:45:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725

Comment 27 errata-xmlrpc 2020-04-01 08:34:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1268 https://access.redhat.com/errata/RHSA-2020:1268

Comment 28 errata-xmlrpc 2020-04-07 09:33:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions

Via RHSA-2020:1346 https://access.redhat.com/errata/RHSA-2020:1346

Comment 29 errata-xmlrpc 2020-04-14 17:39:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1462 https://access.redhat.com/errata/RHSA-2020:1462