Bug 1727276 (CVE-2019-18348)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen() | | |
| Product | [Other] Security Response | Reporter | Riccardo Schirone <rschiron> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | adev88, carl, cstratak, dmalcolm, extras-orphan, hhorak, jeffrey.ness, jorton, kevin, m.cyprian, mhroncok, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, TicoTimo, tomspur, torsava, vstinner |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to the urlopen() method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-10-19 20:21:12 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1765139, 1765138, 1765140, 1765141, 1765142, 1765143, 1765144, 1765145, 1765146, 1765147, 1765148, 1765149, 1765150, 1765151, 1765152, 1765153, 1882670 | | |
| Bug Blocks | 1727267 | | |
Description

Riccardo Schirone
2019-07-05 10:22:43 UTC

I have created a new and separate issue upstream to keep track of this CVE. https://bugs.python.org/issue38576

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1765145]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1765146]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1765138]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1765139]
Affects: fedora-all [bug 1765140]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1765141]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1765142]
Affects: fedora-all [bug 1765143]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1765144]

This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires the getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.

The new Python issue is https://bugs.python.org/issue38576

FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository. If the problem still persists, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18348

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273

Statement: This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 7.7 and above because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable. This issue does not affect the versions of python and python3 as shipped with Red Hat Enterprise Linux 8 because glibc is not vulnerable to CVE-2016-10739, making this bug not exploitable.
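The Doc Text above describes the flaw (CR/LF reaching the request through the host part of a URL) and the comments explain that exploitation also depends on glibc's getaddrinfo() accepting such a hostname. An application that takes URLs from untrusted input can add its own layer that depends on neither fix: validate the host before the URL ever reaches urlopen() or HTTPConnection. The following is an added example written for this page; it is not the upstream Python patch nor any Red Hat code, and the function names (`check_url`, `is_safe_url`, `UnsafeURL`) and the sample URLs are constructed for illustration. Note that recent releases of `urllib.parse` strip tab, CR and LF from a URL before splitting it, so the raw string is checked for those bytes first; otherwise a check on the parsed netloc alone would never see them.

```python
"""Application-level pre-check for URLs handed to urllib's urlopen()/HTTPConnection.

Rejects URLs whose host (netloc) carries CR, LF or any other ASCII control or
whitespace character, so that no CRLF sequence can end up in the request line
or Host header regardless of which interpreter or glibc version is underneath.
Example code written for this bug page; not the upstream fix.
"""
import re
from urllib.parse import SplitResult, urlsplit

# CR and LF are never legitimate anywhere in a URL. They are checked on the raw
# string because newer urllib.parse versions silently strip "\t", "\r" and "\n"
# before parsing, which would hide them from a check on the parsed parts.
_RAW_NEWLINES = re.compile(r"[\r\n]")

# Characters that must never appear in a host: ASCII controls (0x00-0x1f),
# space (0x20) and DEL (0x7f). Constructed for this example.
_DISALLOWED_IN_HOST = re.compile(r"[\x00-\x20\x7f]")

ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeURL(ValueError):
    """Raised when a URL fails the pre-check (hypothetical exception type)."""


def check_url(url: str) -> SplitResult:
    """Return the parsed URL if it is safe to hand to urlopen(), else raise UnsafeURL."""
    if not isinstance(url, str):
        raise UnsafeURL("url must be a str")
    if _RAW_NEWLINES.search(url):
        raise UnsafeURL("CR or LF present in URL")
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. an unterminated IPv6 literal
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise UnsafeURL("missing host")
    if _DISALLOWED_IN_HOST.search(parts.netloc):
        raise UnsafeURL("control or whitespace character in host")
    if parts.hostname is None:
        raise UnsafeURL("empty host")
    return parts


def is_safe_url(url: str) -> bool:
    """Boolean form of check_url() for callers that only need accept/reject."""
    try:
        check_url(url)
    except UnsafeURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL, one with a CRLF in the host,
    # one with a space in the host, one with a disallowed scheme.
    samples = [
        "https://example.com/path?q=1",
        "http://example.com\r\nInjected: 1/",
        "http://exam ple.com/",
        "ftp://example.com/",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {'accept' if is_safe_url(sample) else 'reject'}")
```

The check is deliberately placed in front of the library call rather than relying on http.client or getaddrinfo() to refuse the hostname, so it holds on interpreters that predate the upstream fix and on systems whose glibc still accepts control characters in a name. It only accepts http and https; widen `ALLOWED_SCHEMES` if the application legitimately needs others.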