Bug 2173917 (CVE-2023-24329)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-24329 python: urllib.parse url blocklisting bypass | | |
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | arachman, chmays, cstratak, derrick.roach.ctr, gabriele.gattari, hhorak, jorton, jskacel, lbalhar, lveyde, marat.abrarov, michal.skrivanek, mperina, mvanderw, pibanezr, python-maint, thoger, torsava |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | python 3.11 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Python package. An issue in the urllib.parse component could allow attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This may lead to compromised Integrity. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2174009, 2174010, 2174011, 2174012, 2174013, 2174014, 2174015, 2174016, 2174017, 2174018, 2174019, 2174020, 2174024, 2174025, 2174026, 2174027, 2174028, 2174029, 2174030, 2174031, 2174032, 2174033, 2174034, 2174035, 2174036, 2174037, 2174038, 2174039, 2174040, 2174041, 2174042, 2174043, 2174044, 2174045, 2174046, 2174047, 2174048, 2174049, 2174050, 2174051, 2174052, 2174053, 2174054, 2174055, 2174056, 2174057, 2174058, 2174059, 2174060, 2174061, 2174062, 2174063, 2174064, 2174065, 2174066, 2174067, 2174068, 2174069, 2174070, 2174071, 2174072, 2174073, 2174074, 2174075, 2174076, 2174077, 2174078, 2174079, 2174080, 2174081, 2174082, 2174083, 2174084, 2174085, 2174086, 2174087, 2174088, 2174089, 2174090, 2174091, 2174092, 2174093, 2178009, 2210774, 2210775, 2210776, 2210777, 2210778, 2210779, 2210780, 2210781, 2210782, 2210783, 2210784, 2210785 | | |
| Bug Blocks | 2171900 | | |
Description
Marian Rehak
2023-02-28 12:13:06 UTC
- Created mingw-python3 tracking bugs for this issue: Affects: fedora-all [bug 2174012]
- Created pypy tracking bugs for this issue: Affects: epel-7 [bug 2174017]; Affects: fedora-all [bug 2174018]
- Created pypy3.8 tracking bugs for this issue: Affects: fedora-all [bug 2174019]
- Created pypy3.9 tracking bugs for this issue: Affects: fedora-all [bug 2174020]
- Created python2.7 tracking bugs for this issue: Affects: fedora-all [bug 2174011]
- Created python3.10 tracking bugs for this issue: Affects: fedora-all [bug 2174010]
- Created python3.6 tracking bugs for this issue: Affects: fedora-all [bug 2174013]
- Created python3.7 tracking bugs for this issue: Affects: fedora-all [bug 2174014]
- Created python3.8 tracking bugs for this issue: Affects: fedora-all [bug 2174015]
- Created python3.9 tracking bugs for this issue: Affects: fedora-all [bug 2174016]
- Created python34 tracking bugs for this issue: Affects: epel-all [bug 2174009]

There are still discussions upstream about the issue here: https://github.com/python/cpython/issues/102153

This bug is currently listed as being fixed in 3.11, however the link above (https://github.com/python/cpython/issues/102153) indicates that the alleged fix had zero effect. Can/Should this be updated?

affects RHEL 8.7

I'm sorry it takes so long. There is no easy way out. The problem is very similar to the tarfile CVE (CVE-2007-4559). The behavior of the urlparse and urlsplit functions is documented well and those functions are not intended to validate URLs. Therefore the upstream point of view is that the vulnerability is not in Python but might be in apps using these functions incorrectly. Because the urllib module does not strictly follow any standard or RFC, it's almost impossible to do any backward-incompatible changes there.

We are trying to come up with a plan for how to improve the urllib module in Python in a way that would be future-proof, won't break backward compatibility, will be easily backportable into our systems and components and will be acceptable to upstream. I'm also gonna open a discussion with the product security team about the severity and our point of view.

The fix is available in:

- 3.12 (merged, will be part of the first beta release): https://github.com/python/cpython/commit/2f630e1ce18ad2e07428296532a68b11dc66ad10
- 3.11 (merged, bugfix release 3.11.4 expected in June): https://github.com/python/cpython/commit/610cc0ab1b760b2abaac92bd256b96191c46b941
- 3.10 (merged, security release 3.10.12 without date assigned): https://github.com/python/cpython/commit/f48a96a28012d28ae37a2f4587a780a5eb779946
- 3.9 (WIP): https://github.com/python/cpython/pull/104593

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 6 Extended Lifecycle Support: Via RHSA-2023:3550 https://access.redhat.com/errata/RHSA-2023:3550
- Red Hat Enterprise Linux 7: Via RHSA-2023:3556 https://access.redhat.com/errata/RHSA-2023:3556
- Red Hat Enterprise Linux 7: Via RHSA-2023:3555 https://access.redhat.com/errata/RHSA-2023:3555
- Red Hat Enterprise Linux 9: Via RHSA-2023:3585 https://access.redhat.com/errata/RHSA-2023:3585
- Red Hat Enterprise Linux 8: Via RHSA-2023:3591 https://access.redhat.com/errata/RHSA-2023:3591
- Red Hat Enterprise Linux 9: Via RHSA-2023:3595 https://access.redhat.com/errata/RHSA-2023:3595
- Red Hat Enterprise Linux 8: Via RHSA-2023:3594 https://access.redhat.com/errata/RHSA-2023:3594
- Red Hat Enterprise Linux 8.6 Extended Update Support: Via RHSA-2023:3776 https://access.redhat.com/errata/RHSA-2023:3776
- Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service: Via RHSA-2023:3777 https://access.redhat.com/errata/RHSA-2023:3777
- Red Hat Enterprise Linux 8: Via RHSA-2023:3780 https://access.redhat.com/errata/RHSA-2023:3780
- Red Hat Enterprise Linux 8: Via RHSA-2023:3781 https://access.redhat.com/errata/RHSA-2023:3781
- Red Hat Enterprise Linux 8.6 Extended Update Support: Via RHSA-2023:3796 https://access.redhat.com/errata/RHSA-2023:3796
- Red Hat Enterprise Linux 8.6 Extended Update Support: Via RHSA-2023:3810 https://access.redhat.com/errata/RHSA-2023:3810
- Red Hat Enterprise Linux 8: Via RHSA-2023:3811 https://access.redhat.com/errata/RHSA-2023:3811
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service: Via RHSA-2023:3931 https://access.redhat.com/errata/RHSA-2023:3931
- Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: Via RHSA-2023:3932 https://access.redhat.com/errata/RHSA-2023:3932
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service: Via RHSA-2023:3934 https://access.redhat.com/errata/RHSA-2023:3934
- Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service: Via RHSA-2023:3935 https://access.redhat.com/errata/RHSA-2023:3935
- Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: Via RHSA-2023:3936 https://access.redhat.com/errata/RHSA-2023:3936
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service: Via RHSA-2023:4004 https://access.redhat.com/errata/RHSA-2023:4004
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.4 Telecommunications Update Service: Via RHSA-2023:4008 https://access.redhat.com/errata/RHSA-2023:4008
- Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service: Via RHSA-2023:4038 https://access.redhat.com/errata/RHSA-2023:4038
- Red Hat Enterprise Linux 8.6 Extended Update Support: Via RHSA-2023:4032 https://access.redhat.com/errata/RHSA-2023:4032
- Red Hat Enterprise Linux 9.0 Extended Update Support: Via RHSA-2023:4203 https://access.redhat.com/errata/RHSA-2023:4203
- Red Hat Virtualization 4 for Red Hat Enterprise Linux 8: Via RHSA-2023:4282 https://access.redhat.com/errata/RHSA-2023:4282
- Red Hat Software Collections for Red Hat Enterprise Linux 7: Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793
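The Doc Text above describes a blocklist bypass through a URL that starts with blank characters, and the upstream comment stresses that urlparse and urlsplit are parsers, not validators. The following is an added example, written for this page and not code from the bug report, from CPython or from Red Hat: it shows a scheme blocklist in the shape that was affected, a one-line probe that tells you whether the running interpreter carries the upstream fix (leading space and C0 characters stripped before scheme detection), and an allowlist validator whose verdict does not depend on that interpreter behaviour. The policy sets `BLOCKED_SCHEMES` and `ALLOWED_HOSTS`, the function names and the sample URLs are all constructed for the example.

```python
# Added example (not from the bug report or CPython): compare a urlsplit-based
# scheme blocklist with an allowlist validator that does not rely on how the
# interpreter treats leading blanks.
import sys
from urllib.parse import urlsplit

# Constructed, hypothetical policy for the example.
BLOCKED_SCHEMES = {"file", "ftp", "gopher"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
# Space and the C0 control characters (U+0000..U+0020).
_C0_OR_SPACE = frozenset(chr(c) for c in range(0x21))


def naive_is_allowed(url: str) -> bool:
    """Blocklist check in the shape the Doc Text describes: parse, then compare
    the scheme. On interpreters without the fix a leading blank stops scheme
    detection, urlsplit reports scheme == '', and the blocklist never matches,
    while a later consumer that trims whitespace still uses the URL."""
    return urlsplit(url).scheme not in BLOCKED_SCHEMES


def interpreter_strips_leading_blanks() -> bool:
    """True when the running interpreter carries the upstream fix, which removes
    leading space/C0 characters before scheme detection."""
    return urlsplit(" https://example.com").scheme == "https"


def hardened_is_allowed(url: str) -> bool:
    """Allowlist validator that gives the same verdict on fixed and unfixed
    interpreters.

    1. Reject any raw input containing a space or C0 control character, so the
       parser never sees the characters whose handling differs between versions.
    2. Require an expected scheme instead of denying known-bad ones.
    3. Require the parsed host to be on an explicit allowlist.
    """
    if not url or any(ch in _C0_OR_SPACE for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname is not None and parts.hostname in ALLOWED_HOSTS


def audit(urls):
    """Return (url, naive_verdict, hardened_verdict) for each input so the two
    policies can be compared side by side."""
    return [(u, naive_is_allowed(u), hardened_is_allowed(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "https://api.example.com/v1/items",
        "file:///etc/passwd",
        " file:///etc/passwd",          # leading space, the pattern from the Doc Text
        "https://evil.example/",
        "https://api.example.com\t/x",  # embedded tab
    ]
    v = sys.version_info
    print(f"Python {v.major}.{v.minor}.{v.micro}, "
          f"fix present: {interpreter_strips_leading_blanks()}")
    for url, naive, hardened in audit(samples):
        print(f"{url!r:40} naive={naive!s:5} hardened={hardened}")
```

Running the script on an interpreter from before the fix shows `naive=True` for the leading-space `file:` URL and `False` on an interpreter that has it; `hardened_is_allowed` rejects it in both cases because the raw text is checked before anything is parsed. Rejecting rather than trimming the blanks is deliberate: the blocklisted application and the component that eventually fetches the URL may normalize differently, and refusing the input removes that disagreement.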