Bug 1688169 (CVE-2019-9740) - CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
Summary: CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
Status: CLOSED ERRATA
Alias: CVE-2019-9740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190313,repor...
Keywords: Security
Depends On: 1704362 1704364 1704365 1704367 1704369 1704371 1706850 1706853 1706854 1706855 1709391 1688170 1688657 1692983 1692984 1703458 1704366 1704368 1704370 1704372 1706849 1706851 1706852 1709407
Blocks: 1688174
Reported: 2019-03-13 10:20 UTC by Dhananjay Arunesh
Modified: 2019-06-18 14:28 UTC (History)
Clone Of:
Last Closed: 2019-06-10 10:50:42 UTC
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1260 None None None 2019-05-22 12:01 UTC

Description Dhananjay Arunesh 2019-03-13 10:20:06 UTC
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n followed by an HTTP header or a Redis command.

Reference:
https://bugs.python.org/issue36276
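An added check, not part of this bug report or of CPython, showing the vulnerable string-concatenation pattern the description refers to beside the two defences: scanning a URL built from untrusted input for the character class the upstream fix rejects, and percent-encoding the untrusted value so no raw CR/LF ever reaches urlopen. The helper names, the constructed tainted value and the example.com URL are assumptions.

```python
import re
from urllib.parse import urlencode

# Character class the upstream fix for CVE-2019-9740 / bpo-30458 rejects in
# the request target: ASCII controls (including CR and LF), space and DEL.
# The helper names below are mine, not urllib's.
DISALLOWED_URL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample: a query value that terminates the request line and
# smuggles a header of its own, as the bug description outlines.
TAINTED = "python\r\nX-Injected: 1"


def find_disallowed_chars(url):
    """Return every disallowed character in the raw URL string, in order.

    The raw string is scanned on purpose: newer urllib.parse.urlsplit strips
    CR/LF/TAB before parsing, so a check on the parsed parts would miss them.
    """
    return DISALLOWED_URL_CHARS.findall(url)


def check_url(url):
    """Raise ValueError (fail closed) if url carries disallowed characters.

    Call this on any URL assembled from untrusted input before handing it
    to urllib.request.urlopen. A patched http.client raises InvalidURL for
    the same class; this guard gives older interpreters the same behaviour
    and an event worth logging.
    """
    found = find_disallowed_chars(url)
    if found:
        raise ValueError("refusing URL with disallowed characters: %r" % found)
    return url


def build_url_unsafe(value):
    """The vulnerable pattern: raw concatenation of an untrusted value."""
    return "http://example.com/search?q=" + value


def build_url_safe(value):
    """The mitigation: percent-encode untrusted values with urlencode."""
    return "http://example.com/search?" + urlencode({"q": value})


if __name__ == "__main__":
    print("unsafe:", find_disallowed_chars(build_url_unsafe(TAINTED)))
    print("safe:", check_url(build_url_safe(TAINTED)))
```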

Comment 1 Dhananjay Arunesh 2019-03-13 10:20:35 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1688170]

Comment 2 Hardik Vyas 2019-03-14 07:38:07 UTC
[Deleted]

Comment 7 Riccardo Schirone 2019-04-05 15:19:45 UTC
> Reference:
> https://bugs.python.org/issue36276

This has been marked as a duplicate of https://bugs.python.org/issue30458

Comment 10 Hardik Vyas 2019-04-26 14:01:09 UTC
Statement:

This issue affects:
* All current versions of Red Hat OpenStack Platform. However, version 8 is due to retire on the 20th of April 2019; there are no more planned releases prior to this date.

Comment 15 Riccardo Schirone 2019-05-06 11:57:43 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1706851]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1706855]
Affects: fedora-all [bug 1706852]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1706853]


Created python36 tracking bugs for this issue:

Affects: epel-7 [bug 1706854]
Affects: fedora-29 [bug 1706850]


Created python37 tracking bugs for this issue:

Affects: fedora-28 [bug 1706849]

Comment 16 Riccardo Schirone 2019-05-06 12:00:11 UTC
Upstream patch PR (merged upstream):
https://github.com/python/cpython/pull/12755

Comment 18 errata-xmlrpc 2019-05-22 12:01:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1260 https://access.redhat.com/errata/RHSA-2019:1260