An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. https://pointernull.com/security/python-url-parse-problem.html https://github.com/python/cpython/pull/99421
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 2174012]

Created pypy tracking bugs for this issue:
Affects: epel-7 [bug 2174017]
Affects: fedora-all [bug 2174018]

Created pypy3.8 tracking bugs for this issue:
Affects: fedora-all [bug 2174019]

Created pypy3.9 tracking bugs for this issue:
Affects: fedora-all [bug 2174020]

Created python2.7 tracking bugs for this issue:
Affects: fedora-all [bug 2174011]

Created python3.10 tracking bugs for this issue:
Affects: fedora-all [bug 2174010]

Created python3.6 tracking bugs for this issue:
Affects: fedora-all [bug 2174013]

Created python3.7 tracking bugs for this issue:
Affects: fedora-all [bug 2174014]

Created python3.8 tracking bugs for this issue:
Affects: fedora-all [bug 2174015]

Created python3.9 tracking bugs for this issue:
Affects: fedora-all [bug 2174016]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 2174009]
There are still discussions upstream about the issue here: https://github.com/python/cpython/issues/102153
This bug is currently listed as being fixed in 3.11, however the link above (https://github.com/python/cpython/issues/102153) indicates that the alleged fix had zero effect. Can/Should this be updated?
affects RHEL 8.7
I'm sorry it takes so long. There is no easy way out. The problem is very similar to the tarfile CVE (CVE-2007-4559). The behavior of the urlparse and urlsplit functions is documented well and those functions are not intended to validate URLs. Therefore the upstream point of view is that the vulnerability is not in Python but might be in apps using these functions incorrectly. Because the urllib module does not strictly follow any standard or RFC, it's almost impossible to do any backward-incompatible changes there. We are trying to come up with a plan for how to improve the urllib module in Python in a way that would be future-proof, won't break backward compatibility, will be easily backportable into our systems and components and will be acceptable to upstream. I'm also going to open a discussion with the product security team about the severity and our point of view.
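As an added illustration (not code from the reporter or from CPython), the fragile scheme-blocklist pattern the description refers to is shown beside an allowlist check that normalises leading blank characters itself, so its result does not depend on whether the running interpreter carries the fix; the set of stripped characters (C0 controls and space) is an assumption about what the upstream change does.

```python
"""Blocklist vs. allowlist scheme checks built on urllib.parse.

Constructed example. The characters stripped before parsing are assumed
to match the upstream fix (C0 control characters and space); the check
strips them explicitly so it behaves the same on patched and unpatched
Python versions.
"""
from urllib.parse import urlsplit

# Assumption: leading/trailing NUL..0x20 are what the fix discards.
_BLANKS = "".join(chr(c) for c in range(0x21))

ALLOWED_SCHEMES = frozenset({"http", "https"})
BLOCKED_SCHEMES = frozenset({"file", "ftp", "gopher"})


def naive_blocklist_rejects(url: str) -> bool:
    """Fragile pattern: parse first, then compare the scheme to a blocklist.

    On interpreters without the fix, a URL that starts with a blank
    character parses with an empty scheme, so the blocklist never matches
    and the URL is treated as harmless.
    """
    return urlsplit(url).scheme.lower() in BLOCKED_SCHEMES


def parsed_scheme(url: str) -> str:
    """Scheme exactly as this interpreter's urlsplit reports it."""
    return urlsplit(url).scheme


def strict_allowlist_accepts(url: str) -> bool:
    """Hardened pattern: normalise, then require a known-good scheme and host.

    An empty or unexpected scheme is rejected instead of being read as
    'not blocked', which is the failure mode of the blocklist above.
    """
    cleaned = url.strip(_BLANKS)
    parts = urlsplit(cleaned)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


if __name__ == "__main__":
    # Constructed inputs; only the allowlist result is version-independent.
    for candidate in ("https://example.com/", "file:///tmp/x", " file:///tmp/x"):
        print(repr(candidate), parsed_scheme(candidate),
              naive_blocklist_rejects(candidate), strict_allowlist_accepts(candidate))
```

Run it on an unpatched and a patched interpreter to see the blocklist column change for the leading-space input while the allowlist column stays the same.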
The fix is available in:
3.12 (merged, will be part of the first beta release): https://github.com/python/cpython/commit/2f630e1ce18ad2e07428296532a68b11dc66ad10
3.11 (merged, bugfix release 3.11.4 expected in June): https://github.com/python/cpython/commit/610cc0ab1b760b2abaac92bd256b96191c46b941
3.10 (merged, security release 3.10.12 without date assigned): https://github.com/python/cpython/commit/f48a96a28012d28ae37a2f4587a780a5eb779946
3.9 (WIP): https://github.com/python/cpython/pull/104593
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2023:3550 https://access.redhat.com/errata/RHSA-2023:3550
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:3556 https://access.redhat.com/errata/RHSA-2023:3556
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:3555 https://access.redhat.com/errata/RHSA-2023:3555
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3585 https://access.redhat.com/errata/RHSA-2023:3585
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3591 https://access.redhat.com/errata/RHSA-2023:3591
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3595 https://access.redhat.com/errata/RHSA-2023:3595
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3594 https://access.redhat.com/errata/RHSA-2023:3594
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3776 https://access.redhat.com/errata/RHSA-2023:3776
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:3777 https://access.redhat.com/errata/RHSA-2023:3777
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3780 https://access.redhat.com/errata/RHSA-2023:3780
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3781 https://access.redhat.com/errata/RHSA-2023:3781
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3796 https://access.redhat.com/errata/RHSA-2023:3796
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3810 https://access.redhat.com/errata/RHSA-2023:3810
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3811 https://access.redhat.com/errata/RHSA-2023:3811
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:3931 https://access.redhat.com/errata/RHSA-2023:3931
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3932 https://access.redhat.com/errata/RHSA-2023:3932
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:3934 https://access.redhat.com/errata/RHSA-2023:3934
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:3935 https://access.redhat.com/errata/RHSA-2023:3935
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:3936 https://access.redhat.com/errata/RHSA-2023:3936
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:4004 https://access.redhat.com/errata/RHSA-2023:4004
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:4008 https://access.redhat.com/errata/RHSA-2023:4008
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:4038 https://access.redhat.com/errata/RHSA-2023:4038
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4032 https://access.redhat.com/errata/RHSA-2023:4032
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4203 https://access.redhat.com/errata/RHSA-2023:4203
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2023:4282 https://access.redhat.com/errata/RHSA-2023:4282
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793