CVE-2019-9636

Published: 08 March 2019

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by improper handling of Unicode encoding during NFKC normalization, which can produce an incorrect netloc. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname). The affected components are urllib.parse.urlsplit and urllib.parse.urlparse. The attack vector is a specially crafted URL that is parsed incorrectly, so that cookies or authentication data are located for one host and sent to a different host than the one obtained when the URL is parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
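As an added example (not the tracker's or CPython's own code), the following reproduces the kind of validation the upstream fix introduced: a netloc is rejected when NFKC normalization would introduce a URL delimiter that the raw string did not contain, which is what lets host boundaries differ between the two parses. The `safe_urlsplit` and `url_is_acceptable` names and the sample URLs are assumptions constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit userinfo, host, port, path, query and fragment.
# If NFKC normalization introduces one of them into a netloc, the host
# boundaries found in the raw string and after normalization disagree,
# which is the root cause described above.
NETLOC_DELIMITERS = "/?#@:"


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """True when NFKC normalization of ``netloc`` introduces a delimiter
    absent from the raw string.  Pure-ASCII input is unchanged by NFKC."""
    if not netloc or netloc.isascii():
        return False
    # Delimiters already present (user:pw@host:port) are legitimate; drop
    # them so only characters *created* by normalization are flagged.
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(ch in normalized for ch in NETLOC_DELIMITERS)


def safe_urlsplit(url: str):
    """urlsplit() that refuses URLs whose netloc is ambiguous under NFKC.
    A patched interpreter already raises inside urlsplit(); on an unpatched
    one this wrapper supplies the missing check (hypothetical helper)."""
    parts = urlsplit(url)
    if netloc_changes_under_nfkc(parts.netloc):
        raise ValueError("netloc %r contains invalid characters under "
                         "NFKC normalization" % parts.netloc)
    return parts


def url_is_acceptable(url: str) -> bool:
    """Boolean convenience wrapper for input validation (hypothetical)."""
    try:
        safe_urlsplit(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: U+2100 (ACCOUNT OF) normalizes to "a/c" under
    # NFKC, so the second URL would gain a path separator inside its host.
    for sample in ("https://user:pw@example.com:8443/login",
                   "https://example\u2100com/login"):
        print(sample, "->", "ok" if url_is_acceptable(sample) else "rejected")
```

The first sample is accepted and the second rejected on both patched and unpatched interpreters, so the wrapper can be deployed uniformly while older Python builds are still in service.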

Priority: Medium

CVSS 3 base score: 9.8

Status

Package status by release

python2.7 (Launchpad, Ubuntu, Debian)
  Upstream:                          Released (2.7.16-2)
  Ubuntu 21.04 (Hirsute Hippo):      Not vulnerable (2.7.16-2)
  Ubuntu 20.10 (Groovy Gorilla):     Not vulnerable (2.7.16-2)
  Ubuntu 20.04 LTS (Focal Fossa):    Not vulnerable (2.7.16-2)
  Ubuntu 18.04 LTS (Bionic Beaver):  Released (2.7.15-4ubuntu4~18.04.1)
  Ubuntu 16.04 ESM (Xenial Xerus):   Released (2.7.12-1ubuntu0~16.04.8)
  Ubuntu 14.04 ESM (Trusty Tahr):    Released (2.7.6-8ubuntu0.6+esm2)
  Patches:
    Upstream: https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
    Upstream: https://github.com/python/cpython/commit/507bd8cde60ced74d13a1ffa883bb9b0e73c38be

python3.4 (Launchpad, Ubuntu, Debian)
  Upstream:                          Needs triage
  Ubuntu 21.04 (Hirsute Hippo):      Does not exist
  Ubuntu 20.10 (Groovy Gorilla):     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa):    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver):  Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus):   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr):    Released (3.4.3-1ubuntu1~14.04.7+esm2)
  Patches:
    Upstream: https://github.com/python/cpython/commit/62d36547f97210a26cc6051da78714fd078e158c

python3.5 (Launchpad, Ubuntu, Debian)
  Upstream:                          Needs triage
  Ubuntu 21.04 (Hirsute Hippo):      Does not exist
  Ubuntu 20.10 (Groovy Gorilla):     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa):    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver):  Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus):   Released (3.5.2-2ubuntu0~16.04.8)
  Ubuntu 14.04 ESM (Trusty Tahr):    Needed
  Patches:
    Upstream: https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08

python3.6 (Launchpad, Ubuntu, Debian)
  Upstream:                          Needs triage
  Ubuntu 21.04 (Hirsute Hippo):      Does not exist
  Ubuntu 20.10 (Groovy Gorilla):     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa):    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver):  Released (3.6.8-1~18.04.2)
  Ubuntu 16.04 ESM (Xenial Xerus):   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr):    Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/23fc0416454c4ad5b9b23d520fbe6d89be3efc24

python3.7 (Launchpad, Ubuntu, Debian)
  Upstream:                          Released (3.7.3~rc1-1)
  Ubuntu 21.04 (Hirsute Hippo):      Does not exist
  Ubuntu 20.10 (Groovy Gorilla):     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa):    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver):  Not vulnerable (3.7.3~rc1-1)
  Ubuntu 16.04 ESM (Xenial Xerus):   Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr):    Does not exist
  Patches:
    Upstream: https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be