CVE-2019-9636

Published: 8 March 2019

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
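
A defensive check for the parsing flaw described above, as an added example (not code from the upstream patches or from this tracker page). It reports URL delimiters that appear in a host string only after NFKC normalization, and probes whether the running interpreter's urlsplit rejects such input, which patched interpreters do by raising ValueError. The function names and sample hostnames are hypothetical and constructed for illustration; Python 3.7 or later is assumed.

```python
import unicodedata
from urllib.parse import urlsplit

DELIMITERS = "/?#@:"  # characters that separate URL components


def introduced_delimiters(netloc):
    """Return the URL delimiters that appear in netloc only after NFKC."""
    if netloc.isascii():
        return []  # pure ASCII text is unchanged by NFKC
    # Drop delimiters already present so that only new ones are reported.
    stripped = netloc.translate({ord(c): None for c in DELIMITERS})
    normalized = unicodedata.normalize("NFKC", stripped)
    return [c for c in DELIMITERS if c in normalized]


def interpreter_rejects_bad_netloc():
    """True if this interpreter's urlsplit refuses such a netloc."""
    try:
        urlsplit("http://host\uff0fname.example/")  # constructed sample
    except ValueError:
        return True
    return False


# Constructed sample hostnames (hypothetical, for illustration only).
SAMPLES = [
    "www.example.com",                   # plain ASCII
    "b\u00fccher.example",               # non-ASCII, stable under NFKC
    "user:pw@b\u00fccher.example:8080",  # existing delimiters are ignored
    "host\uff0fname.example",            # U+FF0F normalizes to "/"
    "host\u2100name.example",            # U+2100 normalizes to "a/c"
    "host\uff03name.example",            # U+FF03 normalizes to "#"
]

if __name__ == "__main__":
    print("urlsplit rejects bad netloc:", interpreter_rejects_bad_netloc())
    for host in SAMPLES:
        print(ascii(host), introduced_delimiters(host))
```

A non-empty result means the host string should be rejected before it is used to look up cookies or credentials; on an interpreter older than the fixed versions listed above, the probe returns False.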

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
python2.7
  bionic: Released (2.7.15-4ubuntu4~18.04.1)
  cosmic: Released (2.7.16-2~18.10)
  disco: Not vulnerable (2.7.16-2)
  eoan: Not vulnerable (2.7.16-2)
  focal: Not vulnerable (2.7.16-2)
  groovy: Not vulnerable (2.7.16-2)
  hirsute: Not vulnerable (2.7.16-2)
  impish: Not vulnerable (2.7.16-2)
  jammy: Not vulnerable (2.7.16-2)
  precise: Released (2.7.3-0ubuntu3.14)
  trusty: Released (2.7.6-8ubuntu0.6+esm2)
  upstream: Released (2.7.16-2)
  xenial: Released (2.7.12-1ubuntu0~16.04.8)
  Patches:
    upstream: https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
    upstream: https://github.com/python/cpython/commit/507bd8cde60ced74d13a1ffa883bb9b0e73c38be

python3.4
  bionic: Does not exist
  cosmic: Does not exist
  disco: Does not exist
  eoan: Does not exist
  focal: Does not exist
  groovy: Does not exist
  hirsute: Does not exist
  impish: Does not exist
  jammy: Does not exist
  precise: Does not exist
  trusty: Released (3.4.3-1ubuntu1~14.04.7+esm2)
  upstream: Needs triage
  xenial: Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/62d36547f97210a26cc6051da78714fd078e158c

python3.5
  bionic: Does not exist
  cosmic: Does not exist
  disco: Does not exist
  eoan: Does not exist
  focal: Does not exist
  groovy: Does not exist
  hirsute: Does not exist
  impish: Does not exist
  jammy: Does not exist
  precise: Does not exist
  trusty: Needed
  upstream: Needs triage
  xenial: Released (3.5.2-2ubuntu0~16.04.8)
  Patches:
    upstream: https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08

python3.6
  bionic: Released (3.6.8-1~18.04.2)
  cosmic: Ignored (reached end-of-life)
  disco: Does not exist
  eoan: Does not exist
  focal: Does not exist
  groovy: Does not exist
  hirsute: Does not exist
  impish: Does not exist
  jammy: Does not exist
  precise: Does not exist
  trusty: Does not exist
  upstream: Needs triage
  xenial: Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/23fc0416454c4ad5b9b23d520fbe6d89be3efc24

python3.7
  bionic: Not vulnerable (3.7.3~rc1-1)
  cosmic: Not vulnerable (3.7.3~rc1-1)
  disco: Not vulnerable (3.7.3-2)
  eoan: Not vulnerable (3.7.3-2)
  focal: Does not exist
  groovy: Does not exist
  hirsute: Does not exist
  impish: Does not exist
  jammy: Does not exist
  precise: Does not exist
  trusty: Does not exist
  upstream: Released (3.7.3~rc1-1)
  xenial: Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be