CVE-2019-9636

Published: 8 March 2019

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
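The check that closed this bug, recreated here as an added example (this is not the page's or CPython's own code, and the function names and the sample hosts containing U+2100 and U+FF03 are constructed for illustration): a netloc is rejected when NFKC normalization would introduce a URL delimiter into it, so the hostname cannot be re-split differently once the URL is used.

```python
import unicodedata
from urllib.parse import urlsplit

# Delimiters that a netloc must not gain through normalization
NETLOC_DELIMITERS = "/?#@:"


def netloc_unsafe_under_nfkc(netloc):
    """True if NFKC-normalizing the netloc introduces a URL delimiter.

    Mirrors the check the upstream fix added to urlsplit()/urlparse(): IDNA
    encodes hostnames with NFKC, so e.g. U+2100 (-> 'a/c') or U+FF03 (-> '#')
    would split the netloc differently once the URL is actually used.
    """
    if not netloc or not any(ord(c) > 127 for c in netloc):
        return False  # ASCII-only netlocs cannot change under NFKC
    # Drop delimiters that are legitimately present (userinfo, port) so that
    # only delimiters *created* by normalization are flagged
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(c in normalized for c in NETLOC_DELIMITERS)


def safe_urlsplit(url):
    """urlsplit() that rejects NFKC-unsafe netlocs on any interpreter.

    A fixed interpreter (2.7.17+, 3.7.3+) already raises ValueError inside
    urlsplit(); on an unfixed one the explicit check below closes the gap.
    """
    parts = urlsplit(url)
    if netloc_unsafe_under_nfkc(parts.netloc):
        raise ValueError("netloc %r contains invalid characters under NFKC "
                         "normalization" % (parts.netloc,))
    return parts


def url_is_rejected(url):
    """True if safe_urlsplit() refuses the URL, False if it parses cleanly."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return True
    return False
```

Calling url_is_rejected() on a constructed URL such as "https://\u2100.example/" returns True, while an NFKC-stable non-ASCII host such as "https://b\u00fccher.example/" is accepted.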

Priority

Medium

CVSS 3 Severity Score

9.8 (score breakdown below)

Status

Package / Release    Status
python2.7 (Launchpad, Ubuntu, Debian)
  bionic             Released (2.7.15-4ubuntu4~18.04.1)
  cosmic             Released (2.7.16-2~18.10)
  disco              Not vulnerable (2.7.16-2)
  eoan               Not vulnerable (2.7.16-2)
  focal              Not vulnerable (2.7.16-2)
  groovy             Not vulnerable (2.7.16-2)
  hirsute            Not vulnerable (2.7.16-2)
  impish             Not vulnerable (2.7.16-2)
  jammy              Not vulnerable (2.7.16-2)
  kinetic            Not vulnerable (2.7.16-2)
  lunar              Does not exist
  mantic             Does not exist
  noble              Does not exist
  trusty             Released (2.7.6-8ubuntu0.6+esm2), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
  upstream           Released (2.7.16-2)
  xenial             Released (2.7.12-1ubuntu0~16.04.8)
  Patches:
    upstream: https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
    upstream: https://github.com/python/cpython/commit/507bd8cde60ced74d13a1ffa883bb9b0e73c38be

python3.4 (Launchpad, Ubuntu, Debian)
  bionic             Does not exist
  cosmic             Does not exist
  disco              Does not exist
  eoan               Does not exist
  focal              Does not exist
  groovy             Does not exist
  hirsute            Does not exist
  impish             Does not exist
  jammy              Does not exist
  kinetic            Does not exist
  lunar              Does not exist
  mantic             Does not exist
  noble              Does not exist
  trusty             Released (3.4.3-1ubuntu1~14.04.7+esm2), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
  upstream           Needs triage
  xenial             Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/62d36547f97210a26cc6051da78714fd078e158c

python3.5 (Launchpad, Ubuntu, Debian)
  bionic             Does not exist
  cosmic             Does not exist
  disco              Does not exist
  eoan               Does not exist
  focal              Does not exist
  groovy             Does not exist
  hirsute            Does not exist
  impish             Does not exist
  jammy              Does not exist
  kinetic            Does not exist
  lunar              Does not exist
  mantic             Does not exist
  noble              Does not exist
  trusty             Needed
  upstream           Needs triage
  xenial             Released (3.5.2-2ubuntu0~16.04.8)
  Patches:
    upstream: https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08

python3.6 (Launchpad, Ubuntu, Debian)
  bionic             Released (3.6.8-1~18.04.2)
  cosmic             Ignored (end of life)
  disco              Does not exist
  eoan               Does not exist
  focal              Does not exist
  groovy             Does not exist
  hirsute            Does not exist
  impish             Does not exist
  jammy              Does not exist
  kinetic            Does not exist
  lunar              Does not exist
  mantic             Does not exist
  noble              Does not exist
  trusty             Does not exist
  upstream           Needs triage
  xenial             Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/23fc0416454c4ad5b9b23d520fbe6d89be3efc24

python3.7 (Launchpad, Ubuntu, Debian)
  bionic             Not vulnerable (3.7.3~rc1-1)
  cosmic             Not vulnerable (3.7.3~rc1-1)
  disco              Not vulnerable (3.7.3-2)
  eoan               Not vulnerable (3.7.3-2)
  focal              Does not exist
  groovy             Does not exist
  hirsute            Does not exist
  impish             Does not exist
  jammy              Does not exist
  kinetic            Does not exist
  lunar              Does not exist
  mantic             Does not exist
  noble              Does not exist
  trusty             Does not exist
  upstream           Released (3.7.3~rc1-1)
  xenial             Does not exist
  Patches:
    upstream: https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be

Severity score breakdown

Parameter               Value
Base score              9.8
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  High
Integrity impact        High
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H