6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
71.7%
Debian LTS Advisory DLA-2337-1 [email protected]
https://www.debian.org/lts/security/ Thorsten Alteholz
August 22, 2020 https://wiki.debian.org/LTS
Package : python2.7
Version : 2.7.13-2+deb9u4
CVE ID : CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740
CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056
CVE-2019-20907
Multiple vulnerabilities were discovered in Python2.7, an interactive
high-level object-oriented language.
CVE-2018-20852
By using a malicious server an attacker might steal cookies that are
meant for other domains.
CVE-2019-5010
NULL pointer dereference using a specially crafted X509 certificate.
CVE-2019-9636
Improper Handling of Unicode Encoding (with an incorrect netloc)
during NFKC normalization resulting in information disclosure
(credentials, cookies, etc. that are cached against a given
hostname). A specially crafted URL could be incorrectly parsed to
locate cookies or authentication data and send that information to
a different host than when parsed correctly.
CVE-2019-9740
An issue was discovered in urllib2 where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the query string after a ? character) followed by an HTTP header or
a Redis command.
CVE-2019-9947
An issue was discovered in urllib2 where CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the
first argument to urllib.request.urlopen with \r\n (specifically in
the path component of a URL that lacks a ? character) followed by an
HTTP header or a Redis command. This is similar to the CVE-2019-9740
query string issue.
CVE-2019-9948
urllib supports the local_file: scheme, which makes it easier for
remote attackers to bypass protection mechanisms that blacklist
file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-10160
A security regression of CVE-2019-9636 was discovered which still
allows an attacker to exploit CVE-2019-9636 by abusing the user and
password parts of a URL. When an application parses user-supplied
URLs to store cookies, authentication credentials, or other kind of
information, it is possible for an attacker to provide specially
crafted URLs to make the application locate host-related information
(e.g. cookies, authentication data) and send them to a different
host than where it should, unlike if the URLs had been correctly
parsed. The result of an attack may vary based on the application.
CVE-2019-16056
The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.
CVE-2019-20907
Opening a crafted tar file could result in an infinite loop due to
missing header validation.
For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u4.
We recommend that you upgrade your python2.7 packages.
For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 8 | armel | libpython3.4-stdlib | < 3.4.2-1+deb8u3 | libpython3.4-stdlib_3.4.2-1+deb8u3_armel.deb |
Debian | 10 | i386 | libpython3.7-stdlib | < 3.7.3-2+deb10u1 | libpython3.7-stdlib_3.7.3-2+deb10u1_i386.deb |
Debian | 10 | s390x | python3.7-dbg | < 3.7.3-2+deb10u1 | python3.7-dbg_3.7.3-2+deb10u1_s390x.deb |
Debian | 10 | mipsel | libpython3.7-minimal | < 3.7.3-2+deb10u1 | libpython3.7-minimal_3.7.3-2+deb10u1_mipsel.deb |
Debian | 10 | armel | python3.7-minimal | < 3.7.3-2+deb10u1 | python3.7-minimal_3.7.3-2+deb10u1_armel.deb |
Debian | 9 | all | idle-python3.5 | < 3.5.3-1+deb9u2 | idle-python3.5_3.5.3-1+deb9u2_all.deb |
Debian | 10 | armhf | python2.7 | < 2.7.16-2+deb10u1 | python2.7_2.7.16-2+deb10u1_armhf.deb |
Debian | 10 | all | python2.7-doc | < 2.7.16-2+deb10u1 | python2.7-doc_2.7.16-2+deb10u1_all.deb |
Debian | 8 | armel | libpython2.7-minimal | < 2.7.9-2+deb8u3 | libpython2.7-minimal_2.7.9-2+deb8u3_armel.deb |
Debian | 9 | armhf | python2.7-dbg | < 2.7.13-2+deb9u4 | python2.7-dbg_2.7.13-2+deb9u4_armhf.deb |
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
71.7%