PublicDateAtUSN: 2019-06-07
Candidate: CVE-2019-10160
PublicDate: 2019-06-07 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160
 https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html
 https://ubuntu.com/security/notices/USN-4127-1
 https://ubuntu.com/security/notices/USN-4127-2
Description:
 A security regression of CVE-2019-9636 was discovered in Python since commit
 d537ab0ff9767ef024f26246899728f0116b1ec3, affecting versions 2.7, 3.5, 3.6,
 3.7 and v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit
 CVE-2019-9636 by abusing the user and password parts of a URL. When an
 application parses user-supplied URLs to store cookies, authentication
 credentials, or other kinds of information, an attacker can provide specially
 crafted URLs that make the application associate host-related information
 (e.g. cookies, authentication data) with, and send it to, a different host
 than it would if the URLs had been parsed correctly. The result of an attack
 may vary based on the application.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.python.org/issue36742
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_python2.7:
 upstream: https://github.com/python/cpython/commit/98a4dcefbbc3bce5ab07e7c0830a183157250259
 upstream: https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de
 upstream: https://github.com/python/cpython/commit/2b578479b96aa3deeeb8bac313a02b5cf3cb1aff
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.14)
trusty_python2.7: ignored (out of standard support)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.6+esm2)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.8)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.8)
bionic_python2.7: released (2.7.15-4ubuntu4~18.04.1)
cosmic_python2.7: ignored (reached end-of-life)
disco_python2.7: released (2.7.16-2ubuntu0.1)
eoan_python2.7: not-affected (2.7.16-3)
focal_python2.7: not-affected (2.7.16-3)
groovy_python2.7: not-affected (2.7.16-3)
hirsute_python2.7: not-affected (2.7.16-3)
impish_python2.7: not-affected (2.7.16-3)
jammy_python2.7: not-affected (2.7.16-3)
devel_python2.7: not-affected (2.7.16-3)

Patches_python3.4:
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: ignored (out of standard support)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7+esm2)
xenial_python3.4: DNE
bionic_python3.4: DNE
cosmic_python3.4: DNE
disco_python3.4: DNE
eoan_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: needed
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.8)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.8)
bionic_python3.5: DNE
cosmic_python3.5: DNE
disco_python3.5: DNE
eoan_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/e5f9f4adb95233c66578e6f7ea176687af2f78ca
 upstream: https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: ignored (out of standard support)
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
bionic_python3.6: released (3.6.8-1~18.04.2)
cosmic_python3.6: ignored (reached end-of-life)
disco_python3.6: DNE
eoan_python3.6: DNE
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/4d723e76e1ad17e9e7d5e828e59bb47e76f2174b
 upstream: https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09
upstream_python3.7: needs-triage
precise/esm_python3.7: DNE
trusty_python3.7: ignored (out of standard support)
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
bionic_python3.7: needed
cosmic_python3.7: ignored (reached end-of-life)
disco_python3.7: released (3.7.3-2ubuntu0.1)
eoan_python3.7: not-affected (3.7.4~rc2-1)
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE
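Added worked example for the Description above (not part of the tracker record and not CPython's own code): it shows why discarding the user:password part before the NFKC check lets the host change. The two check functions are a simplified paraphrase of the shape the netloc check had with the regression and after the fix; that shape is an assumption on my part, so compare against the upstream commits listed under Patches_ before relying on it. The URL `http://n\uff03user@netloc/path` is a constructed payload (U+FF03 FULLWIDTH NUMBER SIGN normalizes to `#`); `naive_host` is a deliberately minimal splitter standing in for a parser with no normalization check, and `interpreter_is_patched` probes whatever interpreter runs the script.

```python
# Added example, not CPython code. check_netloc_regressed / check_netloc_fixed
# are an assumed paraphrase of the pre- and post-fix netloc check; the payloads
# below are constructed for this demonstration.
import unicodedata
from urllib.parse import urlsplit

# Characters that must not appear in a netloc only after NFKC normalization:
# each one shifts the boundary between userinfo, host, port, path, query, fragment.
NETLOC_DELIMS = "/?#@:"


def _is_ascii(s):
    # str.isascii() is 3.7+; spell it out so this also runs on 3.5/3.6.
    return all(ord(c) < 128 for c in s)


def _reject_if_normalization_adds_delims(netloc, stripped):
    normalized = unicodedata.normalize("NFKC", stripped)
    if stripped == normalized:
        return True
    for c in NETLOC_DELIMS:
        if c in normalized:
            raise ValueError("netloc %r gains %r under NFKC normalization" % (netloc, c))
    return True


def check_netloc_regressed(netloc):
    """Regressed shape (CVE-2019-10160): userinfo is dropped before normalizing,
    so a confusable placed in user:password is never examined."""
    if not netloc or _is_ascii(netloc):
        return True
    n = netloc.rpartition("@")[2]      # the bug: everything left of '@' is ignored
    for c in ":#?":
        n = n.replace(c, "")           # delimiters literally present are tolerated
    return _reject_if_normalization_adds_delims(netloc, n)


def check_netloc_fixed(netloc):
    """Fixed shape: the whole netloc, userinfo included, is normalized."""
    if not netloc or _is_ascii(netloc):
        return True
    n = netloc
    for c in "@:#?":
        n = n.replace(c, "")
    return _reject_if_normalization_adds_delims(netloc, n)


def rejects(check, netloc):
    """True if `check` raises ValueError for this netloc."""
    try:
        check(netloc)
    except ValueError:
        return True
    return False


def naive_host(url):
    """Host as a splitter with no normalization check sees it: netloc runs from
    '://' to the first of '/?#'; host is after the last '@' and before ':port'."""
    _, _, rest = url.partition("://")
    end = len(rest)
    for d in "/?#":
        i = rest.find(d)
        if i != -1 and i < end:
            end = i
    host = rest[:end].rpartition("@")[2]
    return host.partition(":")[0].lower()


def host_after_nfkc(url):
    """Host a consumer that NFKC-normalizes the whole URL first would talk to."""
    return naive_host(unicodedata.normalize("NFKC", url))


def interpreter_is_patched(url):
    """Probe the running interpreter: a fixed urlsplit() rejects the payload."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


# Constructed payload: after NFKC, "n#user@netloc/path" has host "n" and the
# rest becomes the fragment, while an unchecked split reports host "netloc".
CRAFTED = "http://n\uff03user@netloc/path"
CRAFTED_NETLOC = "n\uff03user@netloc"

if __name__ == "__main__":
    print("host before normalization:", naive_host(CRAFTED))       # netloc
    print("host after NFKC:          ", host_after_nfkc(CRAFTED))   # n
    print("regressed check rejects:  ", rejects(check_netloc_regressed, CRAFTED_NETLOC))  # False
    print("fixed check rejects:      ", rejects(check_netloc_fixed, CRAFTED_NETLOC))      # True
    print("this interpreter patched: ", interpreter_is_patched(CRAFTED))
```

Run it under the interpreter you want to audit: `interpreter_is_patched` returns True on a build whose `urlsplit` rejects the payload and False on one still carrying the regression, which is a quicker check than matching package versions against the status lines above. The fixed-shape check still accepts legitimately non-ASCII netlocs such as `\u30d5\u309a:80` (the combining mark composes under NFKC without producing a delimiter), so the point is not "reject non-ASCII" but "reject a delimiter that only appears after normalization".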