PublicDateAtUSN: 2019-09-06 18:15:00 UTC
Candidate: CVE-2019-16056
PublicDate: 2019-09-06 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
 https://ubuntu.com/security/notices/USN-4151-1
 https://ubuntu.com/security/notices/USN-4151-2
Description:
 An issue was discovered in Python through 2.7.16, 3.x through 3.5.7,
 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly
 parses email addresses that contain multiple @ characters. An
 application that uses the email module and implements some kind of
 checks on the From/To headers of a message could be tricked into
 accepting an email address that should be denied. An attack may be the
 same as in CVE-2019-11340; however, this CVE applies to Python more
 generally.
Ubuntu-Description:
Notes:
 seth-arnold> This has a very high risk of regression. Email addresses
  should not be validated beyond making sure there's at least one byte
  on both sides of an '@' sign. Legal email addresses are significantly
  more complicated than what is easy to express in regex.
 seth-arnold> Whatever validation this module provides is in my opinion
  suspect.
Mitigation:
Bugs:
 https://bugs.python.org/issue34155
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_python2.7:
 upstream: https://github.com/python/cpython/commit/4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.15)
trusty_python2.7: ignored (out of standard support)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.6+esm3)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.9)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.9)
bionic_python2.7: released (2.7.15-4ubuntu4~18.04.2)
disco_python2.7: released (2.7.16-2ubuntu0.2)
eoan_python2.7: not-affected (2.7.17~rc1-1)
focal_python2.7: not-affected (2.7.17~rc1-1)
groovy_python2.7: not-affected (2.7.17~rc1-1)
hirsute_python2.7: not-affected (2.7.17~rc1-1)
impish_python2.7: not-affected (2.7.17~rc1-1)
jammy_python2.7: not-affected (2.7.17~rc1-1)
devel_python2.7: not-affected (2.7.17~rc1-1)

Patches_python3.4:
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: ignored (out of standard support)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7+esm4)
xenial_python3.4: DNE
bionic_python3.4: DNE
disco_python3.4: DNE
eoan_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
 upstream: https://github.com/python/cpython/commit/063eba280a11d3c9a5dd9ee5abe4de640907951b
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: needs-triage
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.9)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.9)
bionic_python3.5: DNE
disco_python3.5: DNE
eoan_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: DNE
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
bionic_python3.6: released (3.6.8-1~18.04.3)
disco_python3.6: DNE
eoan_python3.6: DNE
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8
upstream_python3.7: released (3.7.4-4)
precise/esm_python3.7: DNE
trusty_python3.7: DNE
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
bionic_python3.7: needs-triage
disco_python3.7: released (3.7.3-2ubuntu0.2)
eoan_python3.7: not-affected (3.7.4-4)
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE
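The Description above says an application that checks From/To headers can be tricked by an address containing more than one @ character. The following is an added example written for this record, not code from the Ubuntu tracker or from CPython. It places a naive header check of the kind the description warns about beside a check that parses with email.utils.parseaddr and accepts only a single local part and domain, failing closed on anything ambiguous. The domain trusted.example, the sample header values and the function names are all constructed for the example.

```python
# Added example for this CVE record (not code from the Ubuntu tracker or
# CPython): a header check of the kind the description says can be tricked,
# beside a version that refuses ambiguous addresses. All sample values below
# are constructed for the example.
from email.utils import parseaddr

# Hypothetical allow-listed sender domain for the example.
TRUSTED_DOMAIN = "trusted.example"

# Constructed From: header values, not taken from any real message.
SAMPLE_HEADERS = {
    "legit": "Alice <alice@trusted.example>",
    # the shape the CVE describes: two '@' signs in one address
    "multi_at": "a@malicious.example@trusted.example",
    # a display name that happens to contain an '@'
    "at_in_name": '"bob@home" <bob@trusted.example>',
    "empty": "",
}


def naive_is_trusted(header_value: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """The fragile pattern: treat whatever follows the last '@' as the domain.

    A header with more than one '@' passes this check whenever the final
    piece is the trusted domain, which is exactly what the CVE warns about.
    """
    tail = header_value.strip().strip("<>").rsplit("@", 1)[-1]
    return tail.lower() == domain.lower()


def hardened_is_trusted(header_value: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """Parse with email.utils.parseaddr, then accept only one local@domain.

    Fails closed: anything the parser rejects, any address with a second
    '@', and any '@' in the raw header that the parsed address does not
    account for all lead to False.
    """
    _display_name, addr = parseaddr(header_value)
    if not addr:
        # CPython with the upstream fix returns ('', '') for a two-'@' address.
        return False
    # Guard for interpreters without the fix, which hand back only the part
    # before the second '@': any '@' left over in the raw header means the
    # parsed address is not the whole story. This also denies display names
    # containing '@', which is the safe direction for an allow-list.
    if header_value.count("@") != addr.count("@"):
        return False
    local_part, sep, host = addr.rpartition("@")
    if not sep or not local_part or not host or "@" in local_part:
        return False
    return host.lower() == domain.lower()


def audit(headers: dict) -> dict:
    """Run both checks over a mapping of label -> header value."""
    return {
        label: {"naive": naive_is_trusted(value), "hardened": hardened_is_trusted(value)}
        for label, value in headers.items()
    }


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{label:>10}: naive={verdict['naive']!s:5} hardened={verdict['hardened']}")
```

On a CPython carrying one of the upstream commits listed under Patches, parseaddr already returns ('', '') for the two-@ input, so the hardened check denies it before its own guards run; on an interpreter without the fix, parseaddr returns the text before the second @, and the leftover-@ comparison is what still denies it. The cost of that guard is that a display name containing @ is also denied, which matches the note above that anything beyond a single @ with bytes on both sides is hard to validate safely: for an allow-list, denying is the direction to fail in.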