PublicDateAtUSN: 2019-03-12
Candidate: CVE-2019-9740
PublicDate: 2019-03-13 03:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
 https://python-security.readthedocs.io/vuln/http-header-injection2.html
 https://ubuntu.com/security/notices/USN-4127-1
 https://ubuntu.com/security/notices/USN-4127-2
Description:
 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in
 Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a
 url parameter, as demonstrated by the first argument to
 urllib.request.urlopen with \r\n (specifically in the query string after a ?
 character) followed by an HTTP header or a Redis command. This is fixed in:
 v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8,
 v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1,
 v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1,
 v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.python.org/issue36276 (marked as dupe)
 https://bugs.python.org/issue30458
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_python2.7:
 upstream: https://github.com/python/cpython/commit/bb8071a4cae5ab3fe321481dd3d73662ffb26052
upstream_python2.7: needs-triage
precise/esm_python2.7: released (2.7.3-0ubuntu3.14)
trusty_python2.7: ignored (reached end-of-life)
trusty/esm_python2.7: released (2.7.6-8ubuntu0.6+esm2)
xenial_python2.7: released (2.7.12-1ubuntu0~16.04.8)
esm-infra/xenial_python2.7: released (2.7.12-1ubuntu0~16.04.8)
bionic_python2.7: released (2.7.15-4ubuntu4~18.04.1)
cosmic_python2.7: ignored (reached end-of-life)
disco_python2.7: released (2.7.16-2ubuntu0.1)
eoan_python2.7: not-affected (2.7.16-3)
focal_python2.7: not-affected (2.7.16-3)
groovy_python2.7: not-affected (2.7.16-3)
hirsute_python2.7: not-affected (2.7.16-3)
impish_python2.7: not-affected (2.7.16-3)
jammy_python2.7: not-affected (2.7.16-3)
devel_python2.7: not-affected (2.7.16-3)

Patches_python3.4:
upstream_python3.4: needs-triage
precise/esm_python3.4: DNE
trusty_python3.4: ignored (reached end-of-life)
trusty/esm_python3.4: released (3.4.3-1ubuntu1~14.04.7+esm2)
xenial_python3.4: DNE
bionic_python3.4: DNE
cosmic_python3.4: DNE
disco_python3.4: DNE
eoan_python3.4: DNE
focal_python3.4: DNE
groovy_python3.4: DNE
hirsute_python3.4: DNE
impish_python3.4: DNE
jammy_python3.4: DNE
devel_python3.4: DNE

Patches_python3.5:
 upstream: https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a
upstream_python3.5: needs-triage
precise/esm_python3.5: DNE
trusty_python3.5: ignored (out of standard support)
trusty/esm_python3.5: deferred (2019-04-10)
xenial_python3.5: released (3.5.2-2ubuntu0~16.04.8)
esm-infra/xenial_python3.5: released (3.5.2-2ubuntu0~16.04.8)
bionic_python3.5: DNE
cosmic_python3.5: DNE
disco_python3.5: DNE
eoan_python3.5: DNE
focal_python3.5: DNE
groovy_python3.5: DNE
hirsute_python3.5: DNE
impish_python3.5: DNE
jammy_python3.5: DNE
devel_python3.5: DNE

Patches_python3.6:
 upstream: https://github.com/python/cpython/commit/c50d437e942d4c4c45c8cd76329b05340c02eb31
upstream_python3.6: needs-triage
precise/esm_python3.6: DNE
trusty_python3.6: DNE
trusty/esm_python3.6: DNE
xenial_python3.6: DNE
bionic_python3.6: released (3.6.8-1~18.04.2)
cosmic_python3.6: ignored (reached end-of-life)
disco_python3.6: DNE
eoan_python3.6: DNE
focal_python3.6: DNE
groovy_python3.6: DNE
hirsute_python3.6: DNE
impish_python3.6: DNE
jammy_python3.6: DNE
devel_python3.6: DNE

Patches_python3.7:
 upstream: https://github.com/python/cpython/commit/7e200e0763f5b71c199aaf98bd5588f291585619
upstream_python3.7: needs-triage
precise/esm_python3.7: DNE
trusty_python3.7: DNE
trusty/esm_python3.7: DNE
xenial_python3.7: DNE
bionic_python3.7: needed
cosmic_python3.7: ignored (reached end-of-life)
disco_python3.7: released (3.7.3-2ubuntu0.1)
eoan_python3.7: not-affected (3.7.4-2ubuntu1)
focal_python3.7: DNE
groovy_python3.7: DNE
hirsute_python3.7: DNE
impish_python3.7: DNE
jammy_python3.7: DNE
devel_python3.7: DNE