CVE-2019-16056

Priority
Description
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x
through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses
email addresses that contain multiple @ characters. An application that
uses the email module and implements some kind of checks on the From/To
headers of a message could be tricked into accepting an email address that
should be denied. An attack may be the same as in CVE-2019-11340; however,
this CVE applies to Python more generally.
Assigned-to
mdeslaur
Notes
sarnold: This has a very high risk of regression. Email addresses should
not be validated beyond making sure there's at least one byte on both
sides of an '@' sign. Legal email addresses are significantly more
complicated than what is easy to express in regex.
Whatever validation this module provides is in my opinion suspect.
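As an added illustration (not code from this tracker entry or from CPython): a strict From/To gate in the spirit of the note above, which refuses any header carrying more than one '@' before it ever calls parseaddr, so a domain allow-list built on it cannot be steered by the multi-@ parse described in the Description, patched interpreter or not. The regex, function names and sample addresses are this example's own assumptions.

```python
import re
from email.utils import parseaddr

# Conservative addr-spec shape, constructed for this example. It deliberately
# rejects quoted local parts, comments and dotless domains rather than trying
# to model RFC 5322: the aim is a small, predictable gate, not full validation.
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def strict_parseaddr(header_value):
    """Return (display_name, addr_spec), or None if the header must be rejected.

    email.utils.parseaddr is not trusted on its own: on an unpatched
    interpreter a header like 'a@malicious.example@important.example' comes
    back as 'a@malicious.example', so a check on its result may see a
    different domain than whatever handles the message downstream.
    """
    # Refuse anything with more (or fewer) than one '@' before parsing at all.
    if header_value.count('@') != 1:
        return None
    name, addr = parseaddr(header_value)
    if not addr or not _ADDR_SPEC.match(addr):
        return None
    # The parsed addr-spec must appear verbatim in the raw header; anything the
    # parser had to repair or strip (comments, folding) is treated as suspect.
    if addr not in header_value:
        return None
    return name, addr


def sender_allowed(header_value, allowed_domains):
    """Domain allow-list check that only ever sees addresses the gate accepted."""
    parsed = strict_parseaddr(header_value)
    if parsed is None:
        return False
    domain = parsed[1].rsplit('@', 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}
```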
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (2.7.3-0ubuntu3.15)
Ubuntu 14.04 ESM (Trusty Tahr): released (2.7.6-8ubuntu0.6+esm3)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.7.12-1ubuntu0~16.04.9)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.7.15-4ubuntu4~18.04.2)
Ubuntu 19.04 (Disco Dingo): released (2.7.16-2ubuntu0.2)
Ubuntu 19.10 (Eoan): not-affected (2.7.17~rc1-1)
Patches:
Upstream: https://github.com/python/cpython/commit/4cbcd2f8c4e12b912e4d21fd892eedf7a3813d8e
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): released (3.4.3-1ubuntu1~14.04.7+esm4)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (3.5.2-2ubuntu0~16.04.9)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Patches:
Upstream: https://github.com/python/cpython/commit/063eba280a11d3c9a5dd9ee5abe4de640907951b
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): released (3.6.8-1~18.04.3)
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Patches:
Upstream: https://github.com/python/cpython/commit/13a19139b5e76175bc95294d54afc9425e4f36c9
Package
Upstream: released (3.7.4-4)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.04 (Disco Dingo): released (3.7.3-2ubuntu0.2)
Ubuntu 19.10 (Eoan): not-affected (3.7.4-4)
Patches:
Upstream: https://github.com/python/cpython/commit/c48d606adcef395e59fd555496c42203b01dd3e8
More Information

Updated: 2019-10-11 17:14:27 UTC (commit 8f123d177c2af8a79c99a947d8da99e2f8d24686)