Source: python3.7
Version: 3.7.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugs.python.org/issue36216
Control: clone -1 -2
Control: found -1 3.7.2-2
Control: reassign -2 src:python2.7 2.7.16-1
Control: retitle -2 python2.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
Control: found -2 2.7.16~rc1-1
Control: found -2 2.7.13-2+deb9u3
Control: found -2 2.7.13-2
Hi,

The following vulnerability was published for python3.7.

CVE-2019-9636[0]:
| Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
| Improper Handling of Unicode Encoding (with an incorrect netloc) during
| NFKC normalization. The impact is: Information disclosure (credentials,
| cookies, etc. that are cached against a given hostname). The components
| are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector
| is: A specially crafted URL could be incorrectly parsed to locate
| cookies or authentication data and send that information to a different
| host than when parsed correctly.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
[1] https://bugs.python.org/issue36216
[2] https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x)
[3] https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x)

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
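The netloc problem the CVE text describes can be checked for on the caller's side while an unpatched interpreter is still in use: after NFKC normalization, a hostname must not gain any of the characters urlsplit uses to delimit the netloc. The wrapper below is an added illustration written for this report, not the CPython patch linked above nor Debian's; the sample host containing U+2100 (which NFKC-normalizes to "a/c") is constructed.

```python
import unicodedata
from urllib.parse import urlsplit, SplitResult

# Characters that change how urlsplit interprets the netloc.
NETLOC_DELIMS = "/?#@:"


def netloc_nfkc_safe(netloc: str) -> bool:
    """True if NFKC normalization cannot smuggle a delimiter into netloc.

    Delimiters already present in the raw netloc (e.g. the ':' before a
    port) are ignored; only ones that appear through normalization count.
    """
    if not netloc or all(ord(c) < 128 for c in netloc):
        return True  # pure ASCII never changes under NFKC
    stripped = netloc
    for c in NETLOC_DELIMS:
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in NETLOC_DELIMS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit that rejects URLs whose host changes shape under NFKC.

    A patched interpreter raises ValueError inside urlsplit already; on
    an unpatched one the explicit check below does the same.
    """
    parts = urlsplit(url)
    if not netloc_nfkc_safe(parts.netloc):
        raise ValueError(
            "netloc %r contains characters that become %r under NFKC"
            % (parts.netloc, NETLOC_DELIMS)
        )
    return parts


if __name__ == "__main__":
    print(safe_urlsplit("https://user@example.org:8443/path?q=1").netloc)
    # Constructed sample: U+2100 normalizes to "a/c", introducing "/".
    try:
        safe_urlsplit("https://\u2100.example.org/")
    except ValueError as exc:
        print("rejected:", exc)
```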