Bugzilla – Bug 1155094
VUL-0: CVE-2019-18348: python,python36,python3,python27: CRLF injection via the host part of the url passed to urlopen()
Last modified: 2022-06-10 08:40:59 UTC
CVE-2019-18348 An issue was discovered in urllib/urllib2 in Python. CRLF injection is possible if the attacker controls the host part of the url parameter passed to urlopen(). The fix for CVE-2019-9947 is ineffective if the glibc version used by python is still affected by CVE-2016-10739. The original fix for CVE-2019-9947 only checked the part of the URL after the port (e.g. in "http://server:7777/my/path?query" only "/my/path?query" was checked for invalid characters) so if an attacker can control the hostname part he is still able to inject HTTP headers. Due to CVE-2016-10739, getaddrinfo() resolves an invalid hostname as a valid one, so the URL can contain CRLF sequences and, at the same time, it can be resolved to a valid host.
Reference: https://bugs.python.org/issue30458#msg347282
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1727276
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18348
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18348.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348
https://bugs.python.org/issue30458#msg347282
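As an added illustration of the gap the description above points at (example code written for this page, not CPython's patch, the SUSE packages, or anything posted in the thread): a path-only check in the style of the original CVE-2019-9947 fix beside a check that also inspects the host. The character class is the one CPython's http.client uses for its path check; the function names, the `split_url` helper and the sample URLs are constructed for the example and target Python 3.

```python
import re
from http.client import InvalidURL

# Character class matching CPython's own path check for CVE-2019-9947:
# ASCII control characters, space and DEL. Applying the same class to the
# host closes the gap described in CVE-2019-18348.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


def split_url(url: str):
    """Minimal splitter (constructed helper) that keeps every byte of the input.

    urllib.parse.urlsplit is deliberately not used: recent CPython releases
    strip CR, LF and TAB while parsing, which would hide exactly the
    characters this check is about.
    """
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise InvalidURL("missing scheme: %r" % url)
    slash = rest.find("/")
    if slash == -1:
        return scheme, rest, ""
    return scheme, rest[:slash], rest[slash:]


def path_only_check(url: str) -> bool:
    """Behaviour of the original CVE-2019-9947 fix: only the part after
    host:port is inspected, so a host carrying CRLF passes unnoticed."""
    _, _, target = split_url(url)
    return _DISALLOWED.search(target) is None


def host_and_path_check(url: str) -> bool:
    """Hardened check: host (netloc) and the rest are both inspected."""
    _, netloc, target = split_url(url)
    return (_DISALLOWED.search(netloc) is None
            and _DISALLOWED.search(target) is None)


def validated_url(url: str) -> str:
    """Gate to place in front of urlopen(): raise InvalidURL instead of
    handing a URL with embedded control characters to the HTTP client."""
    if not host_and_path_check(url):
        raise InvalidURL("URL contains control characters: %r" % url)
    return url


def rejected_by_gate(url: str) -> bool:
    """True when validated_url() refuses the URL."""
    try:
        validated_url(url)
    except InvalidURL:
        return True
    return False


# Constructed inputs: a benign URL, CRLF in the path, CRLF in the host.
# "X-Constructed" is a dummy header name used only to make the line visible.
SAMPLES = {
    "benign": "http://example.com:7777/my/path?query",
    "crlf_in_path": "http://example.com:7777/my/path\r\nX-Constructed: 1",
    "crlf_in_host": "http://example.com\r\nX-Constructed: 1\r\n:7777/my/path?query",
}


def audit(samples=SAMPLES):
    """Map each sample to (path-only verdict, host-and-path verdict)."""
    return {name: (path_only_check(u), host_and_path_check(u))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in audit().items():
        print(f"{name:13s} path-only: {'pass' if old else 'reject'}   "
              f"host+path: {'pass' if new else 'reject'}")
```

Running it shows the benign URL passing both checks, the CRLF-in-path URL failing both, and the CRLF-in-host URL passing the path-only check while the host-and-path check rejects it. Whether the resolver would then accept such a hostname (the glibc side, CVE-2016-10739) does not matter once the client refuses to send the request at all.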
A separate issue just for this CVE has been opened upstream https://bugs.python.org/issue38576 .
See https://bugzilla.redhat.com/show_bug.cgi?id=1727276#c6 (comments 6 and 7):
> This issue affects the versions of python and python3 as shipped with Red Hat Enterprise Linux 7, however users running Red Hat Enterprise Linux 7.7 and above are not vulnerable because glibc flaw CVE-2016-10739 was fixed in RHSA-2019:2118-03, which makes this bug not exploitable.
> This flaw can be exploited only when glibc flaw CVE-2016-10739 is not fixed, as it requires getaddrinfo() function to resolve an invalid hostname, containing control characters like the CRLF sequence, as a valid one.
What is the status of CVE-2016-10739 in the individual SUSE distributions, and which exact channels are affected by this?
Upstream patch is https://github.com/python/cpython/pull/18995 (backported to 2.7 by me on https://github.com/python/cpython/pull/19052).
SUSE-SU-2020:0750-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1155094
CVE References: CVE-2019-18348
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): python36-3.6.10-4.9.1, python36-base-3.6.10-4.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0854-1: An update that solves three vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 1155094,1162224,1162367,1162825,1165894
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE OpenStack Cloud 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE OpenStack Cloud 7 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP4 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
SUSE Enterprise Storage 5 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
HPE Helion Openstack 8 (src): python3-3.4.10-25.45.1, python3-base-3.4.10-25.45.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SLE-10-SP3 has Python 2.4; it is too far from the base to make the port work, so WONTFIX there.
SUSE-SU-2020:1339-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1, python-doc-2.7.17-7.38.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.38.1, python-base-2.7.17-7.38.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0696-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1155094,1162825
CVE References: CVE-2019-18348,CVE-2019-9674
Sources used:
openSUSE Leap 15.1 (src): python-2.7.17-lp151.10.17.1, python-base-2.7.17-lp151.10.17.1, python-doc-2.7.17-lp151.10.17.1
SUSE-SU-2020:1524-1: An update that solves three vulnerabilities and has 18 fixes is now available.
Category: security (moderate)
Bug References: 1027282,1041090,1042670,1073269,1073748,1078326,1078485,1081750,1084650,1086001,1149792,1153830,1155094,1159035,1162224,1162367,1162825,1165894,1170411,1171561,945401
CVE References: CVE-2019-18348,CVE-2019-9674,CVE-2020-8492
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE OpenStack Cloud 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE OpenStack Cloud 7 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src): python-base-2.7.17-28.42.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src): python-base-2.7.17-28.42.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python-rpm-macros-20200207.5feb6c1-3.19.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python-base-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP5 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP4 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
SUSE Enterprise Storage 5 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
HPE Helion Openstack 8 (src): python-2.7.17-28.42.1, python-base-2.7.17-28.42.1, python-doc-2.7.17-28.42.1, python-rpm-macros-20200207.5feb6c1-3.19.1, shared-python-startup-0.1-1.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update has been released, this bug can be closed.
Done
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/851167 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
SUSE-SU-2020:3865-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (important)
Bug References: 1155094,1162367,1174571,1176262,1178009,1179630
CVE References: CVE-2019-18348,CVE-2019-20916,CVE-2020-27619,CVE-2020-8492
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): python36-3.6.12-4.25.1, python36-core-3.6.12-4.25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
SUSE-SU-2020:3930-1: An update that fixes 8 vulnerabilities, contains two features is now available.
Category: security (important)
Bug References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630
CVE References: CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
JIRA References: ECO-2799,SLE-13738
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Server 15-LTSS (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): python3-3.6.12-3.67.2, python3-core-3.6.12-3.67.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:2332-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630
CVE References: CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): python3-3.6.12-lp152.4.12.2, python3-core-3.6.12-lp152.4.12.2, python3-documentation-3.6.12-lp152.4.12.2
openSUSE-SU-2020:2333-1: An update that fixes 8 vulnerabilities is now available.
Category: security (important)
Bug References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630
CVE References: CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): python3-3.6.12-lp151.6.30.1, python3-core-3.6.12-lp151.6.30.1, python3-documentation-3.6.12-lp151.6.30.1
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/919877 Factory / python
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
This is an autogenerated message for OBS integration: This bug (1155094) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python