Bug 1130847 - (CVE-2019-9948) VUL-1: CVE-2019-9948: python,python3,python27: support of the local_file: scheme makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/226977/
CVSSv3:SUSE:CVE-2019-9948:3.3:(AV:L/A...
Reported: 2019-03-28 13:44 UTC by Karol Babioch
Modified: 2022-06-10 08:40 UTC (History)
Found By: Security Response Team
Description Karol Babioch 2019-03-28 13:44:11 UTC
CVE-2019-9948

urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes
it easier for remote attackers to bypass protection mechanisms that blacklist
file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948
http://www.securityfocus.com/bid/107549
https://bugs.python.org/issue35907
https://github.com/python/cpython/pull/11842
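An added example (not from the bug report or from CPython) showing why a denylist that only rejects `file:` URIs is bypassed by the `local_file:` variant described above, beside an allowlist check that is not; the function names and sample URLs are constructed for illustration.

```python
# Added example, not part of the bug report: a denylist URL filter of the
# kind CVE-2019-9948 bypasses, beside an allowlist-based replacement.
from urllib.parse import urlsplit


def denylist_allows(url):
    """Vulnerable pattern: reject only URLs that literally start with 'file:'."""
    return not url.startswith("file:")


# Application-side defence independent of the CPython fix: accept only the
# schemes the application actually expects, after normalising the URL.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def allowlist_allows(url):
    """Hardened pattern: parse with urlsplit and accept only known schemes."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # urlsplit yields an empty scheme for 'local_file:' (underscore is not a
    # valid scheme character), so that case falls through to rejection too.
    return scheme in ALLOWED_SCHEMES and bool(parts.netloc)


# Constructed samples: (url, should_be_allowed)
CONSTRUCTED_SAMPLES = [
    ("https://example.com/feed", True),
    ("file:///etc/passwd", False),
    ("local_file:///etc/passwd", False),  # the CVE-2019-9948 case
    ("FILE:///etc/passwd", False),        # case variant
    ("  file:///etc/passwd", False),      # leading whitespace variant
]


def misclassified(check):
    """Return the sample URLs for which `check` gives the wrong verdict."""
    return [url for url, expected in CONSTRUCTED_SAMPLES if check(url) != expected]


if __name__ == "__main__":
    print("denylist misclassifies:", misclassified(denylist_allows))
    print("allowlist misclassifies:", misclassified(allowlist_allows))
```

Run directly, the denylist lets all three `file:` variants through while the allowlist rejects them and still accepts the `https://` sample.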
Comment 3 Swamp Workflow Management 2019-04-15 19:10:08 UTC
SUSE-SU-2019:14018-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1, python-doc-2.6-8.40.24.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1, python-doc-2.6-8.40.24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    python-2.6.9-40.24.1, python-base-2.6.9-40.24.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-04-17 19:10:06 UTC
SUSE-SU-2019:0972-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.14-7.11.1, python-doc-2.7.14-7.11.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.14-7.11.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.14-7.11.1, python-base-2.7.14-7.11.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2019-04-25 19:10:01 UTC
openSUSE-SU-2019:1273-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
openSUSE Leap 15.0 (src):    python-2.7.14-lp150.6.10.1
Comment 6 Swamp Workflow Management 2019-06-06 19:12:28 UTC
SUSE-SU-2019:1439-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
SUSE OpenStack Cloud 7 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    python-base-2.7.13-28.26.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP3 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE Enterprise Storage 5 (src):    python-2.7.13-28.26.1
SUSE Enterprise Storage 4 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1, python-doc-2.7.13-28.26.1
SUSE CaaS Platform ALL (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
SUSE CaaS Platform 3.0 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1
OpenStack Cloud Magnum Orchestration 7 (src):    python-2.7.13-28.26.1, python-base-2.7.13-28.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-06-18 23:13:26 UTC
openSUSE-SU-2019:1580-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1129346,1130847
CVE References: CVE-2019-9636,CVE-2019-9948
Sources used:
openSUSE Leap 42.3 (src):    python-2.7.13-27.15.1, python-base-2.7.13-27.15.1, python-doc-2.7.13-27.15.1
Comment 9 Swamp Workflow Management 2020-01-24 20:13:52 UTC
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Robert Frohl 2020-09-30 08:38:35 UTC
released
Comment 12 OBSbugzilla Bot 2022-02-06 22:30:42 UTC
This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/951983 Factory / python
Comment 13 OBSbugzilla Bot 2022-02-09 19:10:50 UTC
This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/953031 Factory / python
Comment 14 OBSbugzilla Bot 2022-06-10 08:40:44 UTC
This is an autogenerated message for OBS integration:
This bug (1130847) was mentioned in
https://build.opensuse.org/request/show/981989 Factory / python