python2: Multiple vulnerabilities (CVE-2019-9740, CVE-2019-9947, CVE-2019-16056)

CVE-2019-9740: Python urllib CRLF injection vulnerability

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-9740
• https://bugs.python.org/issue36276

CVE-2019-9947: Header Injection in urllib

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-9947
• https://bugs.python.org/issue35906

CVE-2019-16056: email.utils.parseaddr mistakenly parse an email

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.

References:

• https://bugs.python.org/issue34155
• https://nvd.nist.gov/vuln/detail/CVE-2019-16056

Affected branches:

• master
• 3.10-stable
• 3.9-stable
• 3.8-stable
• 3.7-stable