python3: urllib basic auth regex denial of service (CVE-2020-8492)

Python 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

References:

https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
https://nvd.nist.gov/vuln/detail/CVE-2020-8492

Patches:

https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e (3.6)
https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e (3.7)

Affected branches:

master (99c19536)
3.11-stable (b98b6bd7)
3.10-stable
3.9-stable

Edited May 30, 2020 by Leo

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information