[3.8] python2: Multiple vulnerabilities (CVE-2018-14647, CVE-2019-9636, CVE-2019-9948)
CVE-2018-14647: Missing salt initialization in _elementtree.c module
A flaw was found in Python's _elementtree.c module, a wrapper for the
libexpat XML parser. The xml.etree C accelerator doesn't call
XML_SetHashSalt(), so it fails to properly initialize the random hash seed
from a good CSPRNG source, which makes hash collision attacks with carefully crafted XML data easier.
Fixed In Version:
python 3.7.1, python 3.6.7, python 2.7.16
CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by:
Improper Handling of Unicode Encoding (with an incorrect netloc) during
The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse.
The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than
when parsed correctly.
CVE-2019-9948: local_file allows remote attackers to bypass protection mechanisms
urllib in Python 2.x through 2.7.16 supports the local_file: scheme,
which makes it easier for remote attackers to bypass
protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
(from redmine: issue id 10294, created on 2019-04-18)
- parent #10291
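
An added example (not part of the original issue and not CPython's own code), written for Python 3, covering the CVE-2019-9948 and CVE-2019-9636 descriptions above: a scheme allowlist beside a `file:`-only blacklist, plus a check that rejects a netloc in which NFKC normalization makes a URL delimiter appear. The function names, the `http`/`https` allowlist and the sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web fetches are needed
DELIMITERS = "/?#@:"


def scheme_of(url):
    """Lower-cased text before the first ':' (empty if there is none)."""
    head, sep, _ = url.partition(":")
    return head.lower() if sep else ""


def denylist_check(url):
    """Weak filter of the kind CVE-2019-9948 bypasses: blocks only file:."""
    return scheme_of(url) != "file"


def nfkc_adds_delimiter(netloc):
    """True if NFKC normalization makes a URL delimiter appear in netloc."""
    stripped = "".join(c for c in netloc if c not in DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    return normalized != stripped and any(c in normalized for c in DELIMITERS)


def is_safe_url(url):
    """Allowlist the scheme, then reject hosts that change under NFKC."""
    if scheme_of(url) not in ALLOWED_SCHEMES:
        return False
    try:
        netloc = urlsplit(url).netloc
    except ValueError:  # patched interpreters already refuse such netlocs
        return False
    return bool(netloc) and not nfkc_adds_delimiter(netloc)


# Constructed sample inputs; nothing is fetched.
SAMPLES = [
    "https://example.com/index.html",
    "file:///etc/passwd",
    "local_file:///etc/passwd",
    "http://\u2100.example.com/",  # U+2100 normalizes to "a/c"
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(ascii(url), denylist_check(url), is_safe_url(url))
```

The blacklist passes `local_file:` while the allowlist refuses it, and the NFKC check gives the same verdict on interpreters with and without the urlsplit fix.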