[3.6] python3: Multiple vulnerabilities (CVE-2018-14647, CVE-2018-20406, CVE-2019-9636)
CVE-2018-14647: Missing salt initialization in _elementtree.c module
A flaw was found in python’s _elementtree.c module, a wrapper for
libexpat XML parser. xml.etree C accelerator don’t call
XML_SetHashSalt(), failing to properly initiate
the random hash seed from a good CSPRNG source and making hash collision attacks with carefully crafted XML data easier.
Fixed In Version:
python 3.7.1, python 3.6.7, python 2.7.16
CVE-2018-20406: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a
large LONG_BINPUT value that is mishandled during a “resize to twice
the size” attempt.
This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
Improper Handling of Unicode Encoding (with an incorrect netloc) during
The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse.
The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
(from redmine: issue id 10300, created on 2019-04-18, closed on 2019-04-23)
- parent #10297 (closed)
- Revision 47b45e64 by Natanael Copa on 2019-04-22T10:25:00Z:
main/python3: security upgrade to 3.6.8 - CVE-2018-14647 - CVE-2018-20406 - CVE-2019-9636 fixes #10300