Launchpad.net

CVE 2018-20852

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Related bugs and status

CVE-2018-20852 (Candidate) is related to these bugs:

Bug #1835135: FIPS OpenSSL crashes Python2 hashlib

		In	Importance	Status
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu)	High	Triaged
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Bionic)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Xenial)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Cosmic)	Undecided	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Eoan)	High	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Disco)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Bionic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Cosmic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Disco)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Eoan)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Xenial)	Medium	Fix Released

Bug #1835738: SRU: Update Python interpreter to 3.6.9 and 3.7.5

		In	Importance	Status
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Disco)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Disco)	Undecided	Won't Fix
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.6 (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Bionic)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2018-20852

Related bugs and status

Related bugs

References