Launchpad CVE tracker

CVE 2019-9636

Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Related bugs and status

CVE-2019-9636 (Candidate) is related to these bugs:

Bug #1808476: Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants

		In	Importance	Status
1808476	Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants	python2.7 (Ubuntu)	Undecided	Fix Released
1808476	Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants	python2.7 (Ubuntu Disco)	Undecided	Fix Released
1808476	Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants	python2.7 (Ubuntu Cosmic)	Undecided	Fix Released
1808476	Please bump libssl1.1 dependency to at least >= 1.1.1, as headers leak constants	python2.7 (Ubuntu Bionic)	Undecided	Fix Released

Bug #1821869: bus error in test_gil test on armhf with 64bit kernel

		In	Importance	Status
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.7 (Ubuntu)	High	Fix Released
1821869	bus error in test_gil test on armhf with 64bit kernel	Python	Unknown	Fix Released
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.7 (Ubuntu Disco)	High	Fix Released
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.6 (Ubuntu Cosmic)	Undecided	Fix Released
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.7 (Ubuntu Cosmic)	Undecided	Fix Released
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.6 (Ubuntu Bionic)	Undecided	Triaged
1821869	bus error in test_gil test on armhf with 64bit kernel	python3.7 (Ubuntu Bionic)	Undecided	Fix Released

Bug #1822993: SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8

		In	Importance	Status
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3.7 (Ubuntu)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python2.7 (Ubuntu)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python2.7 (Ubuntu Cosmic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python-stdlib-extensions (Ubuntu Cosmic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3.7 (Ubuntu Cosmic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3.6 (Ubuntu Cosmic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3-stdlib-extensions (Ubuntu Cosmic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python3-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released
1822993	SRU: update Python 2.7 to 2.7.16, Python 3.7 to 3.7.3 and 3.6 to 3.6.8	python-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released

Bug #1835135: FIPS OpenSSL crashes Python2 hashlib

		In	Importance	Status
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu)	High	Triaged
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Bionic)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Xenial)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Cosmic)	Undecided	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Eoan)	High	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Disco)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Bionic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Cosmic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Disco)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Eoan)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Xenial)	Medium	Fix Released

Bug #1835738: SRU: Update Python interpreter to 3.6.9 and 3.7.5

		In	Importance	Status
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Disco)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Disco)	Undecided	Won't Fix
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.6 (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Bionic)	Undecided	Fix Released

Bug #1855133: SRU: update python2.7 to the 2.7.17 release

		In	Importance	Status
1855133	SRU: update python2.7 to the 2.7.17 release	python2.7 (Ubuntu)	Undecided	Fix Released
1855133	SRU: update python2.7 to the 2.7.17 release	python2.7 (Ubuntu Bionic)	Undecided	Fix Released
1855133	SRU: update python2.7 to the 2.7.17 release	python-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1855133	SRU: update python2.7 to the 2.7.17 release	python-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released
1855133	SRU: update python2.7 to the 2.7.17 release	python-stdlib-extensions (Ubuntu Eoan)	Undecided	Fix Released
1855133	SRU: update python2.7 to the 2.7.17 release	python2.7 (Ubuntu Eoan)	Undecided	Fix Released

Bug #1887438: Controller-0 Not Ready after force rebooting active controller (Controller-1)

Summary				In	Importance	Status
	1887438	Controller-0 Not Ready after force rebooting active controller (Controller-1)		StarlingX	Medium	Fix Released

Bug #1906470: CVE-2019-11068: libxslt: bypass of protection mechanism

Summary				In	Importance	Status
	1906470	CVE-2019-11068: libxslt: bypass of protection mechanism		StarlingX	High	Fix Released

Bug #1906471: CVE-2019-17006: nss: crypto primitives missing length checks

Summary				In	Importance	Status
	1906471	CVE-2019-17006: nss: crypto primitives missing length checks		StarlingX	High	Fix Released

Bug #1908088: stx-tools: yum fails in Docker with misleading error messages

Summary				In	Importance	Status
	1908088	stx-tools: yum fails in Docker with misleading error messages		StarlingX	Low	Fix Released

Bug #1908297: populate_downloads.sh doesn't clean/backup old content

Summary				In	Importance	Status
	1908297	populate_downloads.sh doesn't clean/backup old content		StarlingX	Low	Fix Released

Bug #1908751: mirror-check.sh failes for layered build

Summary				In	Importance	Status
	1908751	mirror-check.sh failes for layered build		StarlingX	Low	Triaged

Bug #1910130: Build of 'compile' layer fails due to missing python3 dependencies

Summary				In	Importance	Status
	1910130	Build of 'compile' layer fails due to missing python3 dependencies		StarlingX	Critical	Fix Released

Bug #1912139: CVE-2018-19519: tcpdump: a stack-based buffer over-read

Summary				In	Importance	Status
	1912139	CVE-2018-19519: tcpdump: a stack-based buffer over-read		StarlingX	Medium	Fix Released

Bug #1912682: tools: Dockerfile: yum install silently ignores errors

Summary				In	Importance	Status
	1912682	tools: Dockerfile: yum install silently ignores errors		StarlingX	Low	Fix Released

Bug #1915050: IPv6: All hosts remain offline after booting off the controller-0

Summary				In	Importance	Status
	1915050	IPv6: All hosts remain offline after booting off the controller-0		StarlingX	Critical	Fix Released

Bug #1917864: bash: shell commands are no longer logged to /var/log/bash.log

Summary				In	Importance	Status
	1917864	bash: shell commands are no longer logged to /var/log/bash.log		StarlingX	High	Fix Released

Bug #1917901: tb.sh create fails on rmdir /var/lib/mock

Summary				In	Importance	Status
	1917901	tb.sh create fails on rmdir /var/lib/mock		StarlingX	High	Fix Released

Bug #1918154: CVE-2020-10878: perl: perl before 5.30.3 has an integer overflow

Summary				In	Importance	Status
	1918154	CVE-2020-10878: perl: perl before 5.30.3 has an integer overflow		StarlingX	High	Fix Released

Bug #1918477: download_mirror.sh is slow

Summary				In	Importance	Status
	1918477	download_mirror.sh is slow		StarlingX	High	Fix Released

Bug #1920024: linuxsoft.cern.ch is no longer responding

Summary				In	Importance	Status
	1920024	linuxsoft.cern.ch is no longer responding		StarlingX	High	Fix Released

Bug #1923458: basearch not always set

Summary				In	Importance	Status
	1923458	basearch not always set		StarlingX	Medium	Fix Released

Bug #1924691: systemd sends tons of useless PropertiesChanged messages when a mount happens

Summary				In	Importance	Status
	1924691	systemd sends tons of useless PropertiesChanged messages when a mount happens		StarlingX	Medium	Fix Released

Bug #1926372: CVE-2021-26937 screen segfault

Summary				In	Importance	Status
	1926372	CVE-2021-26937 screen segfault		StarlingX	High	Fix Released

Bug #1926987: Download_mirror.sh fails on 'flockflock'

Summary				In	Importance	Status
	1926987	Download_mirror.sh fails on 'flockflock'		StarlingX	Critical	Fix Released

Bug #1927137: Docker build env fails on git-review

Summary				In	Importance	Status
	1927137	Docker build env fails on git-review		StarlingX	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2019-9636

References