From ${URL} : A vulnerability was found in Python 2.7.x through 2.7.16 and 3.x through 3.7.2. An improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization could lead to an Information Disclosure (credentials, cookies, etc. that are cached against a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse components. A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. References: https://bugs.python.org/issue36216 https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html Uptream Patch: https://github.com/python/cpython/pull/12201 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9 commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-03-29 12:27:40 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-03-29 12:59:12 +0000 dev-lang/python: Bump to 3.7.3 Bug: https://bugs.gentoo.org/676700 Bug: https://bugs.gentoo.org/680298 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 2 + dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++ 2 files changed, 327 insertions(+)
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Fixed in 2.7.17 which is not yet available in Gentoo repository.
All affected versions should be gone now.
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).
