CVE-2019-9948 (https://nvd.nist.gov/vuln/detail/CVE-2019-9948): urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. CVE-2019-9947 (https://nvd.nist.gov/vuln/detail/CVE-2019-9947): An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) followed by an HTTP header or a Redis command. This is similar to CVE-2019-9740.
CVE-2019-9947 is handled in bug 680246. CVE-2019-9948: 2.7: Fixed in 2.7.17 which is not yet available in Gentoo repository. 3.5.8rc1: https://github.com/python/cpython/commit/4fe82a8eef7aed60de05bfca0f2c322730ea921e
All affected versions should be gone now.
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).
