Comment 1 GLSAMaker/CVETool Bot 2020-03-02 07:10:59 UTC

CVE-2020-8492 (https://nvd.nist.gov/vuln/detail/CVE-2020-8492):
  Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7
  through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct
  Regular Expression Denial of Service (ReDoS) attacks against a client
  because of urllib.request.AbstractBasicAuthHandler catastrophic
  backtracking.

Comment 2 Michał Górny 2020-03-02 09:12:40 UTC

So apparently 3.8.2 is the only good version now.

Comment 3 Michał Górny 2020-03-02 09:22:00 UTC

Hmm, no, apparently the CVE didn't account for 3.8.2.  Upstream did not merge a fix yet ;-/.

Comment 4 Sam James 2020-04-21 08:44:52 UTC

(In reply to Michał Górny from comment #3)
> Hmm, no, apparently the CVE didn't account for 3.8.2.  Upstream did not
> merge a fix yet ;-/.

Patched in 2.7.18: https://github.com/python/cpython/commit/e6499033032d5b647e43a3b49da0c1c64b151743

3.6: https://github.com/python/cpython/commit/69cdeeb93e0830004a495ed854022425b93b3f3e

3.7: https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e

3.8: https://github.com/python/cpython/commit/ea9e240aa02372440be8024acb110371f69c9d41

master (3.9?): https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4

PR: https://github.com/python/cpython/pull/18284

Comment 5 Larry the Git Cow 2020-04-22 13:32:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d0962541c4227d11c9fbcc5373104676680859f

commit 4d0962541c4227d11c9fbcc5373104676680859f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:20:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:28 +0000

    dev-lang/python: Backport secfixes to 3.9.0a5, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                      |   2 +
 dev-lang/python/python-3.9.0_alpha5-r1.ebuild | 329 ++++++++++++++++++++++++++
 2 files changed, 331 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d24d55c6519197b1f7f70c9233aac9d06823a0cc

commit d24d55c6519197b1f7f70c9233aac9d06823a0cc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:16:04 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:26 +0000

    dev-lang/python: Backport secfixes to 3.8.2, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   2 +-
 dev-lang/python/python-3.8.2-r2.ebuild | 348 +++++++++++++++++++++++++++++++++
 2 files changed, 349 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84738a6394aa497ed0cc14c1cca27cf2f3a42030

commit 84738a6394aa497ed0cc14c1cca27cf2f3a42030
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 12:11:25 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:25 +0000

    dev-lang/python: Backport secfixes to 3.7.7, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest               |   1 +
 dev-lang/python/python-3.7.7-r2.ebuild | 345 +++++++++++++++++++++++++++++++++
 2 files changed, 346 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f79755dbf44b79c2f5b99e9f3258b656d2d99ebb

commit f79755dbf44b79c2f5b99e9f3258b656d2d99ebb
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:57:16 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:24 +0000

    dev-lang/python: Backport secfixes to 3.6.10, redo patchset
    
    Bug: https://bugs.gentoo.org/707822
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.6.10-r2.ebuild | 359 ++++++++++++++++++++++++++++++++
 2 files changed, 360 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca57e96ecbcd060e4f70aa24ccd83470ccb8a434

commit ca57e96ecbcd060e4f70aa24ccd83470ccb8a434
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-22 11:33:10 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-22 13:32:23 +0000

    dev-lang/python: Bump to 2.7.18
    
    Bug: https://bugs.gentoo.org/707822
    Closes: https://bugs.gentoo.org/716332
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   2 +
 dev-lang/python/python-2.7.18.ebuild | 366 +++++++++++++++++++++++++++++++++++
 2 files changed, 368 insertions(+)

Comment 6 Mikle Kolyada (RETIRED) 2020-04-25 10:47:48 UTC

amd64 stable

Comment 7 Agostino Sarubbo 2020-04-26 18:15:47 UTC

arm stable

Comment 8 Thomas Deutschmann (RETIRED) 2020-04-26 23:48:33 UTC

x86 stable

Comment 9 Sam James 2020-04-28 23:29:55 UTC

arm64 stable

Comment 10 Agostino Sarubbo 2020-04-30 15:59:01 UTC

s390 stable

Comment 11 Agostino Sarubbo 2020-05-01 13:59:10 UTC

ppc stable

Comment 12 Agostino Sarubbo 2020-05-01 14:01:02 UTC

ppc64 stable

Comment 13 GLSAMaker/CVETool Bot 2020-05-14 22:19:57 UTC

This issue was resolved and addressed in
 GLSA 202005-09 at https://security.gentoo.org/glsa/202005-09
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 14 Thomas Deutschmann (RETIRED) 2020-05-14 22:21:02 UTC

Re-opening for cleanup and remaining architectures.

Comment 15 Sam James 2020-06-08 04:02:12 UTC

@hppa, sparc: ping

Comment 16 Rolf Eike Beer 2020-06-09 17:11:28 UTC

sparc stable

Comment 17 Rolf Eike Beer 2020-06-20 19:17:56 UTC

hppa stable

Comment 18 Sam James 2020-06-22 20:42:40 UTC

@maintainer(s), please cleanup

Comment 19 Michał Górny 2020-07-15 04:50:37 UTC

Cleanup was done here.

Comment 20 NATTkA bot 2020-08-02 02:49:00 UTC

Unable to check for sanity:

> no match for package: dev-lang/python-2.7.18

Comment 21 Aaron Bauman (RETIRED) 2020-08-02 02:51:13 UTC

tree is clean

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9