| Summary: | <dev-lang/python-{2.7.17,3.6.9,3.7.4}: CRLF injection in urllib (CVE-2019-9740) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | mgorny, python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1688169 | | |
| Whiteboard: | A3 [glsa+ cve] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 689822, 689832, 701116 | | |
| Bug Blocks: | | | |

Description
Agostino Sarubbo
2019-03-13 14:06:33 UTC
According to the upstream bug version 1.24.3 now fixes this: https://github.com/urllib3/urllib3/issues/1553

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9

    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest | 1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

Patch included in 2.7.17 which is not yet in repository.
3.5.8rc1: https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a

All affected versions should be gone now.

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).