| Summary: | dev-lang/python-{3.6.11-r1, 3.7.8-r1, 3.8.3-r1}: Multiple vulnerabilities (CVE-2020-14422) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | mgorny, python |
| Priority: | Normal | Keywords: | CC-ARCHES |
| Version: | unspecified | Flags: | nattka: sanity-check- |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.python.org/issue41004 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=707822, https://bugs.gentoo.org/show_bug.cgi?id=730662 | | |
| Whiteboard: | A3 [glsa+ cve] | | |
| Package list: | dev-lang/python-3.6.11-r1, dev-lang/python-3.7.8-r1, dev-lang/python-3.8.3-r1 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 732498 | | |
| Bug Blocks: | | | |
Description
Sam James
2020-06-18 14:50:43 UTC
Another vulnerability has been reported. "Email module incorrect handling of CR and LF newline characters in Address objects."

Bug: https://bugs.python.org/issue39073
Python 3.6 patch: https://github.com/python/cpython/commit/7df32f844efed33ca781a016017eab7050263b90
Python 3.7 patch: https://github.com/python/cpython/commit/a93bf82980d7c02217a088bafa193f32a4d13abb
Python 3.8 patch: https://github.com/python/cpython/commit/75635c6095bcfbb9fccc239115d3d03ae20a307f

Both are resolved in 3.9.0b4. Both are queued for 3.8.4 final, I'll backport them in the meantime. CRLF bug is fixed already in 3.7.8 and 3.6.11, I'll backport the ipaddress fix.

ipaddress does not exist in 2.7, and the relevant email class doesn't seem to exist either.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3095f51cda2c13d8289c53966bd9f4ac354e5d73

commit 3095f51cda2c13d8289c53966bd9f4ac354e5d73
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-04 19:49:43 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-04 19:50:56 +0000

dev-lang/python: Backport CVE-2020-14422 & emailaddr CRLF fixes

Bug: https://bugs.gentoo.org/728668
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-lang/python/Manifest | 6 +++---
dev-lang/python/{python-3.6.11.ebuild => python-3.6.11-r1.ebuild} | 2 +-
dev-lang/python/{python-3.7.8.ebuild => python-3.7.8-r1.ebuild} | 2 +-
dev-lang/python/{python-3.8.3.ebuild => python-3.8.3-r1.ebuild} | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)

amd64 done
ppc64 stable
sparc stable
ppc stable
x86 stable
arm64 stable
arm stable
s390 stable

Fixed versions:
* dev-lang/python-3.6.11-r1
* dev-lang/python-3.7.8-r1
* dev-lang/python-3.8.3-r1

Python 2.x unclear if affected. Finishing stabilisation in bug 732498.

Unable to check for sanity:
> dependent bug #732498 is missing keywords

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b56771127f16adedc71c66627bd4a5b7804af9

commit b6b56771127f16adedc71c66627bd4a5b7804af9
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-08-02 02:45:31 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-08-02 02:46:01 +0000

dev-lang/python: drop vulnerable

Bug: https://bugs.gentoo.org/732498
Bug: https://bugs.gentoo.org/728668
Signed-off-by: Aaron Bauman <bman@gentoo.org>

dev-lang/python/Manifest | 12 --
dev-lang/python/python-2.7.18.ebuild | 366 --------------------------------
dev-lang/python/python-3.6.10-r2.ebuild | 357 -------------------------------
dev-lang/python/python-3.6.11-r1.ebuild | 357 -------------------------------
dev-lang/python/python-3.7.7-r2.ebuild | 343 ------------------------------
dev-lang/python/python-3.7.8-r1.ebuild | 343 ------------------------------
dev-lang/python/python-3.8.2-r2.ebuild | 346 ------------------------------
dev-lang/python/python-3.8.3-r1.ebuild | 346 ------------------------------
dev-lang/python/python-3.8.4.ebuild | 346 ------------------------------
9 files changed, 2816 deletions(-)

Unable to check for sanity:
> no match for package: dev-lang/python-3.6.11-r1

This issue was resolved and addressed in GLSA 202008-01 at https://security.gentoo.org/glsa/202008-01 by GLSA coordinator Sam James (sam_c). (hppa did the newer bug).
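The description above quotes the CPython bug (bpo-39073) for the email-module CRLF issue but does not show what "incorrect handling of CR and LF in Address objects" means in practice. The following is an added example, not part of this Gentoo bug, the GLSA, or CPython itself: a small check an administrator can run against an interpreter to confirm the fix is present, plus a defence-in-depth wrapper for code that must also run on unpatched interpreters. The function names (`raises_value_error`, `string_header_rejects_crlf`, `address_rejects_crlf`, `safe_address`) and the sample display name are this example's own constructions.

```python
# Added example (not from the Gentoo bug or CPython): verify the bpo-39073
# behaviour of email.headerregistry.Address.
#
# Background, as the check relies on it: the default email policy already
# refuses a *string* header value that spans more than one line.  An Address
# object set as a header value skips that string check, so before the fix an
# Address whose display name carried CR/LF could push an extra header line
# into the serialised message.  Fixed interpreters make Address() itself raise
# ValueError when any part contains CR or LF.
from email.headerregistry import Address
from email.message import EmailMessage
from email.policy import default

# Constructed sample input: a display name that carries an extra header line.
INJECTED_NAME = "Alice\r\nX-Injected: yes"


def raises_value_error(fn) -> bool:
    """True if calling fn() raises ValueError (hypothetical helper)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def string_header_rejects_crlf() -> bool:
    """The default policy refuses multi-line string header values outright."""
    msg = EmailMessage(policy=default)

    def assign() -> None:
        msg["To"] = f"{INJECTED_NAME} <alice@example.invalid>"

    return raises_value_error(assign)


def address_rejects_crlf() -> bool:
    """True when Address() refuses CR/LF in every part, i.e. the fix is present."""
    for part in ("\r", "\n", "\r\n"):
        for kwargs in (
            {"display_name": "Alice" + part + "X: y", "username": "alice", "domain": "example.invalid"},
            {"display_name": "Alice", "username": "alice" + part, "domain": "example.invalid"},
            {"display_name": "Alice", "username": "alice", "domain": "example.invalid" + part},
        ):
            if not raises_value_error(lambda kw=kwargs: Address(**kw)):
                return False
    return True


def safe_address(display_name: str, username: str, domain: str) -> Address:
    """Defence in depth for interpreters without the fix: validate, then construct.

    Rejecting CR/LF here keeps the same contract a fixed interpreter enforces,
    so application code behaves identically on patched and unpatched Pythons.
    """
    for label, value in (("display_name", display_name), ("username", username), ("domain", domain)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"{label} must not contain CR or LF")
    return Address(display_name=display_name, username=username, domain=domain)


if __name__ == "__main__":
    print("string header values rejected:", string_header_rejects_crlf())
    print("Address() rejects CR/LF (fix present):", address_rejects_crlf())
    print("safe_address rejects injected name:",
          raises_value_error(lambda: safe_address(INJECTED_NAME, "alice", "example.invalid")))
```

On a fixed interpreter all three lines print `True`; on an interpreter that predates the backported commits, the second line prints `False`, which is the signal to update (on Gentoo, to one of the fixed versions listed in this bug) or to route all Address construction through a validating wrapper like `safe_address` until that is done.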