CVE-2018-20852 (https://nvd.nist.gov/vuln/detail/CVE-2018-20852):
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
Gentoo Security Padawan (domhnall)
[?] dev-lang/python
    Available versions:
      (2.7) 2.7.15 (~)2.7.16{xpak}
      (3.5) 3.5.5(3.5/3.5m)^t (~)3.5.7(3.5/3.5m)^t{xpak}
      (3.6) 3.6.5(3.6/3.6m)^t (~)3.6.8(3.6/3.6m)^t{xpak}
      (3.7) (~)3.7.2(3.7/3.7m)^t (~)3.7.3(3.7/3.7m)^t{xpak}
So we need to stabilize new versions of 2.7, 3.5, 3.7 and bump+stabilize 3.6.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9

    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
@ maintainer(s): You still need to fix the 2.7.x branch (https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13) or bump to 2.7.17!
Let's use this one for stabilization. @ maintainer(s): Please call for stabilization!
All affected versions should be gone now.
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26 by GLSA coordinator Thomas Deutschmann (whissi).