Bug 689822 (CVE-2018-20852) - <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/ (CVE-2018-20852)
Summary: <dev-lang/python-{2.7.17,3.5.7,3.6.9,3.7.3}: validation flaw in Lib/http/cook...
Alias: CVE-2018-20852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa+ cve]
Depends on: 701116
Blocks: CVE-2019-5010 CVE-2019-9740 CVE-2019-9636 CVE-2019-9947, CVE-2019-9948
Reported: 2019-07-14 07:45 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-15 15:59 UTC

Runtime testing required: ---


Description D'juan McDonald (domhnall) 2019-07-14 07:45:14 UTC

http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/ in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., to steal cookies for When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

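The suffix-matching flaw described above, as an added illustration that is not code from this bug or from CPython: the two domain checks below mirror the shape of DefaultCookiePolicy.domain_return_ok before and after the fix, and the CookieJar probe reports what the running interpreter's http.cookiejar actually does. The host names example.com and notexample.com are constructed, since the page does not name any.

```python
# Domain check of http.cookiejar's DefaultCookiePolicy before and after the
# CVE-2018-20852 fix, plus a probe of the running interpreter's cookiejar.
import http.cookiejar
import urllib.request

# Constructed hosts; the advisory text on the page does not name any.
COOKIE_DOMAIN = "example.com"
GOOD_HOST = "example.com"
SUFFIX_HOST = "notexample.com"  # ends with "example.com" as a plain string


def domain_return_ok_unfixed(domain, req_host):
    """Pre-fix shape: only the request host is dot-prefixed, then a bare
    suffix match is done. ".notexample.com".endswith("example.com") is True,
    so cookies for example.com are sent to the wrong server."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    return req_host.endswith(domain)


def domain_return_ok_fixed(domain, req_host):
    """Post-fix shape: the cookie domain is dot-prefixed too, so a match
    requires a label boundary; "notexample.com" no longer matches."""
    if not req_host.startswith("."):
        req_host = "." + req_host
    dotdomain = domain if domain.startswith(".") else "." + domain
    return req_host.endswith(dotdomain)


def cookie_sent_to(host):
    """Put one constructed cookie for COOKIE_DOMAIN in a real CookieJar and
    report whether add_cookie_header attaches it to a request for host."""
    jar = http.cookiejar.CookieJar()  # uses DefaultCookiePolicy
    jar.set_cookie(http.cookiejar.Cookie(
        0, "session", "constructed-value", None, False,
        COOKIE_DOMAIN, False, False, "/", False,
        False, None, False, None, None, {}))
    req = urllib.request.Request("http://%s/" % host)
    jar.add_cookie_header(req)  # no network: only jar + request are consulted
    return req.has_header("Cookie")


def interpreter_is_patched():
    """True when this interpreter's cookiejar withholds the cookie from a
    host that merely ends with the cookie domain."""
    return cookie_sent_to(GOOD_HOST) and not cookie_sent_to(SUFFIX_HOST)


if __name__ == "__main__":
    print("running interpreter patched:", interpreter_is_patched())
```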
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-07-14 08:04:33 UTC
[?] dev-lang/python
     Available versions:  
     (2.7)  2.7.15 (~)2.7.16{xpak}
     (3.5)  3.5.5(3.5/3.5m)^t (~)3.5.7(3.5/3.5m)^t{xpak}
     (3.6)  3.6.5(3.6/3.6m)^t (~)3.6.8(3.6/3.6m)^t{xpak}
     (3.7)  (~)3.7.2(3.7/3.7m)^t (~)3.7.3(3.7/3.7m)^t{xpak}

So we need to stabilize new versions of 2.7, 3.5, 3.7 and bump+stabilize 3.6.
Comment 2 Larry the Git Cow gentoo-dev 2019-07-14 13:05:06 UTC
The bug has been referenced in the following commit(s):

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9
    Signed-off-by: Michał Górny <>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 13:46:46 UTC
@ maintainer(s): You still need to fix 2.7.x branch ( or bump to 2.7.17!
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-07 01:21:19 UTC
Let's use this one for stabilization.

@ maintainer(s): Please call for stabilization!
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:31:03 UTC
All affected versions should be gone now.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:43:29 UTC
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:59:17 UTC
This issue was resolved and addressed in
 GLSA 202003-26 at
by GLSA coordinator Thomas Deutschmann (whissi).