Date: Sun, 07 Jun 2020 01:43:05 +0000 From: bugzilla-noreply@freebsd.org To: python@FreeBSD.org Subject: [Bug 246984] lang/python36,37: Fix CVE-2020-8492 Message-ID: <bug-246984-21822-bHN636pQYB@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-246984-21822@https.bugs.freebsd.org/bugzilla/> References: <bug-246984-21822@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D246984 Danilo G. Baio <dbaio@freebsd.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dbaio@freebsd.org --- Comment #4 from Danilo G. Baio <dbaio@freebsd.org> --- Hi. Taking a look at this PR I noticed we have issues in CVE-2019-18348 as well. And vuxml is currently wrong in both CVE's. Simple table to explain: ---------------------------------------------------------------------------= ---- 2.7: 2.7.18 April 20, 2020 CVE-2019-18348 OK / CVE-2020-8492 = OK 3.5: 3.5.9 Nov. 2, 2019 CVE-2019-18348 MS / CVE-2020-8492 = MS 3.6: 3.6.9 (3.6.10) July 2, 2019 CVE-2019-18348 NR / CVE-2020-8492 = NR 3.7: 3.7.7 March 10, 2020 CVE-2019-18348 NR / CVE-2020-8492 = NR=20=20=20 3.8: 3.8.3 May 13, 2020 CVE-2019-18348 OK / CVE-2020-8492 = OK MS - Missing commit in upstream branch (PR open) NR - Next Release, commit is in the branch ---------------------------------------------------------------------------= ---- So we have to patch Python 3.7, update Python 3.6 to 3.6.10+patch and patch Python 3.5 for both CVE's. And fix vuxml ASAP: CVE-2019-18348, needs to add 3.5, 3.6 and 3.7 packages, they are all affec= ted in this moment. CVE-2020-8492, 3.7, needs to update the range, it's informing that 3.7.7 = is not affected. There is a misunderstanding about CVE-2020-8492, in the CVE text it says "3= .7 through 3.7.6", but they applied the fix after 3.7.7 and it's on the branch waiting next release. https://python-security.readthedocs.io/vuln/urlopen-host-http-header-inject= ion.html (CVE-2019-18348) https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html= =20=20 (CVE-2020-8492) 3.5 - https://github.com/python/cpython/pull/19300 (CVE-2019-18348) PR open 3.5 - https://github.com/python/cpython/pull/19305 (CVE-2020-8492) PR open Both patches for 3.5 applied cleanly, but the PRs are still open, should we test it and already add to the ports tree? So in addition to Dani's patch, we need to also address CVE-2019-18348, I t= hink we can do this together. --=20 You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-246984-21822-bHN636pQYB>