From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 246984] lang/python36,37: Fix CVE-2020-8492
Date: Sun, 07 Jun 2020 01:43:05 +0000
List-Id: FreeBSD-specific Python issues (freebsd-python@freebsd.org)
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: needs-qa, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: dbaio@freebsd.org
X-Bugzilla-Status: Open
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: python@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback? merge-quarterly?
X-Bugzilla-Changed-Fields: cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Danilo G. Baio changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dbaio@freebsd.org

--- Comment #4 from Danilo G. Baio ---
Hi.

Taking a look at this PR I noticed we have issues in CVE-2019-18348 as well.
And vuxml is currently wrong in both CVEs.
Simple table to explain:
--------------------------------------------------------------------------------
Branch  Port version     Released         Status
2.7:    2.7.18           April 20, 2020   CVE-2019-18348 OK / CVE-2020-8492 OK
3.5:    3.5.9            Nov. 2, 2019     CVE-2019-18348 MS / CVE-2020-8492 MS
3.6:    3.6.9 (3.6.10)   July 2, 2019     CVE-2019-18348 NR / CVE-2020-8492 NR
3.7:    3.7.7            March 10, 2020   CVE-2019-18348 NR / CVE-2020-8492 NR
3.8:    3.8.3            May 13, 2020     CVE-2019-18348 OK / CVE-2020-8492 OK

MS - Missing commit in upstream branch (PR open)
NR - Next Release, commit is in the branch
--------------------------------------------------------------------------------

So we have to patch Python 3.7, update Python 3.6 to 3.6.10+patch and patch
Python 3.5 for both CVEs.

And fix vuxml ASAP:

CVE-2019-18348: needs to add the 3.5, 3.6 and 3.7 packages, they are all
affected at this moment.

CVE-2020-8492: 3.7 needs to update the range, it's informing that 3.7.7 is
not affected.

There is a misunderstanding about CVE-2020-8492: in the CVE text it says "3.7
through 3.7.6", but they applied the fix after 3.7.7 and it's on the branch
waiting for the next release.

https://python-security.readthedocs.io/vuln/urlopen-host-http-header-injection.html
(CVE-2019-18348)
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
(CVE-2020-8492)

3.5 - https://github.com/python/cpython/pull/19300 (CVE-2019-18348) PR open
3.5 - https://github.com/python/cpython/pull/19305 (CVE-2020-8492) PR open

Both patches for 3.5 applied cleanly, but the PRs are still open; should we
test them and already add them to the ports tree?

So in addition to Dani's patch, we need to also address CVE-2019-18348. I think
we can do this together.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
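The comment above makes the point that the version string of a Python port says nothing reliable about whether these two fixes are in it (3.7.7 ships without the CVE-2020-8492 change even though the CVE text stops at 3.7.6). What a ports maintainer doing QA wants is a probe that asks the interpreter itself. The script below is an added example written for this page; it is not part of the bug thread, the python-security pages, or CPython. It checks the CVE-2019-18348 fix behaviourally (a patched http.client raises InvalidURL from HTTPConnection.__init__ for a host containing control characters, before any socket is opened) and checks CVE-2020-8492 by inspecting the realm regex that urllib.request.AbstractBasicAuthHandler uses. The probe value CRLF_HOST is constructed here, the PRE_FIX_RX pattern is my reproduction of the pre-fix regex and is kept only for the timing comparison (it is never installed into urllib), and the AbstractBasicAuthHandler.rx attribute is read through getattr so the probe reports "unknown" rather than crashing if a future CPython renames it.

```python
"""Behavioural probe for the two CPython fixes discussed in the bug."""
import http.client
import re
import time
import urllib.request

# --- CVE-2019-18348 ------------------------------------------------------
# A patched http.client validates the host inside HTTPConnection.__init__
# and raises InvalidURL on any control character, so a CRLF followed by a
# tab (header folding) can never end up inside the Host header.
# The constructor opens no socket, so this runs offline.
# Constructed probe value; it has no ':' so port parsing is not involved.
CRLF_HOST = "localhost\r\n\tX-Injected 1"


def host_control_chars_rejected() -> bool:
    """True when this interpreter carries the CVE-2019-18348 fix."""
    try:
        http.client.HTTPConnection(CRLF_HOST)
    except http.client.InvalidURL:
        return True
    return False


# --- CVE-2020-8492 -------------------------------------------------------
# Before the fix, urllib.request.AbstractBasicAuthHandler.rx began with
# '(?:.*,)*', which backtracks exponentially on a WWW-Authenticate value
# made of commas.  PRE_FIX_RX is my reproduction of that pre-fix pattern
# (an assumption; compare it with the python-security page) and is used
# only for comparison, never installed into urllib.
PRE_FIX_RX = re.compile(
    '(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\\2', re.I)
BACKTRACKING_SIGNATURE = "(?:.*,)*"


def installed_basic_auth_rx():
    """The realm regex of the running interpreter, or None if absent."""
    return getattr(urllib.request.AbstractBasicAuthHandler, "rx", None)


def pattern_has_backtracking_prefix(rx) -> bool:
    """True if the regex still carries the known-vulnerable prefix."""
    return BACKTRACKING_SIGNATURE in rx.pattern


def parse_realms(rx, www_authenticate: str):
    """(scheme, realm) pairs a given realm regex extracts from a header value."""
    return [(scheme, realm) for scheme, _quote, realm in rx.findall(www_authenticate)]


def redos_payload(n: int) -> str:
    """n commas and no 'realm=': every split of the commas is tried, then it fails."""
    return "," * n


def search_seconds(rx, text: str, repeats: int = 3) -> float:
    """Best-of-n wall time for one rx.search() over text."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        rx.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(rx, n_small: int = 12, n_large: int = 16) -> float:
    """Slowdown when the payload grows by four commas: roughly 16x for the
    exponential pattern, roughly flat for a linear one."""
    small = search_seconds(rx, redos_payload(n_small))
    large = search_seconds(rx, redos_payload(n_large))
    return large / small if small > 0 else float("inf")


def probe() -> dict:
    """Patch state of the running interpreter, independent of its version string.
    True = fixed, False = vulnerable, None = could not tell."""
    rx = installed_basic_auth_rx()
    return {
        "CVE-2019-18348": host_control_chars_rejected(),
        "CVE-2020-8492": None if rx is None else not pattern_has_backtracking_prefix(rx),
    }


if __name__ == "__main__":
    import sys
    print("python", sys.version.split()[0])
    for cve, fixed in probe().items():
        label = {True: "fixed", False: "VULNERABLE", None: "unknown"}[fixed]
        print(f"{cve}: {label}")
    print("pre-fix regex growth ratio:", round(growth_ratio(PRE_FIX_RX), 1))
    rx = installed_basic_auth_rx()
    if rx is not None:
        print("installed regex growth ratio:", round(growth_ratio(rx), 1))
```

Run it with each port's interpreter (python3.5, python3.6, python3.7) rather than trusting the version column of the table; the growth ratio is only printed, since wall-clock timings are too noisy to gate a build on, while the two verdicts in probe() are deterministic and are what a vuxml range should be checked against.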