Date:      Sun, 07 Jun 2020 01:43:05 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   [Bug 246984] lang/python36,37: Fix CVE-2020-8492
Message-ID:  <bug-246984-21822-bHN636pQYB@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-246984-21822@https.bugs.freebsd.org/bugzilla/>
References:  <bug-246984-21822@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246984

Danilo G. Baio <dbaio@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dbaio@freebsd.org

--- Comment #4 from Danilo G. Baio <dbaio@freebsd.org> ---
Hi.

Taking a look at this PR I noticed we have issues in CVE-2019-18348 as well.

And vuxml is currently wrong for both CVEs.

Simple table to explain:
-------------------------------------------------------------------------------
  2.7: 2.7.18         April 20, 2020   CVE-2019-18348 OK  /  CVE-2020-8492 OK
  3.5: 3.5.9          Nov. 2, 2019     CVE-2019-18348 MS  /  CVE-2020-8492 MS
  3.6: 3.6.9 (3.6.10) July 2, 2019     CVE-2019-18348 NR  /  CVE-2020-8492 NR
  3.7: 3.7.7          March 10, 2020   CVE-2019-18348 NR  /  CVE-2020-8492 NR
  3.8: 3.8.3          May 13, 2020     CVE-2019-18348 OK  /  CVE-2020-8492 OK

  MS - Missing commit in upstream branch (PR open)
  NR - Next Release, commit is in the branch
-------------------------------------------------------------------------------

So we have to patch Python 3.7, update Python 3.6 to 3.6.10+patch and patch
Python 3.5 for both CVEs.

And fix vuxml ASAP:
 CVE-2019-18348: needs to add the 3.5, 3.6 and 3.7 packages; they are all affected at this moment.
 CVE-2020-8492: 3.7 needs its range updated; it is currently informing that 3.7.7 is not affected.

There is a misunderstanding about CVE-2020-8492: the CVE text says "3.7 through 3.7.6",
but they applied the fix after 3.7.7 and it's on the branch waiting for the next release.


https://python-security.readthedocs.io/vuln/urlopen-host-http-header-injection.html (CVE-2019-18348)
https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html (CVE-2020-8492)

3.5 - https://github.com/python/cpython/pull/19300  (CVE-2019-18348) PR open
3.5 - https://github.com/python/cpython/pull/19305  (CVE-2020-8492)  PR open

Both patches for 3.5 applied cleanly, but the PRs are still open; should we
test them and already add them to the ports tree?

So in addition to Dani's patch, we need to also address CVE-2019-18348. I think
we can do this together.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.