
Debian 8: DLA-1834-1 Critical: Python2.7 DoS and Data Leakage

Debian LTS
June 24, 2019
Security patches for Python 2.7 have been released addressing several flaws; all users are advised to upgrade.
Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including the following:

Summary

CVE-2018-14647

Python's elementtree C accelerator did not initialise Expat's hash
salt. This could make it easy to conduct denial of service attacks
against Expat by constructing an XML document that causes pathological
hash collisions in Expat's internal data structures, consuming large
amounts of CPU and RAM.

CVE-2019-5010

A NULL pointer dereference triggered by a specially crafted X.509 certificate.

CVE-2019-9636

Improper handling of Unicode encoding (with an incorrect netloc)
during NFKC normalization, resulting in information disclosure
(credentials, cookies, etc. that are cached against a given
hostname). A specially crafted URL could be parsed incorrectly so
that cookies or authentication data are located and sent to a
different host than when the URL is parsed correctly.

CVE-2019-9740

An issue was discovered in urllib2 where CRLF injection is possible
if the attacker controls a URL parameter, as demonstrated by the



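The two URL-handling issues above (CVE-2019-9636 and CVE-2019-9740) share a root cause: a URL that one component treats as harmless changes meaning once another component normalizes it or writes it into a request line. The function below is an added example, not the Debian patch or CPython's own fix, of a pre-flight check an application can run on untrusted URLs before handing them to any HTTP client. It rejects a URL that contains control characters anywhere (the CRLF class) and a URL whose host part gains a component delimiter (`/ ? # @ :`) only after NFKC normalization (the netloc class). The sample URLs in the test are constructed for illustration; the host names are placeholders.

```python
import unicodedata
from typing import Optional

# Characters that delimit URL components. If NFKC normalization of the
# host part introduces any of these, a parser that normalizes after
# splitting will attribute the URL to a different host.
_NETLOC_DELIMITERS = "/?#@:"


def _has_control_chars(s: str) -> bool:
    # C0 control characters (CR and LF included) and DEL may never appear
    # in a URL; in a request line they terminate or inject headers.
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in s)


def _raw_netloc(url: str) -> str:
    # Host portion exactly as a naive splitter sees it: everything after
    # "//" up to the first "/", "?" or "#". No normalization is applied.
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    for i, ch in enumerate(rest):
        if ch in "/?#":
            return rest[:i]
    return rest


def url_rejection_reason(url: str) -> Optional[str]:
    """Return None if the URL passes both checks, otherwise a short reason."""
    if _has_control_chars(url):
        return "control character in URL"

    netloc = _raw_netloc(url)
    if not netloc or netloc.isascii():
        # ASCII hosts are unaffected by NFKC; nothing further to check.
        return None

    # Drop delimiters the author already placed (user@host:port) so only
    # delimiters created by normalization are counted.
    stripped = "".join(ch for ch in netloc if ch not in _NETLOC_DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    introduced = sorted(set(normalized) & set(_NETLOC_DELIMITERS))
    if introduced:
        return "netloc gains delimiter(s) %r under NFKC normalization" % "".join(introduced)
    return None


def is_safe_url(url: str) -> bool:
    return url_rejection_reason(url) is None


if __name__ == "__main__":
    # Constructed inputs: one benign ASCII URL, one benign IDN host, one
    # CRLF injection attempt, one host containing U+2100 (NFKC -> "a/c").
    for sample in (
        "https://example.com/path",
        "https://b\u00fccher.example/",
        "https://example.com/\r\nX-Injected: 1",
        "https://example.com\u2100.test/",
    ):
        print(repr(sample), "->", url_rejection_reason(sample) or "ok")
```

The check is deliberately applied to the raw string before any parsing: a URL library that strips or normalizes characters on input would otherwise hide exactly the characters the check is looking for. Rejecting rather than "repairing" the URL keeps the decision auditable in logs.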
Severity: Critical

Package: python2.7
Version: 2.7.9-2+deb8u3
CVE ID: CVE-2018-14647 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740
Debian Bug: 921039 921040 924073
