
Debian 9 DLA-2628-1 Critical: Python2.7 XSS And Cache Poisoning

Source: Debian LTS | Published: April 17, 2021 | Distribution: Debian
Upgrade advised for Debian 9 (Stretch) due to Python2.7 vulnerabilities, including XSS and cache injection risks.
Two security issues have been discovered in python2.7: CVE-2019-16935 and CVE-2021-23336.

Summary

CVE-2019-16935

The documentation XML-RPC server in Python 2.7 has XSS via the server_title
field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
untrusted input, arbitrary JavaScript can be delivered to clients that
visit the http URL for this server.
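The defect above is a plain output-encoding failure: the title string is interpolated into the generated HTML page without escaping. The following added example (not code from the advisory or from CPython) reproduces that pattern in miniature beside the hardened form, and includes a small check a reviewer could run to confirm a rendering routine never lets an attacker-controlled title survive as live markup. The title value is constructed for the demonstration; the template is a simplified stand-in for the one DocXMLRPCServer emits.

```python
import html

# Constructed sample: a server title taken from an untrusted source
# (for example a configuration value or request data).
UNTRUSTED_TITLE = 'Docs <script>alert("xss")</script>'

TEMPLATE = "<html><head><title>%s</title></head><body><h1>%s</h1></body></html>"


def render_header_unescaped(title: str) -> str:
    """Vulnerable pattern (CVE-2019-16935): the title is interpolated verbatim,
    so any markup it contains becomes part of the page."""
    return TEMPLATE % (title, title)


def render_header_escaped(title: str) -> str:
    """Hardened form: HTML-escape the title before interpolation, which is the
    same idea as the upstream fix (escape at the point of output)."""
    safe = html.escape(title, quote=True)
    return TEMPLATE % (safe, safe)


def header_is_safe(rendered: str, title: str) -> bool:
    """Defensive check: the body of the <h1> element must equal the escaped
    title. If the raw title shows up instead, angle brackets from untrusted
    input reached the browser unencoded and the renderer is unsafe."""
    body = rendered.split("<h1>", 1)[1].split("</h1>", 1)[0]
    return body == html.escape(title, quote=True)


if __name__ == "__main__":
    for renderer in (render_header_unescaped, render_header_escaped):
        out = renderer(UNTRUSTED_TITLE)
        print(renderer.__name__, "safe:", header_is_safe(out, UNTRUSTED_TITLE))
```

The check is deliberately strict: it does not look for particular tag names, because an allow-list of "dangerous" tags is exactly the kind of filter that gets bypassed. Either the title reaches the page fully escaped or the renderer fails the check.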

CVE-2021-23336

Python 2.7 is vulnerable to web cache poisoning via urllib.parse.parse_qsl
and urllib.parse.parse_qs through a technique called parameter cloaking. When
an attacker can separate query parameters using a semicolon (;), they can
cause the proxy (running with its default configuration) and the server to
interpret the same request differently. This can result in malicious
requests being cached as completely safe ones, because the proxy does not
treat the semicolon as a separator and therefore does not include the
cloaked parameter in the cache key, treating it as part of an unkeyed parameter.
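The root cause is a parsing mismatch: unpatched Python split query strings on both `&` and `;`, while most caches and proxies split on `&` only. The added example below (written for this page, not code from the advisory or from CPython) re-implements both splitting rules so it runs on any Python 3 regardless of patch level, then shows the two views of one constructed query string and a detection function that flags requests the two sides would read differently. The parameter names, the keyed-parameter list and the query strings are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus


def parse_pairs(qs: str, separators: str = "&"):
    """Split a query string into (key, value) pairs on any character in
    `separators`. Patched Python splits on '&' only; unpatched Python 2.7
    also split on ';', which is the behaviour CVE-2021-23336 describes."""
    result = []
    for chunk in re.split("[" + re.escape(separators) + "]", qs):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        result.append((unquote_plus(key), unquote_plus(value)))
    return result


def proxy_view(qs: str):
    """How a proxy or cache with default settings reads the query: '&' only."""
    return parse_pairs(qs, "&")


def legacy_server_view(qs: str):
    """How an unpatched Python 2.7 backend read the same query: '&' and ';'."""
    return parse_pairs(qs, "&;")


def cache_key(pairs, keyed=("q",)):
    """A cache that keys on the listed parameters only, as the advisory text
    describes; every other parameter is 'unkeyed' and ignored for lookups."""
    return tuple(sorted((k, v) for k, v in pairs if k in keyed))


def last_value(pairs, key):
    """Many frameworks take the last occurrence when a key repeats."""
    values = [v for k, v in pairs if k == key]
    return values[-1] if values else None


def interpretations_differ(qs: str) -> bool:
    """Detection check for a proxy, WAF or log pipeline: True when the
    '&'-only and '&;' parsers disagree, i.e. a ';' sits inside a parameter
    where it would change the backend's interpretation."""
    return proxy_view(qs) != legacy_server_view(qs)


# Constructed query strings: the second hides an extra 'q' inside 'lang'.
BENIGN = "q=hello&lang=en"
CLOAKED = "q=hello&lang=en;q=other"

if __name__ == "__main__":
    for qs in (BENIGN, CLOAKED):
        print(qs)
        print("  proxy cache key :", cache_key(proxy_view(qs)))
        print("  legacy backend q:", last_value(legacy_server_view(qs), "q"))
        print("  mismatch        :", interpretations_differ(qs))
```

The mitigation on the application side is to parse with a single separator (patched Python's parse_qs and parse_qsl take a `separator` argument defaulting to `&`), and on the edge to reject or normalise any query string for which `interpretations_differ` is true, so the cache never stores a response whose backend interpretation it did not see.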

**Attention, API-change!**



Severity: critical

Package: python2.7
Version: 2.7.13-2+deb9u5
CVE ID: CVE-2019-16935 CVE-2021-23336
