https://bugs.python.org/issue41944

https://github.com/python/cpython/commit/2ef5caa58febc8968e670e39e3d37cf8eef3cab8

https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9

https://github.com/python/cpython/commit/6c6c256df3636ff6f6136820afaefa5a10a3ac33

https://github.com/python/cpython/commit/b664a1df4ee71d3760ab937653b10997081b1794

https://github.com/python/cpython/commit/e912e945f2960029d039d3390ea08835ad39374b

[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar

https://security.netapp.com/advisory/ntap-20201123-0004/

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4754-3 advisory.

  - Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource     consumption) via a ZIP bomb. (CVE-2019-9674)

  - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information     about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects     of this documentation cross application domains, and thus it is likely that security-relevant code     elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR     researchers were specifically relying on library/glob.html. In other words, because the older     documentation stated finds all the pathnames matching a specified pattern according to the rules used by     the Unix shell, one might have incorrectly inferred that the sorting that occurs in a Unix shell also     occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py     and nmr-data_compilation-p3.py, which call sort() directly. (CVE-2019-17514)

  - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an     infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)

  - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1     allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client     because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content     retrieved via HTTP. (CVE-2020-27619)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4754-1 advisory.

  - In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content     retrieved via HTTP. (CVE-2020-27619)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

  - Lib/ipaddress.py in Python through 3.8.3 improperly     computes hash values in the IPv4Interface and     IPv6Interface classes, which might allow a remote     attacker to cause a denial of service if an application     is affected by the performance of a dictionary     containing IPv4Interface or IPv6Interface objects, and     this attacker can cause many dictionary entries to be     created.(CVE-2020-14422)

  - In Lib/tarfile.py in Python through 3.8.3, an attacker     is able to craft a TAR archive leading to an infinite     loop when opened by tarfile.open, because _proc_pax     lacks header validation.(CVE-2019-20907)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python3 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python2 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

  - http.client in Python 3.x before 3.5.10, 3.6.x before     3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP     request method, as demonstrated by inserting CR and LF     control characters in the first argument of     HTTPConnection.request.(CVE-2020-26116)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python3 fixes the following issues :

  - Fixed CVE-2020-27619 (bsc#1178009), where     Lib/test/multibytecodec_support calls eval() on content     retrieved via HTTP.

  - Change setuptools and pip version numbers according to     new wheels

  - Handful of changes to make python36 compatible with     SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)

  - add triplets for mips-r6 and riscv

  - RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

  - Ensure python3.dll is loaded from correct locations when     Python is embedded

  - The __hash__() methods of ipaddress.IPv4Interface and     ipaddress.IPv6Interface incorrectly generated constant     hash values of 32 and 128 respectively. This resulted in     always causing hash collisions. The fix uses hash() to     generate hash values for the tuple of (address, mask     length, network address).

  - Prevent http header injection by rejecting control     characters in http.client.putrequest(&hellip;).

  - Unpickling invalid NEWOBJ_EX opcode with the C     implementation raises now UnpicklingError instead of     crashing.

  - Avoid infinite loop when reading specially crafted TAR     files using the tarfile module

  - This release also fixes CVE-2020-26116 (bsc#1177211) and     CVE-2019-20907 (bsc#1174091).

Update to 3.6.11 :

  - Disallow CR or LF in email.headerregistry. Address     arguments to guard against header injection attacks.

  - Disallow control characters in hostnames in http.client,     addressing CVE-2019-18348. Such potentially malicious     header injection URLs now cause a InvalidURL to be     raised. (bsc#1155094)

  - CVE-2020-8492: The AbstractBasicAuthHandler class of the     urllib.request module uses an inefficient regular     expression which can be exploited by an attacker to     cause a denial of service. Fix the regex to prevent the     catastrophic backtracking. Vulnerability reported by Ben     Caller and Matt Schwager.

This update was imported from the SUSE:SLE-15:Update update project.

This update for python3 fixes the following issues :

Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP.

Change setuptools and pip version numbers according to new wheels

Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)

add triplets for mips-r6 and riscv

RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

Ensure python3.dll is loaded from correct locations when Python is embedded

The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

Prevent http header injection by rejecting control characters in http.client.putrequest(&acirc;&#128;&brvbar;).

Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.

Avoid infinite loop when reading specially crafted TAR files using the tarfile module

This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11 :

Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks.

Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094)

CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python36 fixes the following issues :

CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen() (bsc#1155094)

CVE-2019-20916: Fixed a directory traversal in _download_http_url() (bsc#1176262).

CVE-2020-27619: Fixed an issue where the CJK codec tests call eval() on content retrieved via HTTP (bsc#1178009).

CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367).

Working-around missing python-packaging dependency in python-Sphinx is not necessary anymore (bsc#1174571).

Build of python3 documentation is not independent on the version of Sphinx(bsc#1179630).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the python2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In Python 3 through 3.9.0, the     Lib/test/multibytecodec_support.py CJK codec tests call     eval() on content retrieved via HTTP.(CVE-2020-27619)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the python3 package has been released.

ID	Name	Product	Family	Severity
148008	Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3)	Nessus	Ubuntu Local Security Checks	high
147997	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : Python vulnerabilities (USN-4754-1)	Nessus	Ubuntu Local Security Checks	high
147696	EulerOS Virtualization 2.9.0 : python3 (EulerOS-SA-2021-1649)	Nessus	Huawei Local Security Checks	high
147485	EulerOS Virtualization 2.9.1 : python3 (EulerOS-SA-2021-1623)	Nessus	Huawei Local Security Checks	high
147120	EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2021-1560)	Nessus	Huawei Local Security Checks	high
147105	EulerOS Virtualization 3.0.6.6 : python (EulerOS-SA-2021-1512)	Nessus	Huawei Local Security Checks	high
147031	EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2021-1543)	Nessus	Huawei Local Security Checks	high
146714	EulerOS 2.0 SP2 : python (EulerOS-SA-2021-1350)	Nessus	Huawei Local Security Checks	high
146127	EulerOS 2.0 SP5 : python (EulerOS-SA-2021-1226)	Nessus	Huawei Local Security Checks	high
145389	openSUSE Security Update : python3 (openSUSE-2020-2333)	Nessus	SuSE Local Security Checks	high
145326	openSUSE Security Update : python3 (openSUSE-2020-2332)	Nessus	SuSE Local Security Checks	high
145144	EulerOS 2.0 SP3 : python (EulerOS-SA-2021-1114)	Nessus	Huawei Local Security Checks	high
144586	SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1)	Nessus	SuSE Local Security Checks	high
144443	SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3865-1)	Nessus	SuSE Local Security Checks	high
144142	EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-2527)	Nessus	Huawei Local Security Checks	high
144139	EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-2528)	Nessus	Huawei Local Security Checks	high
143417	EulerOS 2.0 SP9 : python3 (EulerOS-SA-2020-2502)	Nessus	Huawei Local Security Checks	high
143396	EulerOS 2.0 SP9 : python3 (EulerOS-SA-2020-2489)	Nessus	Huawei Local Security Checks	high
143064	Photon OS 1.0: Python3 PHSA-2020-1.0-0338	Nessus	PhotonOS Local Security Checks	high
142987	Photon OS 2.0: Python3 PHSA-2020-2.0-0295	Nessus	PhotonOS Local Security Checks	high
142654	Photon OS 3.0: Python3 PHSA-2020-3.0-0161	Nessus	PhotonOS Local Security Checks	high

CVE-2020-27619

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high