Your message dated Wed, 13 Mar 2019 12:19:57 +0000
with message-id <[email protected]>
and subject line Bug#924072: fixed in python3.7 3.7.3~rc1-1
has caused the Debian Bug report #924072,
regarding python3.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924072: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924072
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python3.7
Version: 3.7.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugs.python.org/issue36216
Control: clone -1 -2
Control: found -1 3.7.2-2
Control: reassign -2 src:python2.7 2.7.16-1
Control: retitle -2 python2.7: CVE-2019-9636: urlsplit does not handle NFKC normalization
Control: found -2 2.7.16~rc1-1
Control: found -2 2.7.13-2+deb9u3
Control: found -2 2.7.13-2
Hi,
The following vulnerability was published for python3.7.
CVE-2019-9636[0]:
| Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
| Improper Handling of Unicode Encoding (with an incorrect netloc) during
| NFKC normalization. The impact is: Information disclosure (credentials,
| cookies, etc. that are cached against a given hostname). The components
| are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector
| is: A specially crafted URL could be incorrectly parsed to locate
| cookies or authentication data and send that information to a different
| host than when parsed correctly.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636
[1] https://bugs.python.org/issue36216
[2] https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x)
[3] https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
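The CVE text above describes the defect in terms of the fix that followed it: a netloc may contain non-ASCII characters that only turn into URL separators once NFKC normalization is applied (as IDNA hostname processing does), so the host a URL is parsed as and the host it is later sent to can differ. The following is an added illustration of that check, written for this page and not taken from the bug report or from the CPython commits it references; the function names `netloc_is_safe_under_nfkc` and `strict_urlsplit` and the sample URLs are constructed for the example. The authoritative fix is the upstream commit linked above; this block only shows the shape of the validation and how a wrapper around `urlsplit` can apply it on interpreters that predate the fix.

```python
"""Added example: reject netlocs that acquire URL separators under NFKC.

Not part of the Debian bug report or of CPython; function names and
sample inputs are constructed for illustration.
"""
import unicodedata
from urllib.parse import SplitResult, urlsplit

# Characters that delimit the netloc from the rest of a URL, or split it
# internally (userinfo, port). A hostname that *normalizes* to contain one
# of these is parsed differently before and after normalization.
SEPARATORS = "/?#@:"


def netloc_is_safe_under_nfkc(netloc: str) -> bool:
    """Return False if NFKC-normalizing the netloc introduces a separator.

    Separators that are literally present in the input are handled by the
    ordinary parser, so they are stripped first; the check only looks for
    separators that appear *because of* normalization.
    """
    if not netloc:
        return True
    try:
        netloc.encode("ascii")
        return True  # pure ASCII is unchanged by NFKC
    except UnicodeEncodeError:
        pass
    stripped = netloc
    for sep in SEPARATORS:
        stripped = stripped.replace(sep, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True  # normalization is a no-op for this netloc
    return not any(sep in normalized for sep in SEPARATORS)


def strict_urlsplit(url: str) -> SplitResult:
    """urlsplit() that raises ValueError for a netloc failing the NFKC check.

    On a patched interpreter urlsplit() already raises ValueError for such
    input; on an unpatched one this wrapper supplies the same behaviour.
    """
    parts = urlsplit(url)
    if not netloc_is_safe_under_nfkc(parts.netloc):
        raise ValueError(
            "netloc %r contains characters that normalize to URL separators "
            "under NFKC" % (parts.netloc,)
        )
    return parts


if __name__ == "__main__":
    # Constructed inputs. U+2100 (ACCOUNT OF) NFKC-normalizes to 'a/c',
    # U+FF20 (FULLWIDTH COMMERCIAL AT) normalizes to '@'.
    print(strict_urlsplit("https://example.com/path?q=1").netloc)
    for sample in ("https://example.com\u2100other.test/",
                   "https://user\uff20host.test/"):
        try:
            strict_urlsplit(sample)
            print("accepted:", sample)
        except ValueError as exc:
            print("rejected:", exc)
```

The check deliberately compares the normalized string against the original with literal separators removed, so a netloc such as `user@host` is still accepted; only characters whose NFKC form contains a separator that was not there before cause rejection.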
--- Begin Message ---
Source: python3.7
Source-Version: 3.7.3~rc1-1
We believe that the bug you reported is fixed in the latest version of
python3.7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python3.7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 13 Mar 2019 12:01:15 +0100
Source: python3.7
Architecture: source
Version: 3.7.3~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 924072
Changes:
python3.7 (3.7.3~rc1-1) unstable; urgency=medium
.
* Python 3.7.3 release candidate 1.
* CVE-2019-9636. Fix issue #36216: Add check for characters in netloc that
normalize to separators. Closes: #924072.
* Use a build profile for libbluetooth-dev (<!pkg.python3.7.nobluetooth>).
Checksums-Sha1:
1555adc813e73bcba2d8c4d362bbdaf5b7589b59 3464 python3.7_3.7.3~rc1-1.dsc
32663d679846802f6173ba77581b642fe5ee00e4 17106464 python3.7_3.7.3~rc1.orig.tar.xz
c370b1b0652b4d154e18001e006034a73f1c3e4b 209784 python3.7_3.7.3~rc1-1.debian.tar.xz
54869574471d465d9602e76b315b5b5ab50806cf 9454 python3.7_3.7.3~rc1-1_source.buildinfo
Checksums-Sha256:
025f09abc026f1d6a6e4524b5926a39e41cf2c9a1e931999655fedc4c793c67d 3464 python3.7_3.7.3~rc1-1.dsc
d184af1fc8a1559f5cea0ea99bbfa5b34ce410033775eeacd9b90cd1eb756f72 17106464 python3.7_3.7.3~rc1.orig.tar.xz
7e014c5f6c1c7116663494e71e2ea389cd3ec2cee73ddf19cf0940b381dd09ca 209784 python3.7_3.7.3~rc1-1.debian.tar.xz
4100ba3f0b39ad196746ad0b1a01421bf9db0480b5a1e61820f8fb131f90f685 9454 python3.7_3.7.3~rc1-1_source.buildinfo
Files:
ae2004fc7657281422a531ba92b247bf 3464 python optional python3.7_3.7.3~rc1-1.dsc
0f829f6257e32e6fa807f26bc7db4018 17106464 python optional python3.7_3.7.3~rc1.orig.tar.xz
2e7633daf7468fc51543636d67c428ce 209784 python optional python3.7_3.7.3~rc1-1.debian.tar.xz
ca41efe838dcf3e14a18daeb96e07f59 9454 python optional python3.7_3.7.3~rc1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---