SB2019070328 - Fedora 30 update for python36
Published: July 3, 2019 Updated: April 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-9636)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input when processing data in Unicode encoding with an incorrect netloc during NFKC normalization. A remote attacker can gain access to sensitive information.
2) CRLF injection (CVE-ID: CVE-2019-9740)
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
3) Input validation error (CVE-ID: CVE-2019-10160)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user and password parts of a URL. This issue exists due to incorrect patch for previous issue described in SB2019030811 (CVE-2019-9636). A remote attacker can gain access to sensitive information.
4) Improper input validation (CVE-ID: CVE-2018-1060)
The vulnerability allows a remote attacker to cause DoS condition on he target system.The weakness exists due to the way catastrophic backtracking was implemented in apop() method in pop3lib. A remote attacker can cause the service to crash.
Remediation
Install update from vendor's website.