Vulnerabilities > CVE-2019-10160

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Vulnerable Configurations

Part Description Count
Application
Python
145
Application
Redhat
1
Application
Netapp
2
OS
Redhat
7
OS
Debian
2
OS
Opensuse
2
OS
Fedoraproject
3
OS
Canonical
5

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0302-1.NASL
    descriptionThis update for python36 to version 3.6.10 fixes the following issues : CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ signs (bsc#1149955). CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133448
    published2020-02-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133448
    titleSUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:0302-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133448);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/06");
    
      script_cve_id("CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947");
    
      script_name(english:"SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for python36 to version 3.6.10 fixes the following 
    issues :
    
    CVE-2017-18207: Fixed a denial of service in
    Wave_read._read_fmt_chunk() (bsc#1083507).
    
    CVE-2019-16056: Fixed an issue where email parsing could fail for
    multiple @ signs (bsc#1149955).
    
    CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat
    (bsc#1149429).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027282"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1029377"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081750"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083507"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1086001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088009"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1109663"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1137942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1138459"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141853"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149121"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149429"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149792"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149955"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1151490"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1159035"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1159622"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=709442"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=951166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983582"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18207/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000802/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1060/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20852/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-10160/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15903/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16056/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-5010/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9636/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9947/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20200302-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?68a41617"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP5 :
    
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-302=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython3_6m1_0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"5", reference:"libpython3_6m1_0-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"libpython3_6m1_0-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-debugsource-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-debugsource-3.6.10-4.3.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python36");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-B06EC6159B.NASL
    descriptionPython 3.5 has now entered
    last seen2020-06-01
    modified2020-06-02
    plugin id130793
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130793
    titleFedora 30 : python35 (2019-b06ec6159b)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1834.NASL
    descriptionMultiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including CVE-2018-14647 Python
    last seen2020-06-01
    modified2020-06-02
    plugin id126222
    published2019-06-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126222
    titleDebian DLA-1834-1 : python2.7 security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1258.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)
    last seen2020-06-01
    modified2020-06-02
    plugin id127462
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127462
    titleAmazon Linux 2 : python (ALAS-2019-1258)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0160_PYTHON.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python packages installed that are affected by a vulnerability: - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127440
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127440
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2019-0160)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0240_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id126177
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126177
    titlePhoton OS 1.0: Python2 PHSA-2019-1.0-0240
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2064-1.NASL
    descriptionThis update for python fixes the following issues : Security issue fixed : CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127770
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127770
    titleSUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4127-1.NASL
    descriptionIt was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-20406) It was discovered that Python incorrectly validated the domain when handling cookies. An attacker could possibly trick Python into sending cookies to the wrong domain. (CVE-2018-20852) Jonathan Birch and Panayiotis Panayiotou discovered that Python incorrectly handled Unicode encoding during NFKC normalization. An attacker could possibly use this issue to obtain sensitive information. (CVE-2019-9636, CVE-2019-10160) Colin Read and Nicolas Edet discovered that Python incorrectly handled parsing certain X509 certificates. An attacker could possibly use this issue to cause Python to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-5010) It was discovered that Python incorrectly handled certain urls. A remote attacker could possibly use this issue to perform CRLF injection attacks. (CVE-2019-9740, CVE-2019-9947) Sihoon Lee discovered that Python incorrectly handled the local_file: scheme. A remote attacker could possibly use this issue to bypass blacklist meschanisms. (CVE-2019-9948). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128631
    published2019-09-10
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128631
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1259.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)
    last seen2020-06-01
    modified2020-06-02
    plugin id127463
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127463
    titleAmazon Linux 2 : python3 (ALAS-2019-1259)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1771.NASL
    descriptionAccording to the version of the python2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-07-25
    plugin id127008
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127008
    titleEulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-1771)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-5DC275C9F2.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129029
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129029
    titleFedora 29 : python34 (2019-5dc275c9f2)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1587.NASL
    descriptionFrom Red Hat Security Advisory 2019:1587 : An update for python is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es) : * python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126142
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126142
    titleOracle Linux 7 : python (ELSA-2019-1587)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-9BFB4A3E4B.NASL
    description[Python 3.7.4](https://www.python.org/downloads/release/python-374/) is the fourth and most recent maintenance release of Python 3.7. [Changelog for final](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7- 4-final), [3.7.4 release candidate 2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-2) and [3.7.4 release candidate 1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-1). Contains security fixes for CVE-2019-9948 and CVE-2019-10160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127105
    published2019-07-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127105
    titleFedora 30 : python3 / python3-docs (2019-9bfb4a3e4b)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1324.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160) An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740) urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(
    last seen2020-06-01
    modified2020-06-02
    plugin id131244
    published2019-11-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131244
    titleAmazon Linux AMI : python34 (ALAS-2019-1324)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2050-1.NASL
    descriptionThis update for python3 fixes the following issues : Security issue fixed : CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853). Non-security issue fixed: Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127766
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127766
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190620_PYTHON_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)
    last seen2020-03-18
    modified2019-06-24
    plugin id126145
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126145
    titleScientific Linux Security Update : python on SL7.x x86_64 (20190620)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1258.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(
    last seen2020-06-01
    modified2020-06-02
    plugin id127814
    published2019-08-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127814
    titleAmazon Linux AMI : python27 (ALAS-2019-1258)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D202CDA4F8.NASL
    descriptionPython 3.5 has now entered
    last seen2020-06-01
    modified2020-06-02
    plugin id130797
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130797
    titleFedora 29 : python35 (2019-d202cda4f8)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0165_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id126108
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126108
    titlePhoton OS 2.0: Python2 PHSA-2019-2.0-0165
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-60A1DEFCD1.NASL
    description[Python 3.7.4](https://www.python.org/downloads/release/python-374/) is the fourth and most recent maintenance release of Python 3.7. [Changelog for final](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7- 4-final), [3.7.4 release candidate 2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-2) and [3.7.4 release candidate 1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-1). Contains security fixes for CVE-2019-9948 and CVE-2019-10160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127514
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127514
    titleFedora 29 : python3 / python3-docs (2019-60a1defcd1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1866.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) - urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(
    last seen2020-05-08
    modified2019-09-17
    plugin id128918
    published2019-09-17
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128918
    titleEulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1906.NASL
    descriptionThis update for python fixes the following issues : Security issue fixed : - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id127998
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127998
    titleopenSUSE Security Update : python (openSUSE-2019-1906)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1587.NASL
    descriptionAn update for python is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es) : * python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126089
    published2019-06-21
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126089
    titleRHEL 7 : python (RHSA-2019:1587)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-57462FA10D.NASL
    descriptionPython 3.5 has now entered
    last seen2020-06-01
    modified2020-06-02
    plugin id130784
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130784
    titleFedora 31 : python35 (2019-57462fa10d)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-7DF59302E0.NASL
    descriptionUpdate Python 3.6 to [3.6.9](https://www.python.org/downloads/release/python-369/), the latest security release of the 3.6 branch. [Changelog for 3.6.9 final](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6- 9-final) and [3.6.9 release candidate 1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re lease-candidate-1). Includes security fixes for CVE-2019-9636, CVE-2019-9740, CVE-2019-10160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id126659
    published2019-07-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126659
    titleFedora 29 : python36 (2019-7df59302e0)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0163_PYTHON.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by a vulnerability: - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127446
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127446
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : python Vulnerability (NS-SA-2019-0163)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2437.NASL
    descriptionAn update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host
    last seen2020-06-01
    modified2020-06-02
    plugin id127986
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127986
    titleRHEL 7 : Virtualization Manager (RHSA-2019:2437)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0165_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id126109
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126109
    titlePhoton OS 2.0: Python3 PHSA-2019-2.0-0165
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2091-1.NASL
    descriptionThis update for python fixes the following issues : CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127783
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127783
    titleSUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0234-1.NASL
    descriptionThis update for python fixes the following issues : Updated to version 2.7.17 to unify packages among openSUSE:Factory and SLE versions (bsc#1159035). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133259
    published2020-01-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133259
    titleSUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2019.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) - urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(
    last seen2020-05-08
    modified2019-09-24
    plugin id129212
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129212
    titleEulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0114-1.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133036
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133036
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1778.NASL
    descriptionAccording to the version of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-07-25
    plugin id127015
    published2019-07-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127015
    titleEulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-1778)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1934.NASL
    descriptionAccording to the version of the python packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128937
    published2019-09-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128937
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2019-1934)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1587.NASL
    descriptionAn update for python is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es) : * python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id126219
    published2019-06-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126219
    titleCentOS 7 : python (CESA-2019:1587)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-86.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id133172
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133172
    titleopenSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2053-1.NASL
    descriptionThis update for python3 fixes the following issues : CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847). CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127768
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127768
    titleSUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-2B1F72899A.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129027
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129027
    titleFedora 30 : python34 (2019-2b1f72899a)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2053-2.NASL
    descriptionThis update for python3 fixes the following issues : CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). CVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847). CVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128019
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128019
    titleSUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1797.NASL
    descriptionAccording to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-08-23
    plugin id128089
    published2019-08-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128089
    titleEulerOS 2.0 SP5 : python (EulerOS-SA-2019-1797)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0240_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id126178
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126178
    titlePhoton OS 1.0: Python3 PHSA-2019-1.0-0240
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-7723D4774A.NASL
    descriptionUpdate Python 3.6 to [3.6.9](https://www.python.org/downloads/release/python-369/), the latest security release of the 3.6 branch. [Changelog for 3.6.9 final](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6- 9-final) and [3.6.9 release candidate 1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re lease-candidate-1). Includes security fixes for CVE-2019-9636, CVE-2019-9740, CVE-2019-10160. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id126658
    published2019-07-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126658
    titleFedora 30 : python36 (2019-7723d4774a)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-50772CF122.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129618
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129618
    titleFedora 31 : python34 (2019-50772cf122)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1259.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)
    last seen2020-06-01
    modified2020-06-02
    plugin id127815
    published2019-08-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127815
    titleAmazon Linux AMI : python34 / python35,python36 (ALAS-2019-1259)

Redhat

advisories
  • bugzilla
    id1718388
    titleCVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentpython-tools is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587001
          • commentpython-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554008
        • AND
          • commentpython-debug is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587003
          • commentpython-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152101008
        • AND
          • commentpython-devel is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587005
          • commentpython-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554010
        • AND
          • commenttkinter is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587007
          • commenttkinter is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554004
        • AND
          • commentpython-test is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587009
          • commentpython-test is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554006
        • AND
          • commentpython-libs is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587011
          • commentpython-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554014
        • AND
          • commentpython is earlier than 0:2.7.5-80.el7_6
            ovaloval:com.redhat.rhsa:tst:20191587013
          • commentpython is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554012
    rhsa
    idRHSA-2019:1587
    released2019-06-20
    severityImportant
    titleRHSA-2019:1587: python security update (Important)
  • rhsa
    idRHSA-2019:1700
  • rhsa
    idRHSA-2019:2437
rpms
  • python-0:2.7.5-80.el7_6
  • python-debug-0:2.7.5-80.el7_6
  • python-debuginfo-0:2.7.5-80.el7_6
  • python-devel-0:2.7.5-80.el7_6
  • python-libs-0:2.7.5-80.el7_6
  • python-test-0:2.7.5-80.el7_6
  • python-tools-0:2.7.5-80.el7_6
  • tkinter-0:2.7.5-80.el7_6
  • python27-python-0:2.7.16-6.el6
  • python27-python-0:2.7.16-6.el7
  • python27-python-debug-0:2.7.16-6.el6
  • python27-python-debug-0:2.7.16-6.el7
  • python27-python-debuginfo-0:2.7.16-6.el6
  • python27-python-debuginfo-0:2.7.16-6.el7
  • python27-python-devel-0:2.7.16-6.el6
  • python27-python-devel-0:2.7.16-6.el7
  • python27-python-libs-0:2.7.16-6.el6
  • python27-python-libs-0:2.7.16-6.el7
  • python27-python-test-0:2.7.16-6.el6
  • python27-python-test-0:2.7.16-6.el7
  • python27-python-tools-0:2.7.16-6.el6
  • python27-python-tools-0:2.7.16-6.el7
  • python27-tkinter-0:2.7.16-6.el6
  • python27-tkinter-0:2.7.16-6.el7
  • imgbased-0:1.1.9-0.1.el7ev
  • ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • python-imgbased-0:1.1.9-0.1.el7ev
  • python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • redhat-release-virtualization-host-0:4.3.5-2.el7ev
  • redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7
  • redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev

References