USN-4127-1: Python vulnerabilities
First published: Mon Sep 09 2019(Updated: )
It was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-20406) It was discovered that Python incorrectly validated the domain when handling cookies. An attacker could possibly trick Python into sending cookies to the wrong domain. (CVE-2018-20852) Jonathan Birch and Panayiotis Panayiotou discovered that Python incorrectly handled Unicode encoding during NFKC normalization. An attacker could possibly use this issue to obtain sensitive information. (CVE-2019-9636, CVE-2019-10160) Colin Read and Nicolas Edet discovered that Python incorrectly handled parsing certain X509 certificates. An attacker could possibly use this issue to cause Python to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-5010) It was discovered that Python incorrectly handled certain urls. A remote attacker could possibly use this issue to perform CRLF injection attacks. (CVE-2019-9740, CVE-2019-9947) Sihoon Lee discovered that Python incorrectly handled the local_file: scheme. A remote attacker could possibly use this issue to bypass blocklist meschanisms. (CVE-2019-9948)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/python2.7 | <2.7.16-2ubuntu0.1 | 2.7.16-2ubuntu0.1 |
| Ubuntu Ubuntu | =19.04 | |
| All of | ||
| ubuntu/python2.7-minimal | <2.7.16-2ubuntu0.1 | 2.7.16-2ubuntu0.1 |
| Ubuntu Ubuntu | =19.04 | |
| All of | ||
| ubuntu/python3.7 | <3.7.3-2ubuntu0.1 | 3.7.3-2ubuntu0.1 |
| Ubuntu Ubuntu | =19.04 | |
| All of | ||
| ubuntu/python3.7-minimal | <3.7.3-2ubuntu0.1 | 3.7.3-2ubuntu0.1 |
| Ubuntu Ubuntu | =19.04 | |
| All of | ||
| ubuntu/python2.7 | <2.7.15-4ubuntu4~18.04.1 | 2.7.15-4ubuntu4~18.04.1 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python2.7-minimal | <2.7.15-4ubuntu4~18.04.1 | 2.7.15-4ubuntu4~18.04.1 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python3.6 | <3.6.8-1~18.04.2 | 3.6.8-1~18.04.2 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python3.6-minimal | <3.6.8-1~18.04.2 | 3.6.8-1~18.04.2 |
| Ubuntu Ubuntu | =18.04 | |
| All of | ||
| ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.8 | 2.7.12-1ubuntu0~16.04.8 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/python2.7-minimal | <2.7.12-1ubuntu0~16.04.8 | 2.7.12-1ubuntu0~16.04.8 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.8 | 3.5.2-2ubuntu0~16.04.8 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/python3.5-minimal | <3.5.2-2ubuntu0~16.04.8 | 3.5.2-2ubuntu0~16.04.8 |
| Ubuntu Ubuntu | =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2018-20406
- https://ubuntu.com/security/CVE-2018-20852
- https://ubuntu.com/security/CVE-2019-10160
- https://ubuntu.com/security/CVE-2019-5010
- https://ubuntu.com/security/CVE-2019-9636
- https://ubuntu.com/security/CVE-2019-9740
- https://ubuntu.com/security/CVE-2019-9947
- https://ubuntu.com/security/CVE-2019-9948
- https://ubuntu.com/security/notices/USN-4127-2
- https://launchpad.net/ubuntu/+source/python2.7/2.7.16-2ubuntu0.1
- https://launchpad.net/ubuntu/+source/python3.7/3.7.3-2ubuntu0.1
- https://launchpad.net/ubuntu/+source/python2.7/2.7.15-4ubuntu4~18.04.1
- https://launchpad.net/ubuntu/+source/python3.6/3.6.8-1~18.04.2
- https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.8
- https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.8
- https://ubuntu.com/security/notices/USN-4127-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID for the Python vulnerabilities?
The vulnerability ID for the Python vulnerabilities is CVE-2018-20406.
Which versions of Ubuntu are affected by the Python vulnerabilities?
The Python vulnerabilities only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
What is the remedy for the Python vulnerabilities in Python 2.7?
The remedy for the Python vulnerabilities in Python 2.7 is version 2.7.16-2ubuntu0.1.
What is the remedy for the Python vulnerabilities in Python 3.7?
The remedy for the Python vulnerabilities in Python 3.7 is version 3.7.3-2ubuntu0.1.
Are there any known references for the Python vulnerabilities?
Yes, there are references available for the Python vulnerabilities. You can refer to the following links: [CVE-2018-20406](https://ubuntu.com/security/CVE-2018-20406), [CVE-2018-20852](https://ubuntu.com/security/CVE-2018-20852), [CVE-2019-10160](https://ubuntu.com/security/CVE-2019-10160).
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/usn
- source/Ubuntu
- anchor-related/USN-4127-2
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/19.04
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04