stable
FEDORA-2020-8bdd3fd7a4 created by churchyard 2 years ago for Fedora 32

Python 3.6.11

Python 3.6.11 is the latest security fix release of Python 3.6.

  • bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
  • bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised.
  • bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Also fix a regression with distutils.sysconfig.get_config_var('LIBPL') value in Fedora specific patches.
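The following check script is an added example, not part of the Fedora update or of CPython's own test suite. It probes the first two fixes listed above on the interpreter it is run with: bpo-39073 (email.headerregistry.Address must raise ValueError when any argument carries CR or LF) and bpo-38576 (http.client.HTTPConnection must raise InvalidURL when the hostname carries a control character; the check happens in the constructor, so no socket is opened). The sample inputs are constructed for illustration. The ReDoS fix (bpo-39503) is a performance property and is not probed here.

```python
import email.headerregistry
import http.client

# Constructed sample inputs (not from the advisory): each carries a CR/LF,
# which is exactly the character class the two fixes reject.
CRLF_DISPLAY_NAME = "Alice\r\nX-Injected: 1"
CRLF_HOST = "example.com\r\ninjected"


def address_rejects_crlf(display_name=CRLF_DISPLAY_NAME):
    """True when email.headerregistry.Address refuses CR/LF (bpo-39073)."""
    try:
        email.headerregistry.Address(display_name=display_name,
                                     username="alice", domain="example.com")
    except ValueError:
        return True
    return False


def hostname_rejects_control_chars(host=CRLF_HOST):
    """True when http.client refuses control characters in a hostname (bpo-38576)."""
    try:
        # Validation runs in HTTPConnection.__init__; nothing is connected.
        http.client.HTTPConnection(host)
    except http.client.InvalidURL:
        return True
    return False


def clean_inputs_still_accepted():
    """Sanity check: ordinary values must not be rejected by either fix."""
    addr = email.headerregistry.Address(display_name="Alice",
                                        username="alice", domain="example.com")
    conn = http.client.HTTPConnection("example.com", 80)
    return str(addr) == "Alice <alice@example.com>" and conn.host == "example.com"


def report():
    """Map each fix to whether the running interpreter has it."""
    return {
        "bpo-39073 Address CR/LF": address_rejects_crlf(),
        "bpo-38576 http.client host control chars": hostname_rejects_control_chars(),
    }


if __name__ == "__main__":
    for name, fixed in report().items():
        print(f"{name}: {'fixed' if fixed else 'VULNERABLE'}")
```

Run it with the interpreter under test (for this update, `python3.6` from python36-3.6.11-1.fc32); an unpatched build reports VULNERABLE for whichever fix it lacks.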

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2020-8bdd3fd7a4

This update has been submitted for testing by churchyard.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update's test gating status has been changed to 'waiting'.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago
vstinner commented & provided feedback 2 years ago

I confirm that python36-3.6.11-1.fc32.x86_64 fixes the AbstractBasicAuthHandler vulnerability. I checked with the https://pypi.org/project/check-python-vuln/ tool (which now says that all checked vulnerabilities are fixed).

I also confirm that LIBPL is fixed:

$ python3.6 -c "import distutils.sysconfig; print(distutils.sysconfig.get_config_var('LIBPL'))"
/usr/lib64/python3.6/config-3.6m-x86_64-linux-gnu

$ python3.6 -c "import sysconfig; print(sysconfig.get_config_var('LIBPL'))"
/usr/lib64/python3.6/config-3.6m-x86_64-linux-gnu

Note: I installed the package using "sudo dnf install https://kojipkgs.fedoraproject.org//packages/python36/3.6.11/1.fc32/x86_64/python36-3.6.11-1.fc32.x86_64.rpm". The dnf update didn't work yet.

BZ#1809065 CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
BZ#1851008 distutils module: sysconfig.get_config_var('LIBPL') returns non existing directory
frantisekz commented & provided feedback 2 years ago

Works fine (through tox for tests of my projects)

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata
Type
security
Severity
medium
Karma
2
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-1
Stable by Karma
2
Stable by Time
7 days
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
Bugs (feedback counts: negative / positive)
BZ#1727276 CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()  0 / 0
BZ#1809065 CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS  0 / 1
BZ#1851008 distutils module: sysconfig.get_config_var('LIBPL') returns non existing directory  0 / 1
