Riccardo Schirone added the comment:
Will the flaw outlined in https://bugs.python.org/issue30458#msg347282 be fixed
in python itself? If so, I think a CVE for python should be requested to MITRE
(I can request one, in that case).
Moreover, does it make sense to create a new bug to track
Riccardo Schirone added the comment:
CVE-2019-16056 has been assigned to this issue.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056 .
--
nosy: +rschiron
___
Python tracker
<https://bugs.python.org/issue34
Riccardo Schirone added the comment:
CVE-2019-18348 has been assigned to the issue explained in
https://bugs.python.org/issue30458#msg347282 . Maybe a separate bug for it
would be better though. CVE-2019-18348 is about injecting CRLF in HTTP requests
through the *host* part of a URL
New submission from Riccardo Schirone :
Copy-pasted from https://bugs.python.org/issue30458#msg347282
The commit b7378d77289c911ca6a0c0afaf513879002df7d5 is incomplete: it doesn't
seem to check for control characters in the "host" part of the URL, only in the
Riccardo Schirone added the comment:
I have created https://bugs.python.org/issue38576 to address CVE-2019-18348.
@gregory.p.smith if you have particular complains about these CVEs feel free to
let me know (even privately). I think the security impact of these flaws is: an
application that
Riccardo Schirone added the comment:
The glibc issue mentioned in the first comment is CVE-2016-10739 .
--
___
Python tracker
<https://bugs.python.org/issue38
Riccardo Schirone added the comment:
I agree I don't see a clear vulnerability here.
--
nosy: +rschiron
___
Python tracker
<https://bugs.python.org/is
Riccardo Schirone added the comment:
This CVE was reported against Python, however it does not seem to be Python's
fault for supporting the `;` separator, which was a valid separator for older
standards.
@AdamGold for this issue to become a real security problem, it seems that the
Riccardo Schirone added the comment:
> So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and
> furl. The author of the first one acknowledged use of semicolon as a bug. I
> don't think it was so bad.
Did you upstream fixes for those packages?
Asking b
Riccardo Schirone added the comment:
The fix for python-2.7
(https://github.com/python/cpython/pull/13815/files#diff-b577545d73dd0cdb2c337a4c5f89e1d7R183)
causes errors when netloc contains characters that can't be encoded by 'ascii'
codec.
You can see it by do
Riccardo Schirone added the comment:
> CVE-2019-10160 has been assigned by Red Hat to this flaw.
For clarity, CVE-2019-10160 has been assigned to the bug introduced with the
fix for the functional regression mentioned in this bug, and not to the bug
itself explained in the first comm
Riccardo Schirone added the comment:
Did anybody request a CVE for this issue? I think it deserves one as it is a
security issue and it may leak cookies to wrong domains. Does anybody have
anything against assigning a CVE to this issue? If not, I would try to get one
from MITRE
Riccardo Schirone added the comment:
As far as I know you can't request a hostname with spaces in it (which seems to
be a precondition to trigger this bug) so I think an attacker cannot even
create a malicious CA that would be mistakenly accepted by match_hostname.
--
Riccardo Schirone added the comment:
> > A second problem comes into the game. Some C libraries like glibc strip the
> > end of the hostname (strip at the first newline character) and so HTTP
> > Header injection is still possible is this case:
> > https://bugzilla
Riccardo Schirone added the comment:
CVE-2018-20852 has been assigned to this flaw.
--
___
Python tracker
<https://bugs.python.org/issue35121>
___
___
Python-bug
15 matches
Mail list logo
