Launchpad CVE tracker

CVE 2019-10160

A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

Related bugs and status

CVE-2019-10160 (Candidate) is related to these bugs:

Bug #1835135: FIPS OpenSSL crashes Python2 hashlib

		In	Importance	Status
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu)	High	Triaged
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Bionic)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Xenial)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Cosmic)	Undecided	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Eoan)	High	Won't Fix
1835135	FIPS OpenSSL crashes Python2 hashlib	python2.7 (Ubuntu Disco)	Medium	Fix Released
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Bionic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Cosmic)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Disco)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Eoan)	Undecided	Invalid
1835135	FIPS OpenSSL crashes Python2 hashlib	python3.5 (Ubuntu Xenial)	Medium	Fix Released

Bug #1835738: SRU: Update Python interpreter to 3.6.9 and 3.7.5

		In	Importance	Status
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Disco)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Disco)	Undecided	Won't Fix
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Eoan)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3-stdlib-extensions (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.6 (Ubuntu Bionic)	Undecided	Fix Released
1835738	SRU: Update Python interpreter to 3.6.9 and 3.7.5	python3.7 (Ubuntu Bionic)	Undecided	Fix Released

Bug #1887438: Controller-0 Not Ready after force rebooting active controller (Controller-1)

Summary				In	Importance	Status
	1887438	Controller-0 Not Ready after force rebooting active controller (Controller-1)		StarlingX	Medium	Fix Released

Bug #1906470: CVE-2019-11068: libxslt: bypass of protection mechanism

Summary				In	Importance	Status
	1906470	CVE-2019-11068: libxslt: bypass of protection mechanism		StarlingX	High	Fix Released

Bug #1906471: CVE-2019-17006: nss: crypto primitives missing length checks

Summary				In	Importance	Status
	1906471	CVE-2019-17006: nss: crypto primitives missing length checks		StarlingX	High	Fix Released

Bug #1908088: stx-tools: yum fails in Docker with misleading error messages

Summary				In	Importance	Status
	1908088	stx-tools: yum fails in Docker with misleading error messages		StarlingX	Low	Fix Released

Bug #1908297: populate_downloads.sh doesn't clean/backup old content

Summary				In	Importance	Status
	1908297	populate_downloads.sh doesn't clean/backup old content		StarlingX	Low	Fix Released

Bug #1908751: mirror-check.sh failes for layered build

Summary				In	Importance	Status
	1908751	mirror-check.sh failes for layered build		StarlingX	Low	Triaged

Bug #1910130: Build of 'compile' layer fails due to missing python3 dependencies

Summary				In	Importance	Status
	1910130	Build of 'compile' layer fails due to missing python3 dependencies		StarlingX	Critical	Fix Released

Bug #1912139: CVE-2018-19519: tcpdump: a stack-based buffer over-read

Summary				In	Importance	Status
	1912139	CVE-2018-19519: tcpdump: a stack-based buffer over-read		StarlingX	Medium	Fix Released

Bug #1912682: tools: Dockerfile: yum install silently ignores errors

Summary				In	Importance	Status
	1912682	tools: Dockerfile: yum install silently ignores errors		StarlingX	Low	Fix Released

Bug #1915050: IPv6: All hosts remain offline after booting off the controller-0

Summary				In	Importance	Status
	1915050	IPv6: All hosts remain offline after booting off the controller-0		StarlingX	Critical	Fix Released

Bug #1917864: bash: shell commands are no longer logged to /var/log/bash.log

Summary				In	Importance	Status
	1917864	bash: shell commands are no longer logged to /var/log/bash.log		StarlingX	High	Fix Released

Bug #1917901: tb.sh create fails on rmdir /var/lib/mock

Summary				In	Importance	Status
	1917901	tb.sh create fails on rmdir /var/lib/mock		StarlingX	High	Fix Released

Bug #1918154: CVE-2020-10878: perl: perl before 5.30.3 has an integer overflow

Summary				In	Importance	Status
	1918154	CVE-2020-10878: perl: perl before 5.30.3 has an integer overflow		StarlingX	High	Fix Released

Bug #1918477: download_mirror.sh is slow

Summary				In	Importance	Status
	1918477	download_mirror.sh is slow		StarlingX	High	Fix Released

Bug #1920024: linuxsoft.cern.ch is no longer responding

Summary				In	Importance	Status
	1920024	linuxsoft.cern.ch is no longer responding		StarlingX	High	Fix Released

Bug #1923458: basearch not always set

Summary				In	Importance	Status
	1923458	basearch not always set		StarlingX	Medium	Fix Released

Bug #1924691: systemd sends tons of useless PropertiesChanged messages when a mount happens

Summary				In	Importance	Status
	1924691	systemd sends tons of useless PropertiesChanged messages when a mount happens		StarlingX	Medium	Fix Released

Bug #1926372: CVE-2021-26937 screen segfault

Summary				In	Importance	Status
	1926372	CVE-2021-26937 screen segfault		StarlingX	High	Fix Released

Bug #1926987: Download_mirror.sh fails on 'flockflock'

Summary				In	Importance	Status
	1926987	Download_mirror.sh fails on 'flockflock'		StarlingX	Critical	Fix Released

Bug #1927137: Docker build env fails on git-review

Summary				In	Importance	Status
	1927137	Docker build env fails on git-review		StarlingX	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2019-10160

References