CVE-2019-9636 : Red Hat has Released Security Update for python


Red Hat has released a security update for the python-2.6.6 package in Red Hat Enterprise Linux 6 products.

This release fixes a vulnerability in the python-2.6.6 package in Red Hat Enterprise Linux 6 products.

python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)

Date Reported: 13-March-2019
Fix Released On: 13-June-2019
Severity Level: High
Affected Packages: python-2.6.6

Affected Operating System & Version:

Operating System Name/Version/Code Name | Fixed Package Version
Red Hat Enterprise Linux Server 6 x86_64 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux Server 6 i386 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux Workstation 6 x86_64 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux Workstation 6 i386 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux Desktop 6 x86_64 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux Desktop 6 i386 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux for IBM z Systems 6 s390x | python-2.6.6-68.el6_10
Red Hat Enterprise Linux for Power, big endian 6 ppc64 | python-2.6.6-68.el6_10
Red Hat Enterprise Linux for Scientific Computing 6 x86_64 | python-2.6.6-68.el6_10

Refer to the following link for installing security updates on Red Hat (RHEL) and CentOS systems.

Details:

Improper handling of Unicode encoding (with an incorrect netloc) during NFKC normalization. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname).

The affected components are urllib.parse.urlsplit and urllib.parse.urlparse. The attack vector is a specially crafted URL that is parsed incorrectly, so that cookies or authentication data are looked up for, and sent to, a different host than the one obtained when the URL is parsed correctly.
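As an added, defensive example that is not part of this advisory: a Python 3 check that flags URLs whose netloc gains a delimiter under NFKC normalization (the condition behind CVE-2019-9636), plus a probe of whether the running interpreter's urlsplit already rejects such URLs. The sample URLs are constructed; the check is modelled on the NFKC comparison the upstream CPython fix applies (stated from knowledge of that patch, not from this page) and uses Python 3's urllib.parse rather than the Python 2.6 urlparse module the advisory covers.

```python
import unicodedata
from urllib.parse import urlsplit

# Delimiters that decide where userinfo, host and port begin and end, or that
# terminate the netloc. If NFKC normalization *creates* one of these, a parser
# that normalizes first ends up with a different host than one that does not.
NETLOC_DELIMITERS = "/?#@:"

def raw_netloc(url: str) -> str:
    """Authority part as a lenient parser reads it: after '//' up to the first
    '/', '?' or '#'. Done by hand so it works on a patched interpreter too."""
    start = url.find("//")
    if start == -1:
        return ""
    rest = url[start + 2:]
    end = min([len(rest)] + [i for i in map(rest.find, "/?#") if i != -1])
    return rest[:end]

def netloc_is_safe(netloc: str) -> bool:
    """False when NFKC normalization introduces a delimiter that the
    un-normalized netloc did not contain (the CVE-2019-9636 condition)."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc  # remove delimiters already present: only new ones count
    for c in NETLOC_DELIMITERS:
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in NETLOC_DELIMITERS)

def url_is_safe(url: str) -> bool:
    return netloc_is_safe(raw_netloc(url))

def interpreter_rejects(url: str) -> bool:
    """True if this interpreter's urlsplit raises ValueError (fix present)."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False

# Constructed sample URLs (not taken from the advisory).
CRAFTED = ["https://example.com\uff03@bing.com",  # U+FF03 -> '#' under NFKC
           "https://\u2100.example.com/path"]     # U+2100 -> 'a/c' under NFKC
BENIGN = ["https://example.com/",
          "https://b\u00fccher.example/",         # precomposed ü is NFKC-stable
          "https://user@ex\u00e4mple.org:8443/x?y#z"]
```

On a patched interpreter both functions agree on the crafted URLs; on an unpatched one only url_is_safe flags them, which is what makes the pre-parse check useful as a stopgap.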

It’s recommended to update the python package ASAP.

For more details about the security issues, and other related information, refer to the CVE pages.

Solution:

Refer to the following link to verify the installed security updates on Red Hat (RHEL) and CentOS systems.

This issue has been fixed and the update is available in the Red Hat distribution repositories.

The installed security fix can be verified in the package changelog using the following command.

# rpm -q --changelog python-2.6.6 | grep -i "CVE-2019-9636"
