Red Hat has released a security update for the python-2.6.6 package in Red Hat Enterprise Linux 6 products.
This release fixes one vulnerability in the python-2.6.6 package shipped with Red Hat Enterprise Linux 6 products.
python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)
Date Reported | 13-March-2019 |
Fix Released On | 13-June-2019 |
Severity Level | High |
Affected Packages | python-2.6.6 |
Affected Operating System & Version:
Operating System Name/Version/Code Name | Fixed Package Version |
Red Hat Enterprise Linux Server 6 x86_64 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux Server 6 i386 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux Workstation 6 x86_64 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux Workstation 6 i386 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux Desktop 6 x86_64 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux Desktop 6 i386 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux for IBM z Systems 6 s390x | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux for Power, big endian 6 ppc64 | python-2.6.6-68.el6_10 |
Red Hat Enterprise Linux for Scientific Computing 6 x86_64 | python-2.6.6-68.el6_10 |
Refer to the following link for installing security updates on Red Hat (RHEL) and CentOS systems.
Details:
Improper handling of Unicode encoding (with an incorrect netloc) during NFKC normalization. The impact is information disclosure: credentials, cookies, etc. that are cached against a given hostname can be sent to the wrong host.
The affected components are urllib.parse.urlsplit and urllib.parse.urlparse (in the Python 2 interpreter shipped with RHEL 6 these live in the urlparse module as urlparse.urlsplit and urlparse.urlparse). The attack vector is a specially crafted URL containing non-ASCII characters whose NFKC-normalized form is an ASCII URL delimiter (for example a fullwidth '#' or '@'). The parser determines one hostname from the raw URL, while IDNA/NFKC processing applied later yields a different hostname, so cookies or authentication data selected for one host can be sent to another host than when the URL is parsed correctly.
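The mismatch described above, as an added example that is not part of the original advisory or of Red Hat's patch: a minimal netloc/hostname extraction written in Python 3 the way a pre-fix urlsplit behaves (no normalization), the same extraction after NFKC normalization (the equivalence IDNA applies before a request leaves the client), and a mirror of the check upstream added in bpo-36216, which rejects a netloc whose NFKC form gains '/', '?', '#', '@' or ':'. The URLs are constructed for the demonstration; example.com and bing.com stand for any two hosts.

```python
import unicodedata

# Constructed inputs for this example (not from the advisory). The first uses
# U+FF03 FULLWIDTH NUMBER SIGN (NFKC -> '#'), the second U+FF20 FULLWIDTH
# COMMERCIAL AT (NFKC -> '@').
CRAFTED_URLS = [
    "https://example.com\uFF03@bing.com",
    "https://example.com:80\uFF20bing.com",
]


def naive_netloc(url):
    """Netloc the way a pre-fix urlsplit finds it: everything after '://'
    up to the first ASCII '/', '?' or '#'. No Unicode normalization."""
    rest = url.split("://", 1)[1]
    end = len(rest)
    for delim in "/?#":
        pos = rest.find(delim)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def naive_hostname(url):
    """Hostname from the netloc: drop userinfo up to the last ASCII '@', then any ':port'."""
    netloc = naive_netloc(url)
    host = netloc.rpartition("@")[2]
    return host.partition(":")[0].lower()


def hostname_before_and_after(url):
    """(host parsed from the raw URL, host parsed after NFKC normalization).
    A mismatch is the CVE-2019-9636 condition: credentials are looked up for
    the first host, the request goes to the second."""
    return naive_hostname(url), naive_hostname(unicodedata.normalize("NFKC", url))


def netloc_is_safe(netloc):
    """Mirror of the upstream _checknetloc() fix: a netloc is rejected when
    NFKC normalization introduces a delimiter that would split the URL differently."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return True
    stripped = netloc
    for c in "@:#?":            # delimiters already present are not the problem
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(c in normalized for c in "/?#@:")


def safe_hostname(url):
    """Hostname extraction with the check applied; raises ValueError like the fixed urlsplit."""
    netloc = naive_netloc(url)
    if not netloc_is_safe(netloc):
        raise ValueError("netloc %r contains invalid characters under NFKC normalization" % netloc)
    return naive_hostname(url)


def is_rejected(url):
    """True when safe_hostname() refuses the URL."""
    try:
        safe_hostname(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in CRAFTED_URLS:
        raw, normalized = hostname_before_and_after(url)
        print("%r -> raw host %r, normalized host %r, rejected by fix: %s"
              % (url, raw, normalized, is_rejected(url)))
```

Running the block shows both crafted URLs resolving to a different host before and after normalization, and both being refused by the check; a plain IDN such as bücher.example passes, because NFKC leaves it unchanged and introduces no delimiter.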
It is recommended to update the python package as soon as possible.
For more details about the security issues, and other related information, refer to the CVE pages.
Red Hat Security Advisory References:
Security Database References (CVE):
Solution:
Refer to the following link to verify the installed security updates on Red Hat (RHEL) and CentOS systems.
This issue has been fixed and the updated package is available in the Red Hat distribution repositories.
The installed security fix can be verified in the package changelog with the following command:
# rpm -q --changelog python-2.6.6 | grep -i "CVE-2019-9636"