{"id":"MGASA-2019-0135","summary":"Updated python3 packages fix security vulnerability","details":"Python's elementtree C accelerator failed to initialise Expat's hash salt\nduring initialization. This could make it easy to conduct denial of service\nattacks against Expat by contructing an XML document that would cause\npathological hash collisions in Expat's internal data structures, consuming\nlarge amounts CPU and RAM (CVE-2018-14647).\n\nModules/_pickle.c in Python before 3.5.7 has an integer overflow via a large\nLONG_BINPUT value that is mishandled during a \"resize to twice the size\"\nattempt. This issue might cause memory exhaustion, but is only relevant if\nthe pickle format is used for serializing tens or hundreds of gigabytes of\ndata\n(CVE-2018-20406).\n\nA null pointer dereference vulnerability was found in the certificate\nparsing code in Python. This causes a denial of service to applications when\nparsing specially crafted certificates. This vulnerability is unlikely to be\ntriggered if application enables SSL/TLS certificate validation and accepts\ncertificates only from trusted root certificate authorities (CVE-2019-5010).\n\nA vulnerability was found in Python 3.x through 3.5.7. An improper Handling\nof Unicode Encoding (with an incorrect netloc) during NFKC normalization could\nlead to an Information Disclosure (credentials, cookies, etc. that are cached\nagainst a given hostname) in the urllib.parse.urlsplit, urllib.parse.urlparse\ncomponents. A specially crafted URL could be incorrectly parsed to locate\ncookies or authentication data and send that information to a different host\nthan when parsed correctly (CVE-2019-9636).\n\nThe python3 package has been updated to version 3.5.7, fixing these and other\nissues.\n","modified":"2026-02-02T12:56:35.724005Z","published":"2019-04-10T21:25:19Z","related":["CVE-2018-14647","CVE-2018-20406","CVE-2019-5010","CVE-2019-9636"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0135.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23664"},{"type":"REPORT","url":"https://pythoninsider.blogspot.com/2019/03/python-3.html"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A7QEHDSATR6O6LCG44EN2DA4QDAYBYWW/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/"}],"affected":[{"package":{"name":"python3","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.5.7-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0135.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}