Subject: [ASA-201906-17] python: information disclosure Arch Linux Security Advisory ASA-201906-17 ========================================== Severity: High Date : 2019-06-18 CVE-ID : CVE-2019-9636 Package : python Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-977 Summary ======= The package python before version 3.7.3-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 3.7.3-1. # pacman -Syu "python>=3.7.3-1" The problem has been fixed upstream in version 3.7.3. Workaround ========== None. Description =========== Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. A specially crafted URL could be incorrectly parsed by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or authentication data and send that information to a different host than when parsed correctly. Impact ====== A remote attacker is able to use a specially crafted URL to locate and disclose cookies or authentication data. References ========== https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de https://security.archlinux.org/CVE-2019-9636