Subject: [ASA-201911-4] python2: information disclosure Arch Linux Security Advisory ASA-201911-4 ========================================= Severity: High Date : 2019-11-03 CVE-ID : CVE-2019-9636 Package : python2 Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-978 Summary ======= The package python2 before version 2.7.17-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.7.17-1. # pacman -Syu "python2>=2.7.17-1" The problem has been fixed upstream in version 2.7.17. Workaround ========== None. Description =========== Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. A specially crafted URL could be incorrectly parsed by urllib.parse.urlsplit and urllib.parse.urlparse to locate cookies or authentication data and send that information to a different host than when parsed correctly. Impact ====== A remote attacker is able to craft a malicious URL and transfer private data to a different host than expected. References ========== https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de https://security.archlinux.org/CVE-2019-9636