python2.7: CVE-2019-5010: NULL pointer dereference using a specially crafted X509 certificate


Debian Bug report logs - #921040


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 31 Jan 2019 23:36:04 UTC

Severity: important

Tags: security, upstream

Found in versions python2.7/2.7.15-5, python2.7/2.7.13-2+deb9u3, python2.7/2.7.13-1

Fixed in version python2.7/2.7.15-6

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.python.org/issue35746




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#921040; Package python2.7. (Thu, 31 Jan 2019 23:36:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Matthias Klose <doko@debian.org>. (Thu, 31 Jan 2019 23:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-5010
Date: Fri, 01 Feb 2019 00:33:35 +0100
Package: python2.7
Version: 2.7.15-5
Severity: important
Tags: security

This was assigned CVE-2019-5010:
https://bugs.python.org/issue35746
https://github.com/python/cpython/pull/11569

Patch for 2.7:
https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595

Cheers,
        Moritz
     



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:06:06 GMT)


Set Bug forwarded-to-address to 'https://bugs.python.org/issue35746'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:06:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#921040; Package python2.7. (Fri, 01 Feb 2019 07:42:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Fri, 01 Feb 2019 07:42:11 GMT)


Message #14 received at 921040@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 921040@bugs.debian.org
Subject: Re: Bug#921040: CVE-2019-5010
Date: Fri, 1 Feb 2019 08:26:11 +0100
Control: retitle -1 python2.7: CVE-2019-5010: NULL pointer dereference using a specially crafted X509 certificate
Control: clone -1 -2 -3
Control: reassign -2 src:python3.6 3.6.8-1
Control: retitle -2 python3.6: CVE-2019-5010: NULL pointer dereference using a specially crafted X509 certificate
Control: reassign -3 src:python3.7 3.7.2-1
Control: retitle -3 python3.7: CVE-2019-5010: NULL pointer dereference using a specially crafted certificate

On Fri, Feb 01, 2019 at 12:33:35AM +0100, Moritz Muehlenhoff wrote:
> Package: python2.7
> Version: 2.7.15-5
> Severity: important
> Tags: security
> 
> This was assigned CVE-2019-5010:
> https://bugs.python.org/issue35746
> https://github.com/python/cpython/pull/11569
> 
> Patch for 2.7:
> https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595

Affects as well the versions in unstable for python3.6 and python3.7
so cloning the bug accordingly.

Regards,
Salvatore



Changed Bug title to 'python2.7: CVE-2019-5010: NULL pointer dereference using a specially crafted X509 certificate' from 'CVE-2019-5010'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921040-submit@bugs.debian.org. (Fri, 01 Feb 2019 07:42:11 GMT)


Bug 921040 cloned as bugs 921063, 921064. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 07:57:04 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Fri, 01 Feb 2019 08:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 01 Feb 2019 08:51:09 GMT)


Message #23 received at 921040-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 921040-close@bugs.debian.org
Subject: Bug#921040: fixed in python2.7 2.7.15-6
Date: Fri, 01 Feb 2019 08:48:22 +0000
Source: python2.7
Source-Version: 2.7.15-6

We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921040@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 01 Feb 2019 08:18:31 +0100
Source: python2.7
Architecture: source
Version: 2.7.15-6
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Closes: 921039 921040
Changes:
 python2.7 (2.7.15-6) unstable; urgency=medium
 .
   * Update to 20190201 from the 2.7 branch.
     - CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline().
     - CVE-2018-14647: _elementtree.c doesn't call XML_SetHashSalt().
       Closes: #921039.
     - CVE-2019-5010: DoS vulnerability exists in the X509 certificate parser.
       Closes: #921040.
   * Bump standards version.
   * Update symbols file.





Marked as found in versions python2.7/2.7.13-2+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 09:30:10 GMT)


Marked as found in versions python2.7/2.7.13-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2019 09:30:10 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Mar 2019 07:28:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:11:18 2019; Machine Name: buxtehude
