The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Python: header tampering via urllib2, urllib

Synthesis of the vulnerability

An attacker can change the HTTP request created by urllib.
Severity of this alert: 2/4.
Creation date: 17/06/2016.
References of this alert: bulletinjul2016, CVE-2016-5699, DLA-1663-1, DLA-522-1, DSA-2019-131, FEDORA-2016-34ca5273e9, FEDORA-2016-6c2b74bb96, FEDORA-2016-b046b56518, FEDORA-2016-ef784cf9f7, openSUSE-SU-2016:1885-1, openSUSE-SU-2016:2120-1, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, SP-CAAAPSR, SPL-128812, SUSE-SU-2019:0223-1, USN-3134-1, VIGILANCE-VUL-19925.

Description of the vulnerability

The urllib module of the Python standard library is an HTTP client.

However, the urllib module does not reject HTTP headers embedded at the end of the URL it is given. Such headers are inserted into the request before the ones that urllib adds itself, so an application that builds a URL from untrusted input sends whatever headers that input contains.

An attacker who controls part of the URL can therefore change the HTTP request created by urllib.
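A pre-flight check that an application can run on a URL before handing it to urllib, added here as an illustration; it is not the upstream patch and not part of the bulletin. The function names and the sample URLs are constructed for this example. It checks the raw string first, because `urlsplit` in current Python silently strips raw CR and LF, and then checks each percent-decoded component, since the host (and, behind some proxies, the path) is decoded before being copied into the request.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that must never reach the request line or a header field:
# CR and LF terminate a header, and other C0 controls corrupt the request.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_header_injection(url):
    """Return the name of the URL component that would carry control
    characters into the HTTP request, or None if the URL is clean.

    "url" means the raw string itself contained a control character;
    otherwise the offending component after percent-decoding is named.
    """
    # 1. Raw string: catch literal CR/LF before urlsplit() strips them.
    if _CTRL_RE.search(url):
        return "url"
    # 2. Each component after percent-decoding (%0d%0a -> CR LF).
    parts = urlsplit(url)
    for name in ("netloc", "path", "query", "fragment"):
        if _CTRL_RE.search(unquote(getattr(parts, name))):
            return name
    return None


def safe_url(url):
    """Return the URL unchanged, or raise ValueError if it would smuggle
    a header into the request built by urllib."""
    bad = find_header_injection(url)
    if bad is not None:
        raise ValueError("control character in URL component: %s" % bad)
    return url


if __name__ == "__main__":
    # Constructed samples: one clean URL, one with an encoded CR LF.
    print(find_header_injection("http://example.invalid/path?q=1"))
    print(find_header_injection("http://example.invalid/%0d%0aX-Injected:%201"))
```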

This cybersecurity bulletin impacts software or systems such as Debian, VNX Operating Environment, VNX Series, Fedora, openSUSE, openSUSE Leap, Solaris, Python, RHEL, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this cybersecurity weakness is medium.

The trust level is confirmed by the vendor, based on a published document.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

Python: patch for urllib2 and urllib.
A patch for the 3.4, 3.5 and 2.7 branches is indicated in information sources.

Debian 8: new python3.4 packages.
New packages are available:
  Debian 8: python3.4 3.4.2-1+deb8u2

Debian: new python2.7 packages.
New packages are available:
  Debian 7: python2.7 2.7.3-6+deb7u3

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Fedora 23: new python3 packages.
New packages are available:
  Fedora 23: python3 3.4.3-9.fc23

Fedora: new pypy3 packages.
New packages are available:
  Fedora 22: pypy3 2.4.0-3.fc22
  Fedora 23: pypy3 2.4.0-3.fc23
  Fedora 24: pypy3 2.4.0-6.fc24

openSUSE: new python3 packages.
New packages are available:
  openSUSE 13.2: python3 3.4.5-4.4.1
  openSUSE Leap 42.1: python3 3.4.5-8.1

openSUSE: new python packages.
New packages are available:
  openSUSE 13.2: python 2.7.12-3.1
  openSUSE Leap 42.1: python 2.7.12-23.1

RHEL 7: new rh-python35-python packages.
New packages are available:
  RHEL 7: rh-python35-python 3.5.1-9.el7

RHEL: new python27-python packages.
New packages are available:
  RHEL 6: python27-python 2.7.8-18.el6
  RHEL 7: python27-python 2.7.8-16.el7

RHEL: new python33-python packages.
New packages are available:
  RHEL 6: python33-python 3.3.2-18.el6
  RHEL 7: python33-python 3.3.2-16.el7

RHEL: new python packages.
New packages are available:
  RHEL 6: python 2.6.6-66.el6_8
  RHEL 7: python 2.7.5-38.el7_2

RHEL: new rh-python34-python packages.
New packages are available:
  RHEL 6: rh-python34-python 3.4.2-14.el6

Solaris: patch for third party software of July 2016 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Splunk Enterprise: versions 6.5.0, 6.4.5, 6.3.8, 6.2.12, 6.1.12, 6.0.13 and 5.0.17.
Versions 6.5.0, 6.4.5, 6.3.8, 6.2.12, 6.1.12, 6.0.13 and 5.0.17 are fixed:
  http://www.splunk.com/en_us/homepage.html

SUSE LE 12 RTM: new python packages.
New packages are available:
  SUSE LE 12 RTM: python 2.7.9-16.7.1

Ubuntu: new python packages.
New packages are available:
  Ubuntu 16.04 LTS: python2.7 2.7.12-1ubuntu0~16.04.1, python3.5 3.5.2-2ubuntu0~16.04.1
  Ubuntu 14.04 LTS: python2.7 2.7.6-8ubuntu0.3, python3.4 3.4.3-1ubuntu1~14.04.5
  Ubuntu 12.04 LTS: python2.7 2.7.3-0ubuntu3.9, python3.2 3.2.3-0ubuntu3.8
