naftaliharris/tauthon

CVE-2019-9740

Closed this issue · 8 comments

We should patch this urllib vulnerability ASAP. Anybody working on it yet?

Wow. Should we at least trap embedding control chars into a URL? I guess it'd be prudent in both urllib and urllib2.
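For readers following the proposal above, here is an added illustration (not code from Tauthon, CPython, or the upstream patch) of why raw control characters in a URL matter for an HTTP client and what "trapping" them looks like. A CR/LF that survives into the request line terminates it early, so the remainder of the URL is read by the server as further header lines or even a second request. The character class, the URL, and the helper names below are this example's own assumptions; the URL is constructed for the demo.

```python
from __future__ import print_function
import re

# Assumption for this example: reject ASCII control characters, space and
# DEL anywhere in the request-target. CR or LF in particular split the
# request line and let the rest of the URL be parsed as extra header lines.
_DISALLOWED_PCHAR = re.compile(r'[\x00-\x20\x7f]')


def request_target(url):
    """Return the path[?query] portion that would go on the HTTP request line.

    Deliberately minimal: no normalisation or stripping, so the demo shows
    exactly what an unchecked client would put on the wire.
    """
    rest = url.split('://', 1)[1] if '://' in url else url
    slash = rest.find('/')
    target = rest[slash:] if slash >= 0 else '/'
    return target.split('#', 1)[0]          # fragments are never sent


def build_request_line_unchecked(method, url):
    """Vulnerable variant: control characters in the URL reach the wire verbatim."""
    return '%s %s HTTP/1.1\r\n' % (method, request_target(url))


def build_request_line_checked(method, url):
    """Hardened variant: refuse a URL whose request-target carries control characters."""
    target = request_target(url)
    if _DISALLOWED_PCHAR.search(target):
        raise ValueError('URL contains disallowed control characters: %r' % target)
    return '%s %s HTTP/1.1\r\n' % (method, target)


def smuggled_lines(request_line):
    """Count non-empty lines beyond the first, i.e. lines injected via CRLF."""
    lines = [l for l in request_line.split('\r\n') if l]
    return len(lines) - 1


# Constructed attacker-controlled URL (not taken from the report): a CRLF in
# the query smuggles a header and a second request line into the connection.
MALICIOUS_URL = ('http://example.invalid/api?id=1 HTTP/1.1\r\n'
                 'X-Injected: yes\r\n\r\nGET /other')

if __name__ == '__main__':
    print(repr(build_request_line_unchecked('GET', MALICIOUS_URL)))
    try:
        build_request_line_checked('GET', MALICIOUS_URL)
    except ValueError as e:
        print('rejected:', e)
```

Rejecting (rather than percent-encoding) the offending characters is the behaviour the comment above argues for: an application that really means to send a space or a newline can encode it itself, while a URL built from untrusted input fails closed instead of becoming header injection.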

Ping? Is anybody still looking into security fixes for Tauthon? I see no commits to master at all since the 2.8.0 release. Is this project still alive?

Moving from Python 2 to Tauthon would make a lot of sense security-wise (even for code that works fine with Python 2.7.x) if Tauthon is actively maintained, but not if the 2.8.0 release was the end.

Since this project does sync from the Python 2.x series, this fix should appear presently. The founder of "Python 2.8" (nee "Tauthon") has stepped back a bit, not sure if the new maintainer is still available. :-(

That'll work for now, assuming the sync actually happens. (The security fix at hand was committed to the upstream 2.7 branch on 2019-05-21. There has been no sync to Tauthon since then.) But it will no longer be something you can rely on after 2019-12-31. Security fixes will actually need to be backported from Python 3.

not sure if the new maintainer is still available

I am.

Should be closed by #118 if you want to patch before it gets re-sync'd.

Solved.