CVE-2019-16056

Name
CVE-2019-16056
Description
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugs.python.org/issue34155
Patch https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/
MLIST https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html
MLIST https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/
CONFIRM https://security.netapp.com/advisory/ntap-20190926-0005/
UBUNTU https://usn.ubuntu.com/4151-1/
UBUNTU https://usn.ubuntu.com/4151-2/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00012.html
REDHAT https://access.redhat.com/errata/RHSA-2019:3725
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00021.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/
REDHAT https://access.redhat.com/errata/RHSA-2019:3948
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
N/A https://www.oracle.com/security-alerts/cpuapr2020.html
MISC https://www.oracle.com/security-alerts/cpujul2020.html
MLIST https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
MLIST https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
MLIST https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= None <= 2.7.16
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.0.0 <= 3.0.1
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.1.0 <= 3.1.5
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.2.0 <= 3.2.6
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.3.0 <= 3.3.7
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.5.0 <= 3.5.7
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.7.0 <= 3.7.4
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.4.0 <= 3.4.10
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.6.0 <= 3.6.9

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
python3 edge-main 3.7.5-r0 None fixed
python3 3.22-main 3.7.5-r0 None fixed
python3 3.21-main 3.7.5-r0 None fixed
python3 3.20-main 3.7.5-r0 None fixed
python3 3.19-main 3.7.5-r0 None fixed
python3 3.18-main 3.7.5-r0 None fixed
python3 3.17-main 3.7.5-r0 None fixed
python3 3.12-main 3.7.5-r0 None fixed
python3 3.11-main 3.7.5-r0 None fixed
python3 3.10-main 3.7.5-r0 None fixed
python2 edge-community 2.7.16-r3 None fixed
python2 3.12-main 2.7.16-r3 None fixed
python2 3.11-main 2.7.16-r3 None fixed