{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "tracking": { "current_release_date": "2025-11-27T18:42:32Z", "generator": { "date": "2025-11-27T18:42:32Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1760370140", "initial_release_date": "2025-10-13T15:43:08Z", "revision_history": [ { "date": "2025-10-13T15:43:08Z", "number": "1", "summary": "Initial version" }, { "date": "2025-11-27T18:42:32Z", "number": "2", "summary": "Update document" } ], "status": "final", "version": "2" }, "title": "Fix CVE(s): CVE-2020-26116, CVE-2020-8492" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 18.04", "product": { "name": "Ubuntu 18.04", "product_id": "Ubuntu-18", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "alt-python27-debug-0:2.7.18-7.amd64", "product": { "name": "alt-python27-debug-0:2.7.18-7.amd64", "product_id": "alt-python27-debug-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-debug@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-tools-0:2.7.18-7.amd64", "product": { "name": "alt-python27-tools-0:2.7.18-7.amd64", "product_id": "alt-python27-tools-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-tools@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-0:2.7.18-7.amd64", "product": { "name": "alt-python27-0:2.7.18-7.amd64", "product_id": "alt-python27-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-devel-0:2.7.18-7.amd64", "product": { "name": "alt-python27-devel-0:2.7.18-7.amd64", "product_id": "alt-python27-devel-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-devel@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-tkinter-0:2.7.18-7.amd64", "product": { "name": "alt-python27-tkinter-0:2.7.18-7.amd64", "product_id": "alt-python27-tkinter-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-tkinter@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-libs-0:2.7.18-7.amd64", "product": { "name": "alt-python27-libs-0:2.7.18-7.amd64", "product_id": "alt-python27-libs-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-libs@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-idle-0:2.7.18-7.amd64", "product": { "name": "alt-python27-idle-0:2.7.18-7.amd64", "product_id": "alt-python27-idle-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-idle@2.7.18-7?arch=amd64" } } }, { "category": "product_version", "name": "alt-python27-test-0:2.7.18-7.amd64", "product": { "name": "alt-python27-test-0:2.7.18-7.amd64", "product_id": "alt-python27-test-0:2.7.18-7.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/alt-python27-test@2.7.18-7?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "alt-python27-debug-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-debug-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-tools-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-tools-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-devel-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-devel-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-tkinter-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-tkinter-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-libs-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-libs-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-idle-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-idle-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python27-test-0:2.7.18-7.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64" }, "product_reference": "alt-python27-test-0:2.7.18-7.amd64", "relates_to_product_reference": "Ubuntu-18" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-8492", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2020-8492" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html" }, { "category": "external", "summary": "https://bugs.python.org/issue39503", "url": "https://bugs.python.org/issue39503" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/18284", "url": "https://github.com/python/cpython/pull/18284" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E", "url": "https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5%40%3Ccommits.cassandra.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E", "url": "https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da%40%3Ccommits.cassandra.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/" }, { "category": "external", "summary": "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html", "url": "https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202005-09", "url": "https://security.gentoo.org/glsa/202005-09" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200221-0001/", "url": "https://security.netapp.com/advisory/ntap-20200221-0001/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4333-1/", "url": "https://usn.ubuntu.com/4333-1/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4333-2/", "url": "https://usn.ubuntu.com/4333-2/" } ], "release_date": "2020-01-30T19:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-10-13T15:42:22.691296Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2025:1760370140", "product_ids": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2025:1760370140" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2020-26116", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" }, "notes": [ { "category": "description", "text": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2020-26116" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00027.html" }, { "category": "external", "summary": "https://bugs.python.org/issue39603", "url": "https://bugs.python.org/issue39603" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/" }, { "category": "external", "summary": "https://python-security.readthedocs.io/vuln/http-header-injection-method.html", "url": "https://python-security.readthedocs.io/vuln/http-header-injection-method.html" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202101-18", "url": "https://security.gentoo.org/glsa/202101-18" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20201023-0001/", "url": "https://security.netapp.com/advisory/ntap-20201023-0001/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4581-1/", "url": "https://usn.ubuntu.com/4581-1/" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2021.html", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "release_date": "2020-09-27T04:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-10-13T15:42:22.691296Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2025:1760370140", "product_ids": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2025:1760370140" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Ubuntu-18:alt-python27-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-debug-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-devel-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-idle-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-libs-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-test-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tkinter-0:2.7.18-7.amd64", "Ubuntu-18:alt-python27-tools-0:2.7.18-7.amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }