Python 2 End of Life Security Updates

As part of ActiveState’s Python 2 extended support, we continue to evaluate known security vulnerabilities (CVEs) impacting Python 2.7 since Python 2 End of Life occurred on January 1, 2020, covering both core (CPython) vulnerabilities and third-party packages.

The following CVEs can be reviewed for your own internal remediation via the links below. Alternatively, ActiveState has released fixes for these vulnerabilities in Python 2.7.18, available for enterprise builds with our Python 2 extended support options.

Core Vulnerabilities

| CVE | Severity | Package | Description | Status | Publish Date |
|---|---|---|---|---|---|
| CVE-2020-27619 | Critical | CPython | In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP. Although the code is different between Python 2 and Python 3, the same issue with the eval() is present in Python 2.7.18. | Fix available | 2020/10/21 |
| CVE-2020-26116 | High | CPython | http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, inserting CR and LF control characters in the first argument of HTTPConnection.request. Although the httplib module is laid out differently in Python 2, the same execution path and behaviour is present in Python 2.7.18. | Fix available | 2020/09/27 |
| CVE-2019-20907 | High | CPython | In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. | Fix available | 2020/07/13 |
| CVE-2020-8492 | Medium | CPython | Core library urllib allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client. | Fix available | 2020/01/30 |

ActiveState has issued a forked version of Python 2.7.18 containing fixes for these vulnerabilities. You can get the source code from our public GitHub repository.


Third-Party Package Vulnerabilities

| CVE | Severity | Package | Description | Status | Publish Date |
|---|---|---|---|---|---|
| CVE-2019-11068 | Critical | libxslt | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. | Fix available | 2020/04/10 |
| CVE-2020-7212 | High | urllib3 | The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). | Fix available | 2020/03/06 |
| CVE-2020-26137 | Medium | urllib3 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | Fix available | 2020/09/30 |
| CVE-2020-5390 | High | PySAML2 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of an assertion that has been signed. | Fix available | 2020/01/13 |
| CVE-2020-14422 | Medium | ipaddress | Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. NOTE: ipaddress is a backported Python 2 library from Python 3 core and is vulnerable to the issue described. ActiveState has forked this version and fixed it. Source is available in our public GitHub repository. | Fix available | 2020/06/18 |
| CVE-2020-11655 | High | SQLite | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object’s initialization is mishandled. | Fix available | 2020/04/08 |
| CVE-2020-6802 | Medium | Bleach | In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option. | Fix available | 2020/03/24 |
| CVE-2020-5313 | High | Pillow | libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. | Fix available | 2020/01/02 |
| CVE-2020-5312 | Critical | Pillow | libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. | Fix available | 2020/01/02 |
| CVE-2020-5311 | Critical | Pillow | libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. | Fix available | 2020/01/02 |
| CVE-2020-5310 | High | Pillow | libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. | Fix available | 2020/01/02 |

Learn more about our extended support options here. For more information or if you have any questions, please contact us at sales@activestate.com.