AXSA:2019-3987:01

Release date: Wednesday, August 14, 2019 - 07:07
Subject: python27-python-2.7.16-6.0.1.AXS4
Affected Channels: Asianux Server 4 for x86_64
Severity: High
Description:

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)

* python: undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-10160
A security regression of CVE-2019-9636 was discovered in Python since commit d537ab0ff9767ef024f26246899728f0116b1ec3, affecting versions 2.7, 3.5, 3.6, 3.7 and v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it would if the URLs had been parsed correctly. The result of an attack may vary based on the application.
CVE-2019-9636
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
CVE-2019-9948
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
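The three descriptions above share one root cause on the application side: the host an application trusts is taken from a URL that was parsed one way and then used by a component that normalizes it another way. The following is an added example, not code from Asianux or from CPython, written for Python 3 (the advisory itself concerns the 2.7 package). It shows the defensive check in isolation: the NFKC comparison on the authority component follows the general approach of the upstream fix as I understand it (treat that as an assumption, not a citation of the patch), it is applied to the whole authority including the user-info part that the CVE-2019-10160 regression skipped, and a scheme allowlist rejects `file:` and the undocumented `local_file:` scheme from CVE-2019-9948. The function names `check_netloc_nfkc`, `_raw_authority`, `safe_urlsplit`, `is_safe_url` and the sample hostnames are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit, SplitResult

# Schemes the application is willing to fetch. "file" and the undocumented
# "local_file" (CVE-2019-9948) are absent, so they are rejected by default.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Characters that carry structural meaning inside the authority component.
# If NFKC normalization makes one of these appear, the host boundary moves.
NETLOC_DELIMITERS = "/?#@:"


def check_netloc_nfkc(netloc: str) -> None:
    """Raise ValueError if NFKC-normalizing `netloc` would introduce a delimiter.

    Delimiters already present in the raw string ("@", ":", "#", "?") are
    stripped before normalizing, so a legitimate user:password@host:port
    authority passes. The check then covers every remaining character,
    user-info included (the part the CVE-2019-10160 regression left unchecked).
    """
    if not netloc or all(ord(c) < 128 for c in netloc):
        return  # pure ASCII cannot change under NFKC
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return
    for c in NETLOC_DELIMITERS:
        if c in normalized:
            raise ValueError(
                f"netloc {netloc!r} contains {c!r} after NFKC normalization"
            )


def _raw_authority(after_scheme: str) -> str:
    """Return the authority (netloc) slice of the text that follows 'scheme:'."""
    if not after_scheme.startswith("//"):
        return ""
    authority = after_scheme[2:]
    for i, c in enumerate(authority):
        if c in "/?#":
            return authority[:i]
    return authority


def safe_urlsplit(url: str, allowed_schemes=ALLOWED_SCHEMES) -> SplitResult:
    """Split `url`, rejecting disallowed schemes and NFKC-ambiguous hosts."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in allowed_schemes:
        raise ValueError(f"scheme {scheme!r} is not allowed")
    # Run the normalization check on the raw authority before handing the
    # string to urlsplit, so it applies regardless of the interpreter version.
    check_netloc_nfkc(_raw_authority(rest))
    return urlsplit(url)


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around safe_urlsplit for use in validation paths."""
    try:
        safe_urlsplit(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs; U+2100 (℀) normalizes to "a/c" under NFKC,
    # which is the kind of character that shifts the host boundary.
    for sample in (
        "https://user:secret@example.com:8443/path?q=1",
        "https://b\u00fccher.example/",
        "https://example.com\u2100evil.test/",
        "https://\u2100@example.com/",
        "local_file:///etc/passwd",
    ):
        print(f"{sample!r}: {'accepted' if is_safe_url(sample) else 'rejected'}")
```

On an interpreter that already carries the fix, `urlsplit` itself raises `ValueError` for the crafted hosts; running the check on the raw authority first makes the behaviour the same on a patched and an unpatched interpreter, which is what you want while a fleet is still being updated.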

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
1. python27-python-2.7.16-6.0.1.AXS4.src.rpm
md5sum: 9bc52b9eeef5725fa5b9aaa354b200ba
sha256sum: b78e3fa50f81e348bec4657d557a5c9aeda83eddaa782a0864b7417086145f45
Size: 12,616 Kb

Asianux Server 4.0 for x86_64
1. python27-python-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: b3796c16b3057bade79c99a03c79549f
sha256sum: 4de5b7cafea6033706a7625a9c0c818080bb1613fac3d7837a07aa4de77d7be0
Size: 84 Kb
2. python27-python-debug-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: c10ada0bda58b02b46e026a114874e26
sha256sum: 21bdc6ccd6431c370b50aa9b5837f822440e0792ea34e52d10ae1a5fc07b21ce
Size: 1,955 Kb
3. python27-python-devel-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: 5f40787a27841a5705f3c5a013a0bcf5
sha256sum: c119678e2df9aa1b68559cad6ba96913cce2d572df530fdd11c2a83dd01f498d
Size: 390 Kb
4. python27-python-libs-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: d7658cb9fd2feddd229fce9569cb67c4
sha256sum: 5dc9b564fa6ff6d74d87ce02823de85f12fbb5f9359ca6d92de89b89ae39038f
Size: 5,938 Kb
5. python27-python-test-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: 01299f49c5e9f3e7602de5904ddc3c7e
sha256sum: 7f9adbbdd71abee5fcbe533b7d6537a44f95b18e3dabda0be3467cc802aa29c9
Size: 4,896 Kb
6. python27-python-tools-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: 86557c94af3fd21cf12b505993550ee4
sha256sum: 8387ea254621a467531fafc3f59287ad9f04787ee04d3174d97a126cfb12edb3
Size: 442 Kb
7. python27-tkinter-2.7.16-6.0.1.AXS4.x86_64.rpm
md5sum: 5e1680012821cdaa2362254f04ac3344
sha256sum: eca237962d82efdba86e8e073bdf760bc5ea173dc4cac7ac03128a6eac7db887
Size: 399 Kb
Copyright © 2007-2015 Asianux. All rights reserved.