python-2.7.5-86.0.1.el7.AXS7
Errata ID: AXSA:2019-4284:05
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* python: Missing salt initialization in _elementtree.c module (CVE-2018-14647)
* python: NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010)
* python: CRLF injection via the query part of the url passed to urlopen() (CVE-2019-9740)
* python: CRLF injection via the path part of the url passed to urlopen() (CVE-2019-9947)
* python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.
CVE-2018-14647
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.
CVE-2019-5010
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-9740
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
CVE-2019-9947
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
CVE-2019-9948
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
Update packages.
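The three urllib issues above (CVE-2019-9740, CVE-2019-9947, CVE-2019-9948) share one root cause: an attacker-controlled string reaches urlopen() unvalidated, either carrying raw CR/LF bytes or naming a scheme the caller never meant to allow. The updated package fixes the library; the following Python is an added defensive example, not code from this advisory or from the python package, showing the caller-side allowlist check that makes an application robust regardless of which interpreter build it runs on. It is written for Python 3's urllib.parse (the same checks apply to urlparse in 2.7); ALLOWED_SCHEMES is a hypothetical policy chosen for the example, and the sample URLs are constructed, using the reserved documentation domain example.test.

```python
"""Caller-side URL validation before urlopen().

Added defensive example; not code from the advisory or the python package.
Rejects the input shapes behind CVE-2019-9740 / CVE-2019-9947 (raw CR or LF
in the query or path) and CVE-2019-9948 (a non-HTTP scheme such as local_file:).
"""
import re
from urllib.parse import urlsplit

# Hypothetical policy for this example: only remote HTTP(S) fetches are allowed.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Any C0 control character or DEL inside the request line breaks HTTP framing.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeURL(ValueError):
    """Raised when a URL must not be passed to urlopen()."""


def validate_url(url):
    """Return url unchanged if it passes the policy, else raise UnsafeURL.

    The control-character scan runs on the raw string on purpose: recent
    urllib.parse releases strip CR, LF and TAB while parsing, so a check on
    the parsed components could never see them.
    """
    if not isinstance(url, str):
        raise UnsafeURL("url must be a str, got %s" % type(url).__name__)
    hit = _CONTROL_CHARS.search(url)
    if hit:
        raise UnsafeURL("control character %r at offset %d" % (hit.group(), hit.start()))
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme %r is not allowed" % (parts.scheme or "<none>"))
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    return url


def is_safe_url(url):
    """Boolean wrapper around validate_url()."""
    try:
        validate_url(url)
    except UnsafeURL:
        return False
    return True


# Constructed samples modelled on the advisory's descriptions (example.test is
# a reserved documentation domain); True means the URL should be accepted.
SAMPLES = {
    "http://example.test/api?q=1": True,
    "HTTPS://example.test/path#frag": True,
    "http://example.test/api?q=1\r\nX-Injected: 1": False,  # CVE-2019-9740 shape
    "http://example.test/a\r\nX-Injected: 1": False,        # CVE-2019-9947 shape
    "local_file:///etc/passwd": False,                      # CVE-2019-9948 shape
    "file:///etc/passwd": False,
    "//example.test/no-scheme": False,
    "http:///no-host": False,
}


def check_samples():
    """Return the samples whose verdict differs from the expected one (empty if all agree)."""
    return {u: is_safe_url(u) for u, want in SAMPLES.items() if is_safe_url(u) != want}


if __name__ == "__main__":
    for u in SAMPLES:
        try:
            validate_url(u)
            verdict = "accepted"
        except UnsafeURL as e:
            verdict = "rejected (%s)" % e
        print("%-48r %s" % (u, verdict))
```

An allowlist of schemes is deliberately used instead of a blacklist of file: URIs, because CVE-2019-9948 shows exactly how a blacklist is bypassed by a scheme the author did not think of. Logging the rejection reason (offset of the control character, offending scheme) gives a detection signal worth forwarding to a SIEM, since legitimate callers rarely produce such URLs.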
SRPMS
- python-2.7.5-86.0.1.el7.AXS7.src.rpm
MD5: 5c96f9f71624a2ab82498acb2782d8af
SHA-256: 0a1a40fc5121977d3e5b05389e3b1d7e08a01640b1ba9b347d52bafffb95c65f
Size: 10.20 MB
Asianux Server 7 for x86_64
- python-2.7.5-86.0.1.el7.AXS7.x86_64.rpm
MD5: dcf6202a5d133fac34242427c8184bd4
SHA-256: ce894e2bf1561a3ebd682051c2856fc7eb825e0439e2aa8983362b23f566f776
Size: 94.75 kB
- python-devel-2.7.5-86.0.1.el7.AXS7.x86_64.rpm
MD5: c0fac59e794ce1b8711506d0e2e4de7f
SHA-256: 2d985592a09ff8dc7fc764b53b673a36c40fc61efede9be10739ee912960f6e4
Size: 397.39 kB
- python-libs-2.7.5-86.0.1.el7.AXS7.x86_64.rpm
MD5: 953023e51605f264487408b2b5bf4ee5
SHA-256: 603c7b06f45a6f5ee8b39fe2b15f639d8c8955b0ef67ab8174e2997ebc98e3c0
Size: 5.64 MB
- python-libs-2.7.5-86.0.1.el7.AXS7.i686.rpm
MD5: d64354f7591a60f91237887f33450a33
SHA-256: dc8a230498e6b19ef9f589c6ee0621bb4251e228506d1ebe593da764df38889a
Size: 5.59 MB