AXSA:2019-4413:04

Release date: Thursday, December 19, 2019 - 14:26
Subject: python27-python-2.7.17-2.0.1.AXS4
Affected Channels:
  Asianux Server 4 for x86_64
  Asianux Server 4 for x86
Severity: Moderate
Description:

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

The following packages have been upgraded to a later upstream version: python27-python (2.7.17). (BZ#1767887)

Security Fix(es):

* python: Cookie domain check returns incorrect results (CVE-2018-20852)

* python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Missing audiotest.au in python27-python-test (BZ#1767890)

References:

CVE-2018-20852
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

CVE-2019-16056
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
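As an added illustration of the two checks these fixes restore (example code written for this advisory, not CPython's own patches): a cookie domain-matching rule with the label-boundary test from RFC 6265 section 5.1.3, which rejects the pythonicexample.com case, and a From/To header validator that refuses any value carrying more @ characters than the address it parsed, so it behaves the same on interpreters with and without the CVE-2019-16056 fix. The function names are assumptions of this example.

```python
import re
from email.utils import parseaddr


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True only if request_host is cookie_domain or a proper subdomain of it.

    Follows RFC 6265 section 5.1.3 (assumption: the rule the fixed cookiejar
    applies; the upstream patch is not quoted in this advisory).
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not host or not domain:
        return False
    if host == domain:
        return True
    # A bare IP literal never domain-matches a cookie domain.
    if re.fullmatch(r"[\d.]+", host):
        return False
    # A plain suffix test is the CVE-2018-20852 mistake: the character just
    # before the suffix must be a label separator, so "pythonicexample.com"
    # must not match "example.com".
    return host.endswith("." + domain)


# One local part, one '@', one domain; no whitespace or angle brackets.
_ADDR_SPEC = re.compile(r"^[^@\s<>]+@[^@\s<>]+$")


def strict_parseaddr(header_value: str):
    """Return the address from a From/To header value, or None if ambiguous.

    Pre-fix parseaddr silently truncated "a@b.example@c.example" to the first
    addr-spec; fixed versions return ''. Comparing the '@' count of the raw
    header with that of the parsed address rejects both outcomes. Display
    names containing '@' are rejected too, which is the conservative choice.
    """
    _, addr = parseaddr(header_value)
    if not _ADDR_SPEC.match(addr):
        return None
    if header_value.count("@") != addr.count("@"):
        return None
    return addr
```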

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python27-python-2.7.17-2.0.1.AXS4.src.rpm
    MD5: 17097ed3f4656b4444b119da0dfdc0d9
    SHA-256: 02d0c00e44c43cb0a91520dfbbf74ffefc85cf543efff201cdfdff51558b94b0
    Size: 12.41 MB

Asianux Server 4 for x86_64
  1. python27-python-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: 6920c032f100601cc3d6d18514379575
    SHA-256: 283e979d4d511f60cf21329fdf9c6a8d433e562124218dcad79246530314dec1
    Size: 84.36 kB
  2. python27-python-debug-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: c8d4c280208f98d4700490872c1e3fd8
    SHA-256: db06857394cfbf07346dbd32223336db27192d3509caac532a81b4c33291a203
    Size: 1.91 MB
  3. python27-python-devel-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: b12a3362b6f9707056bc16665e432ea8
    SHA-256: e5870f69b580ea8756eac194845295bbfbbb557e8c6516fb3e1e9fe8a430658b
    Size: 390.44 kB
  4. python27-python-libs-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: 6fca9dc40318a6650aa0061f865ba9ad
    SHA-256: 6de301c5d73174bec9ff97c7f52809aead4fa741cc4c49807d7ab13db0367ea8
    Size: 5.80 MB
  5. python27-python-test-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: ec2be90ab576ed6fd20bb723addaa4b2
    SHA-256: 1ff5ba1ccfccc79bebcfa52d2d2fe443578f91cf9b087faa01dae17d0624ae0a
    Size: 4.83 MB
  6. python27-python-tools-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: 35f9d9a885049456fdc13caadc82709e
    SHA-256: 8a30b08f5fd39752858b67639510005575cb0b91cf851f968fc6619f7a8f56c0
    Size: 442.08 kB
  7. python27-tkinter-2.7.17-2.0.1.AXS4.x86_64.rpm
    MD5: 2d960f74035ba160ebb6c6c0cb1a3aca
    SHA-256: 87b079fcfdb8a637d6e2d4544c0a65e797df0d39c4f1db8b197c745163073b3d
    Size: 399.70 kB
Copyright© 2007-2015 Asianux. All rights reserved.