python-virtualenv-15.1.0-4.el7
Errata ID: AXSA:2020-4513:01
The virtualenv tool creates isolated Python environments. The virtualenv tool is a successor to workingenv, and an extension of virtual-python.
Security Fix(es):
* python-urllib3: Cross-host redirect does not remove Authorization header, allowing credential exposure (CVE-2018-20060)
* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)
* python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2018-18074
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
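To make the redirect rule concrete, here is an added example (not code from the advisory, nor from requests or urllib3) that implements the decision the fixed versions have to make before following a redirect, as the CVE descriptions state it, plus the CR/LF check that closes the CVE-2019-11236 class of bug. The URLs and headers are constructed; the effective-port comparison is an assumption about how "same origin" should be judged.

```python
from urllib.parse import urlsplit

# Constructed example: the redirect handling the CVEs above describe.
# CVE-2018-20060: drop Authorization on any cross-origin redirect
# (different host, port, or scheme). CVE-2018-18074: a same-host
# https -> http redirect is one such case and must also drop it.

_DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url: str):
    """Return (scheme, host, effective port) so that https://h and
    https://h:443 compare as the same origin (assumed convention)."""
    parts = urlsplit(url)
    port = parts.port or _DEFAULT_PORT.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """True when Authorization must not be forwarded to new_url.
    Any change of scheme, host or port is cross-origin; the
    https -> http downgrade on the same host is caught here too."""
    return _origin(old_url) != _origin(new_url)


def headers_for_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Copy of `headers` with Authorization removed (case-insensitively)
    when the redirect leaves the original origin."""
    if not should_strip_auth(old_url, new_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def contains_crlf(value: str) -> bool:
    """True if a request component carries CR or LF. Such a value must be
    rejected (or percent-encoded) before it reaches the wire, otherwise an
    attacker-controlled parameter can inject extra header lines."""
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    old, new = "https://api.example.com/login", "http://api.example.com/next"
    print("strip on downgrade:", should_strip_auth(old, new))
    print("CRLF in param:", contains_crlf("x\r\nX-Injected: 1"))
```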
Update packages.
N/A
SRPMS
- python-virtualenv-15.1.0-4.el7.src.rpm
MD5: 3eae23b6ce8e5799f1216bb1e77ffea0
SHA-256: ddcf030123969d70889416f21623cbd034a8b7166dce25a1db7450bde02e47f4
Size: 1.79 MB
Asianux Server 7 for x86_64
- python-virtualenv-15.1.0-4.el7.noarch.rpm
MD5: 48f0ff4b1c65298cb8804ad84441f0cd
SHA-256: b2345df7cf2c190fe5772c594b523f10f3becd8404425212de89b45b86a1d550
Size: 1.71 MB