python-2.7.5-88.0.1.el7.AXS7
Errata ID: AXSA:2020-4713:15
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* python: Cookie domain check returns incorrect results (CVE-2018-20852)
* python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 7.8 Release Notes linked from the References section.
CVE-2018-20852
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
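To make the domain check concrete, the following is an added example, not code from the advisory or from CPython itself. It re-implements the pre-3.7.3 suffix comparison from domain_return_ok beside the corrected one (both simplified to the host/domain comparison only), and then exercises the running interpreter's own http.cookiejar.CookieJar with a constructed host-only cookie for example.com to see whether it is attached to a request for pythonicexample.com. No network traffic is generated; add_cookie_header only sets headers on the Request object. The expected result of cookie_sent_to("pythonicexample.com") is False on a patched interpreter (3.7.3+ or a backport such as this errata) and True on an unpatched one.

```python
"""CVE-2018-20852: cookie domain suffix check, buggy vs. fixed.

The two domain_return_ok_* functions below are simplified re-implementations
of the relevant comparison in http.cookiejar.DefaultCookiePolicy, written for
this example; they are not the library's code. cookie_sent_to() then asks the
interpreter's real CookieJar which behaviour it has.
"""
import http.cookiejar
import urllib.request


def _dotted(host):
    # cookiejar normalises the request host to a leading-dot form first
    return host if host.startswith(".") else "." + host


def domain_return_ok_buggy(req_host, domain):
    """Suffix check as in Python < 3.7.3 (2.x <= 2.7.16): a host-only cookie
    domain (stored without a leading dot) matches any host that merely ends
    with it, so 'pythonicexample.com' matches 'example.com'."""
    return _dotted(req_host).endswith(domain)


def domain_return_ok_fixed(req_host, domain):
    """Corrected check: the cookie domain is compared in dotted form, so only
    the host itself or its real subdomains match."""
    dotdomain = domain if domain.startswith(".") else "." + domain
    return _dotted(req_host).endswith(dotdomain)


def _make_cookie(domain, name="session", value="secret"):
    # Constructed host-only cookie for `domain`, as a Set-Cookie header with
    # no Domain attribute would produce. Name and value are placeholders.
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    )


def cookie_sent_to(request_host, cookie_domain="example.com"):
    """True if this interpreter's CookieJar (DefaultCookiePolicy) attaches a
    cookie stored for `cookie_domain` to a request for `request_host`."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(_make_cookie(cookie_domain))
    req = urllib.request.Request("http://%s/" % request_host)
    jar.add_cookie_header(req)  # offline: only populates request headers
    return req.has_header("Cookie")


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "pythonicexample.com"):
        print("%-22s buggy=%-5s fixed=%-5s this_python=%s" % (
            host,
            domain_return_ok_buggy(host, "example.com"),
            domain_return_ok_fixed(host, "example.com"),
            cookie_sent_to(host)))
```

Run it on the interpreter you are assessing: if the third column shows True for pythonicexample.com, that Python still leaks cookies to an attacker-controlled suffix host and needs this update.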
CVE-2019-16056
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
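The kind of From/To check the description refers to can be made robust against the multiple-@ parse regardless of whether the interpreter is patched. The following is an added example, not code from the advisory or from CPython: sender_allowed() uses email.utils.parseaddr as such applications do, but additionally strips RFC 5322 quoted strings and comments from the raw header and requires exactly one structural "@" there and in the returned addr-spec before comparing the domain. The address values are constructed; "trusted.example" and "evil.example" are placeholders.

```python
"""CVE-2019-16056: hardening an allow-list check built on email.utils.parseaddr.

An unpatched parseaddr ('user@a.example@b.example') stops at the first '@' and
returns 'user@a.example', while a mail server may route on the last '@'. Any
check that trusts that result alone can be fooled in either direction, so this
example also counts the '@' characters that are structural in the raw header.
"""
from email.utils import parseaddr


def strip_quoted_and_comments(header):
    """Drop RFC 5322 quoted-strings and (nested) comments so that only the
    structural characters of the header remain. A display name such as
    "x@y" <a@b.example> is legal and must not be counted as a second '@'."""
    out = []
    in_quote = False
    depth = 0
    i = 0
    while i < len(header):
        c = header[i]
        if c == "\\" and (in_quote or depth) and i + 1 < len(header):
            i += 2  # quoted-pair: skip the escaped character
            continue
        if in_quote:
            if c == '"':
                in_quote = False
        elif depth:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
        elif c == '"':
            in_quote = True
        elif c == "(":
            depth = 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def sender_allowed(from_header, allowed_domain):
    """Return True only if the header carries exactly one addr-spec whose
    domain is `allowed_domain`, on patched and unpatched interpreters alike."""
    _name, addr = parseaddr(from_header)
    if not addr:
        return False  # patched Python returns '' for a@b@c; reject
    structural = strip_quoted_and_comments(from_header)
    # Unpatched Python returns a plausible-looking addr for a@b@c; the raw
    # header still betrays the second '@', so reject on that as well.
    if structural.count("@") != 1 or addr.count("@") != 1:
        return False
    local, _, domain = addr.partition("@")
    if not local or not domain:
        return False
    return domain.lower() == allowed_domain.lower()


if __name__ == "__main__":
    samples = [  # constructed inputs
        "Alice <alice@trusted.example>",
        'alice@trusted.example',
        '"alice@evil.example" <alice@trusted.example>',
        "alice@trusted.example@evil.example",
        "mallory@evil.example@trusted.example",
        "bob@evil.example",
    ]
    for s in samples:
        print("%-48s parseaddr=%-32r allowed=%s" % (
            s, parseaddr(s)[1], sender_allowed(s, "trusted.example")))
```

The two multiple-@ samples are rejected on every interpreter version: a patched parseaddr returns an empty address, and an unpatched one returns an address that disagrees with the "@" count of the raw header.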
Update packages.
N/A
SRPMS
- python-2.7.5-88.0.1.el7.AXS7.src.rpm
MD5: 50d5abaa765ac56aa3c2f70c5774a27b
SHA-256: 90214222ebb7248a0d02bf18ec90c9647185e55ffb9c2ddec0c4a43728995bc0
Size: 10.21 MB
Asianux Server 7 for x86_64
- python-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: ab11bc0688ed5de7c8d728845fd040df
SHA-256: 92c1d08bcd943f0a9408f9e97896976a58d3555130ca2736ba4673422471a8aa
Size: 94.98 kB
- python-devel-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: 628fc35ac66a85738744e4066e4d4968
SHA-256: 8b6889668db526b2d32e6b0a40f6424b1145db38b52df5acaa2ecddd6d80a841
Size: 397.63 kB
- python-libs-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: b0e2c477147a10358dd212b84aa6952e
SHA-256: 677b1be7a28b360d1d566254ab46132c3f617fd203f18db34bed36cc32a9cf18
Size: 5.64 MB
- python-libs-2.7.5-88.0.1.el7.AXS7.i686.rpm
MD5: 378823f0c678c06b3c7c6719f208e4f0
SHA-256: 5ba164223c60677dd30a6199fabda9222bb9617a202b043b36e0ea9a0281bad3
Size: 5.60 MB