AXSA:2020-285:03

Release date: 
Friday, September 4, 2020 - 09:21
Subject: 
python-pip-9.0.3-16.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python".

Security Fix(es):

* python-urllib3: Cross-host redirect does not remove the Authorization header, allowing credential exposure (CVE-2018-20060)

* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence, leading to a possible attack on an internal service (CVE-2019-11236)

* python-urllib3: Certificate verification mishandled in cases where an error should be raised (CVE-2019-11324)

* python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 8.2 Release Notes linked from the References section.

CVE-2018-18074
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2019-11324
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
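The redirect and request-target rules described in the three urllib3/requests CVEs above, as an added illustration (not code from pip, urllib3, requests or this advisory); the URLs and headers are constructed samples, and check_request_target rejects CR/LF rather than percent-encoding it as the upstream fix does.

```python
# Added example, not code from pip, urllib3 or the advisory: the checks a
# patched client applies, modelled on the CVE descriptions above.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ count as the same origin."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def is_cross_origin(from_url, to_url):
    """True when the redirect changes host, port or scheme (CVE-2018-20060).
    A same-host https->http hop (CVE-2018-18074) changes the scheme, so it
    is caught here as well."""
    return origin(from_url) != origin(to_url)

def headers_for_redirect(headers, from_url, to_url):
    """Headers to send to to_url: Authorization is dropped whenever the
    redirect leaves the origin the credential was meant for."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}

def check_request_target(target):
    """Refuse CR/LF in a caller-influenced request target instead of letting
    it split the request line (CVE-2019-11236). urllib3's fix percent-encodes
    the bytes; rejecting is the stricter choice when they are never expected."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in request target: %r" % target)
    return target

def follow(chain, headers):
    """Apply the redirect rule along a [(from_url, to_url), ...] chain and
    return the headers that reach the final hop."""
    for from_url, to_url in chain:
        headers = headers_for_redirect(headers, from_url, to_url)
    return headers

if __name__ == "__main__":
    # Constructed chain: https -> same-host http -> other-host https
    chain = [("https://api.example.test/v1", "http://api.example.test/v1"),
             ("http://api.example.test/v1", "https://cdn.example.test/v1")]
    print(follow(chain, {"Authorization": "Bearer SAMPLE", "Accept": "*/*"}))
    # -> {'Accept': '*/*'}
```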

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-pip-9.0.3-16.el8.src.rpm
    MD5: 564194d90c74e04ca04d55afc16af073
    SHA-256: 4bc0c4e6b6c415cfc1fa93264f20800a1cc6785ad82a5e5a09b7379ac0abf405
    Size: 1.31 MB

Asianux Server 8 for x86_64
  1. platform-python-pip-9.0.3-16.el8.noarch.rpm
    MD5: 7c85aaacac585ff74028fbb6780a18d4
    SHA-256: aeba2ad038fa9bed3b5e33641c514d7fdbc5b1ed7a52ca34330b2cce88e82eda
    Size: 1.84 MB
  2. python3-pip-9.0.3-16.el8.noarch.rpm
    MD5: dae008e04864681b747bc07fbf233bfa
    SHA-256: a86d66e85ca5db5d5d827df79ac64120df47150df48ab903559f1faf53bb445b
    Size: 18.39 kB
  3. python3-pip-wheel-9.0.3-16.el8.noarch.rpm
    MD5: 0f3a90f8dffb291e08d4fb9f1754ee42
    SHA-256: 38132fe5f79c339e8c58f2532e2e6f30aadc50b7a3aa1143c182a011943af74f
    Size: 1.18 MB
Copyright © 2007-2015 Asianux. All rights reserved.