python3-3.6.8-31.el8

エラータID: AXSA:2021-1204:01

Release date: 
Friday, January 15, 2021 - 11:25
Subject: 
python3-3.6.8-31.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935)

* python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907)

* python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS (CVE-2020-8492)

* python: DoS via inefficiency in IPv{4,6}Interface classes (CVE-2020-14422)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-16935
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVE-2019-20907
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2020-14422
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
CVE-2020-8492
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python3-3.6.8-31.el8.src.rpm
    MD5: e7b8831290fe9ca46dfc3f5dc068d199
    SHA-256: 33d2e1a997fb50ac79da3b5c2e2ee7db4469a5a337474a8a8d0f8b75b9d8d3cd
    Size: 18.19 MB

Asianux Server 8 for x86_64
  1. platform-python-3.6.8-31.el8.x86_64.rpm
    MD5: 9008464cb7e8bf2127a0927397edf99b
    SHA-256: 96c9c25f1835d80ba87651e3067dae22380863307b023b770bb2536dc25ab99d
    Size: 82.15 kB
  2. platform-python-debug-3.6.8-31.el8.x86_64.rpm
    MD5: dc12a259c178bd11c93784d7f9df68fe
    SHA-256: b8aeb0e7161811bf8a903c1501d1bb7796308f863a088b11191361e9a52aff22
    Size: 2.68 MB
  3. platform-python-devel-3.6.8-31.el8.x86_64.rpm
    MD5: 6dd37740b8c1764c8edafd61855ec142
    SHA-256: bb954a3a812ff6a7fcd6e44f159a824e966c59368ba2bb9a75d0f85b130c98d4
    Size: 246.33 kB
  4. python3-idle-3.6.8-31.el8.x86_64.rpm
    MD5: cce2aa9ab66ad7f024209400ff8d74b2
    SHA-256: e2b18c1ce6b0b7c8b272704e2522603759a782ebb148ef1c74c702e0d694ea6f
    Size: 823.65 kB
  5. python3-libs-3.6.8-31.el8.x86_64.rpm
    MD5: 8a7c7eba966d6db37451bb328bd5a7bc
    SHA-256: 913e60fed7ed8d9de287d30616252f2273fd352f99d1e3efab6d386aee6cbd47
    Size: 7.81 MB
  6. python3-test-3.6.8-31.el8.x86_64.rpm
    MD5: 3cf59ea50a1fc6799e8de41b1039da40
    SHA-256: 21617325029d3936c09c16c3aa7c67f3b04ee1911d3f3991760ee483cb28bfc8
    Size: 8.63 MB
  7. python3-tkinter-3.6.8-31.el8.x86_64.rpm
    MD5: 5b94c732b988908666722ff9bb61b913
    SHA-256: 41a5132d2c5d8e6bf8ad9d859e402877b27b77d9420489cd44fc111f98456cb6
    Size: 368.78 kB
  8. platform-python-3.6.8-31.el8.i686.rpm
    MD5: aa1d1b999ebf4cb7b6f2531f66c02125
    SHA-256: 8b73fa3d2d54ddc35fee6d835e0b3ec77cf2e3a88ef3bbb6e976ce6647e96e3d
    Size: 82.08 kB
  9. platform-python-debug-3.6.8-31.el8.i686.rpm
    MD5: 3247f7ad5737ab926ff6340200d7c465
    SHA-256: 9bd9ff512c58ea460768d88c557322ae2a81cd474cde3ff8eba7b28b56feb3d6
    Size: 2.71 MB
  10. platform-python-devel-3.6.8-31.el8.i686.rpm
    MD5: 4060bab89769caad1523df374501141c
    SHA-256: 318a8f40cc2f10ea7d101c9030e098bb1e8345b399813f507f82bd6f0176c8e3
    Size: 245.61 kB
  11. python3-idle-3.6.8-31.el8.i686.rpm
    MD5: 6ce207d21e1dc03c37e209768f311952
    SHA-256: 7e047abf5801ce2206ca51b9b46c96e4013eebfbeb46a4dde0ca3b5612eca18c
    Size: 823.68 kB
  12. python3-libs-3.6.8-31.el8.i686.rpm
    MD5: 8f3ac4601f89f56d1619489b77442066
    SHA-256: 38e4d5fc3cbc5a6c1c64b1db07f97b4a25fbddaabebf170f6bb14498ad776c29
    Size: 7.87 MB
  13. python3-test-3.6.8-31.el8.i686.rpm
    MD5: 2674369d607c59452f208b44cd752b30
    SHA-256: 7ff5c20d30ae66c7837bd7a2dbabc4c7983c7b41e57b9f899ac1840eecb49e93
    Size: 8.64 MB
  14. python3-tkinter-3.6.8-31.el8.i686.rpm
    MD5: af6c02a07180d7a5ad961d6561a3d0bc
    SHA-256: 51e8d764e63bd4e63bace3d0b76535ebed00d23d3df892df50558fd4e32054b5
    Size: 370.22 kB