python-2.7.5-92.0.1.el7.AXS7

Errata ID: AXSA:2022-3427:14

Release date: Wednesday, July 6, 2022 - 05:45
Subject: python-2.7.5-92.0.1.el7.AXS7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

Python is an interpreted, interactive, object-oriented programming language,
which includes modules, classes, exceptions, very high level dynamic data types
and dynamic typing. Python supports interfaces to many system calls and
libraries, as well as to various windowing systems.

Security Fix(es):

* python: CRLF injection via HTTP request method in httplib/http.client
(CVE-2020-26116)
* python-urllib3: CRLF injection via HTTP request method (CVE-2020-26137)
* python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
(CVE-2021-3177)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before
3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the
HTTP request method, as demonstrated by inserting CR and LF control characters
in the first argument of HTTPConnection.request.
CVE-2020-26137
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP
request method, as demonstrated by inserting CR and LF control characters in the
first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2021-3177
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution in certain Python
applications that accept floating-point numbers as untrusted input, as
demonstrated by a 1e300 argument to c_double.from_param. This occurs because
sprintf is used unsafely.
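
For CVE-2020-26116 and CVE-2020-26137, the following is an added example, not code from this advisory, from Python, or from Asianux: an application-side check that a request method is a plain RFC 7230 token, plus a local probe of whether the installed interpreter's `putrequest()` refuses CR/LF in the method. The sample methods and the host `example.invalid` are constructed, and it is an assumption that the patched 2.7 package raises `ValueError` the way current upstream `http.client` does.

```python
import re

try:                                  # Python 3
    from http.client import HTTPConnection
except ImportError:                   # Python 2.7, the interpreter this erratum ships
    from httplib import HTTPConnection

# RFC 7230 "token": the only characters a request method may contain.
# \Z rather than $, because $ would also match just before a trailing "\n".
_METHOD_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")

# Constructed sample input: two ordinary methods and two carrying CR/LF.
SAMPLE_METHODS = ["GET", "PROPFIND", "GET\r\nX-Constructed: 1", "DELETE\n"]


def is_safe_method(method):
    """True if `method` is a plain token with no control characters or spaces."""
    return bool(_METHOD_RE.match(method))


def request_head_lines(method, target="/"):
    """Lines a server would see if `method` were copied into the request line unchecked."""
    head = "%s %s HTTP/1.1\r\nHost: example.invalid\r\n\r\n" % (method, target)
    return [line for line in head.splitlines() if line]


def stdlib_rejects(method):
    """True if this interpreter's putrequest() refuses `method` (nothing is sent)."""
    conn = HTTPConnection("example.invalid")
    try:
        conn.putrequest(method, "/")   # only buffers; no socket is opened here
    except ValueError:                 # assumed behaviour of a patched interpreter
        return True
    return False


if __name__ == "__main__":
    for m in SAMPLE_METHODS:
        print("%-28r safe=%-5s lines=%d stdlib_rejects=%s" % (
            m, is_safe_method(m), len(request_head_lines(m)), stdlib_rejects(m)))
```

Running it with the system interpreter before and after the update shows whether `stdlib_rejects` changes for the CR/LF samples; `is_safe_method` gives the same answer on either interpreter and can guard any code path that takes the method from untrusted input.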

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-2.7.5-92.0.1.el7.AXS7.src.rpm
    MD5: 93d0e04028cfb6cd34a7eccc64dabe8c
    SHA-256: 7c3a90690cbf863ce12089bee45d52d7ef0d9b564bb6f01acf5e429ebb3264ef
    Size: 10.26 MB

Asianux Server 7 for x86_64
  1. python-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
    MD5: 3cda72245a1bd59eb5996097471c25c4
    SHA-256: ae5ab609242ebf80a35f271aabeb1d48f4c71ea96d244f6eec1f11a0b7e3ac6c
    Size: 95.62 kB
  2. python-devel-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
    MD5: 2d2d4bc511457425d0568b8b8f7cc366
    SHA-256: bfc4dcc2112ae7ea0a81e404a01b9876162d852d116a03ef34abd919c9da3a31
    Size: 398.25 kB
  3. python-libs-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
    MD5: 411c5e23f068671069c64634f4af8671
    SHA-256: a2bc965b000c31214eb29d657d4609746c84679a5a86a2353f2df53d95f8e088
    Size: 5.65 MB
  4. python-libs-2.7.5-92.0.1.el7.AXS7.i686.rpm
    MD5: aae650fc8b5df65dc2c244de099b1038
    SHA-256: 844e68ce90202806c9efbad44d09191793e26ac686413bd662b7802d163fa25c
    Size: 5.60 MB