python3-3.6.8-47.el8.ML.1

エラータID: AXSA:2022-3849:02

Release date: 
Friday, September 16, 2022 - 03:27
Subject: 
python3-3.6.8-47.el8.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python(mailcap): findmatch() function does not sanitise the second argument (CVE-2015-20107)
* python: urllib.parse does not sanitize URLs containing ASCII newline and tabs (CVE-2022-0391)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2015-20107
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
CVE-2022-0391
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Solution: 

Update packages.

CVEs: 
CVE-2015-20107
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
CVE-2022-0391
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.
Additional Info: 

N/A

Download: 

SRPMS
  1. python3-3.6.8-47.el8.ML.1.src.rpm
    MD5: d6a7c8faacabcfdebc87c4b59bff7544
    SHA-256: ca1b8a55a00786bd9c1b7af3a4fe77d3193f647c712f465190bb2f5680918edd
    Size: 18.23 MB

Asianux Server 8 for x86_64
  1. platform-python-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: 1eb9666f03a8e582639ddaab60977985
    SHA-256: 93c91b898f423860899594016a7befe8d0ba3d982d5f5f2e69060118a0cdeeea
    Size: 84.87 kB
  2. platform-python-debug-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: a5e64137636f29182e0a5b13d96abffc
    SHA-256: 05affd07938e7c9458f0ddab9a72083279325ae5d09ab2c5f5449faa1671981c
    Size: 2.69 MB
  3. platform-python-devel-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: 346103e600f5c1470f4e8df8be305a35
    SHA-256: 9e706e9afc2fbe8e2c109d334dceb2bc3710e1fd5129840b91025761d7159e58
    Size: 249.43 kB
  4. python3-idle-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: 084952cc4021867d9475574893710c8c
    SHA-256: fcb33a49d8808404bb9e4384a535692f104986304ce6c85ed802b471e6deadc1
    Size: 826.26 kB
  5. python3-libs-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: 533d2fef5ee98bb03f54398f70a435e5
    SHA-256: 513a1f6e802ccf9d453ff2ab31aae1578a7ba1e5eeda112a58e9b4d8cd2a0373
    Size: 7.81 MB
  6. python3-test-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: 7adb780ba0b882e1adef0fb6c9194ad7
    SHA-256: 892cb7a02436ac1ee9fcfc47678b46821beb1c04b1786b7c227568f26aad5dc7
    Size: 8.64 MB
  7. python3-tkinter-3.6.8-47.el8.ML.1.x86_64.rpm
    MD5: bdcd113c069cb1e8f71032d0667deb32
    SHA-256: 10340e36d5937ce467930fcce808810d7b28f23821c83e7fe11548c31e16c0e8
    Size: 371.66 kB
  8. platform-python-3.6.8-47.el8.ML.1.i686.rpm
    MD5: 32234109a00b9c84c571f120cafd8afe
    SHA-256: 30167268408ee57e3c8269be1d51b40d016ec1c940dfe46843b5cd7dbbc0c4f2
    Size: 84.80 kB
  9. platform-python-debug-3.6.8-47.el8.ML.1.i686.rpm
    MD5: 821f8f98f5bdca49afcdbf8483896587
    SHA-256: cdab3d45d6506c485cf37b8930d43957fb36edb73f89d0d56962c6642f3d5e33
    Size: 2.73 MB
  10. platform-python-devel-3.6.8-47.el8.ML.1.i686.rpm
    MD5: 39bc061cda3d41e3b040c19476a674ce
    SHA-256: 278acf7d789c02dedbe7cda7299f8c391837f04f066f3c80c355bd87f5c7e9c0
    Size: 248.76 kB
  11. python3-idle-3.6.8-47.el8.ML.1.i686.rpm
    MD5: efe3cfb3b986584db1a0bc180b9e6995
    SHA-256: fc530b3f3d41ee21ba3bf28bd6a6ff98fdcd2fbfb833855f58ca0095971b7ed7
    Size: 826.27 kB
  12. python3-libs-3.6.8-47.el8.ML.1.i686.rpm
    MD5: 49738507c7cdf978509d6b1dc1be2956
    SHA-256: 252e39178be9e4c2294ca10a3bf6c9dee094e78eda4641331c841203885baef5
    Size: 7.88 MB
  13. python3-test-3.6.8-47.el8.ML.1.i686.rpm
    MD5: c8a0acf35c724b92295de1f1c94578a4
    SHA-256: ffa2c7e93f09237e5eaed2a5d98990d3feb80061308bda1b64fc8cdb99f2dfe6
    Size: 8.65 MB
  14. python3-tkinter-3.6.8-47.el8.ML.1.i686.rpm
    MD5: 21972f00369a0e5d14546f74680d74ee
    SHA-256: 9f16c9633e147ce6b6b3ecd8ee1db34a927a6fb2da5f7e9fdaa8558122b9b140
    Size: 373.07 kB