python-2.7.5-80.0.1.el7.AXS7
Errata ID: AXSA:2019-3917:04
Release date:
2019/07/01 Monday - 03:07
Title:
python-2.7.5-80.0.1.el7.AXS7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Python contains a regression of the CVE-2019-9636 fix: an attacker can
abuse the user and password parts of a URL so that the CVE-2019-9636 attack
becomes possible again. (CVE-2019-10160)
- Python's urllib.parse.urlsplit and urllib.parse.urlparse handle Unicode
encoding improperly during NFKC normalization, so a specially crafted URL can
leak information such as credentials and cookies. (CVE-2019-9636)
Some CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2019-10160
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
CVE-2019-9636
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
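As an added illustration of the defensive check that closes both CVEs (this is example code modelled on the upstream CPython fix, not the Asianux package's own code; it runs on Python 3, while the advisory's package is Python 2.7, where the same logic applies to urlparse.urlsplit; the function names and the constructed inputs are assumptions):

```python
"""Reject URLs whose authority would gain a separator under NFKC normalization.

Hypothetical helper names; modelled on the check CPython added for
CVE-2019-9636, extended so that the user/password part of the netloc is
covered as well, which is the gap CVE-2019-10160 re-opened.
"""
import unicodedata
from urllib.parse import SplitResult, urlsplit

# Characters that delimit URL components. If normalization produces one of
# these inside the authority, the host/userinfo boundaries shift.
URL_SEPARATORS = "/?#@:"


def netloc_is_stable_under_nfkc(netloc: str) -> bool:
    """True if NFKC normalization cannot introduce a URL separator into netloc."""
    if not netloc or all(ord(c) < 128 for c in netloc):
        return True  # NFKC is the identity on ASCII; nothing can change
    # Drop separators that are legitimately present so only *new* ones count.
    stripped = netloc
    for sep in "@:#?":
        stripped = stripped.replace(sep, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(sep in normalized for sep in URL_SEPARATORS)


def safe_urlsplit(url: str) -> SplitResult:
    """urlsplit() that refuses a URL whose authority is unstable under NFKC.

    A patched interpreter already raises ValueError inside urlsplit(); the
    explicit check below gives the same behaviour on an unpatched one.
    """
    parts = urlsplit(url)
    if not netloc_is_stable_under_nfkc(parts.netloc):
        raise ValueError(
            "netloc %r changes under NFKC normalization; refusing to parse"
            % parts.netloc
        )
    return parts


if __name__ == "__main__":
    # Constructed inputs: U+2100 (ACCOUNT OF) normalizes to 'a/c' under NFKC.
    for candidate in ("http://user:pw@example.com/x", "http://example.com\u2100/x"):
        try:
            print(candidate, "->", safe_urlsplit(candidate).netloc)
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Applications that cache cookies or credentials per host should run this check (or use a patched interpreter) before trusting the parsed hostname.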
Additional information:
N/A
Downloads:
SRPMS
- python-2.7.5-80.0.1.el7.AXS7.src.rpm
MD5: 39c8667a664b527006b08e37cd41e6e1
SHA-256: c08372adbb2830068b84f125455270c2a6aca42a7e56f0f2391fb15db16c6c83
Size: 10.19 MB
Asianux Server 7 for x86_64
- python-2.7.5-80.0.1.el7.AXS7.x86_64.rpm
MD5: c58b4e47c38f83a2092b5bffe5ca45f9
SHA-256: c3ae57e6b96a5ff6f3036770527c92876b86de550c2ff8a5ce0f372faf24cb63
Size: 93.92 kB
- python-devel-2.7.5-80.0.1.el7.AXS7.x86_64.rpm
MD5: 37fcc37bea3eff7d8098991cbb555737
SHA-256: 4c320d310154da29317d70bd2c1086af109d20e8ea46c0a43906a0e00de0ada9
Size: 397.63 kB
- python-libs-2.7.5-80.0.1.el7.AXS7.x86_64.rpm
MD5: ec3ad8ec014f0b3c24e43bb93b4e0ce3
SHA-256: 3948438fbfc6eb4a2d2c889309a202d060e55ffb868e12fc6186e31bfb931805
Size: 5.64 MB
- python-libs-2.7.5-80.0.1.el7.AXS7.i686.rpm
MD5: 090887d39cc64f09d0330f061022a2a7
SHA-256: 85228e456e25c83d9a10cae5598d99d3b1a52d492023c72b1c726d94fa08a47f
Size: 5.59 MB