python27-python-2.7.16-6.0.1.AXS4

Errata ID: AXSA:2019-3987:01

Release date: 
2019/08/14 Wednesday - 08:07
Title: 
python27-python-2.7.16-6.0.1.AXS4
Affected channels: 
Asianux Server 4 for x86_64
Severity: 
High
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)

* python: undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-10160
A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3, affecting versions 2.7, 3.5, 3.6, 3.7 and v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it would if the URL had been parsed correctly. The result of an attack may vary based on the application.
CVE-2019-9636
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 are affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
CVE-2019-9948
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
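The following is an added illustration (Python 3), not part of this advisory and not CPython's own code, covering both CVE classes described above. It shows a hypothetical vet_url() gatekeeper for user-supplied URLs: host_only_check is written to mirror the regression described for CVE-2019-10160 (only the host after the last '@' is NFKC-normalized, so crafted userinfo is never inspected), whole_netloc_check normalizes the full authority, and a scheme allowlist replaces the file: denylist that the local_file: alias of CVE-2019-9948 bypasses. All function names (split_url, host_of, host_only_check, whole_netloc_check, vet_url, host_after_normalization) and the sample URLs (attacker.example, victim.example) are constructed for this example. URL splitting is hand-rolled so the demonstration behaves the same on interpreters whose urlsplit() already rejects such netlocs.

```python
import re
import unicodedata

# Characters that must not appear in a netloc only after NFKC normalization:
# each one changes where the authority ends or how it is split (path, query,
# fragment, userinfo, port) once the normalized string reaches the network
# stack (IDNA encoding applies NFKC).
NETLOC_DELIMITERS = "/?#@:"

# Allowlist of schemes this hypothetical application is willing to fetch.
# A denylist of just "file" is what the local_file: alias (CVE-2019-9948) bypassed.
ALLOWED_SCHEMES = {"http", "https"}

# Scheme extraction modelled on Python 2's urllib.splittype ("^([^/:]+):"),
# which accepts underscores, so "local_file" is reported as a scheme instead
# of silently becoming part of the path.
_SCHEME_RE = re.compile(r"^([^/:]+):")


def split_url(url):
    """Return (scheme, netloc) via a hand-rolled split (example code)."""
    m = _SCHEME_RE.match(url)
    scheme, rest = (m.group(1).lower(), url[m.end():]) if m else ("", url)
    netloc = ""
    if rest.startswith("//"):
        rest = rest[2:]
        cut = len(rest)
        for d in "/?#":  # authority ends at the first of these
            i = rest.find(d)
            if i != -1 and i < cut:
                cut = i
        netloc = rest[:cut]
    return scheme, netloc


def host_of(netloc):
    """Host the application believes it is talking to: text after the last
    '@' (userinfo), lower-cased. Port and IPv6 brackets are left as-is."""
    return netloc.rpartition("@")[2].lower()


def _is_ascii(s):
    return all(ord(c) < 128 for c in s)


def host_only_check(netloc):
    """Flawed check mirroring the CVE-2019-10160 regression as described
    (illustrative, not CPython's code): only the host after the last '@'
    is normalized, so a crafted userinfo part is never inspected."""
    host = netloc.rpartition("@")[2]
    if _is_ascii(host):
        return True
    normalized = unicodedata.normalize("NFKC", host)
    return not any(c in normalized for c in NETLOC_DELIMITERS)


def whole_netloc_check(netloc):
    """Hardened check: drop delimiters that are already literally present (so
    user:pass@host:port still passes), NFKC-normalize the rest, and reject if
    normalization produced any delimiter that was not there before."""
    if _is_ascii(netloc):
        return True
    stripped = "".join(c for c in netloc if c not in NETLOC_DELIMITERS)
    normalized = unicodedata.normalize("NFKC", stripped)
    return not any(c in normalized for c in NETLOC_DELIMITERS)


def vet_url(url, netloc_check=whole_netloc_check):
    """Gatekeeper for user-supplied URLs. Returns (accepted, detail): detail is
    the host the app would scope credentials to, or a rejection reason."""
    scheme, netloc = split_url(url)
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    if not netloc_check(netloc):
        return False, "netloc changes meaning under NFKC normalization"
    return True, host_of(netloc)


def host_after_normalization(url):
    """Host the request would actually reach once the URL is NFKC-normalized,
    i.e. what the attacker is counting on."""
    return host_of(split_url(unicodedata.normalize("NFKC", url))[1])


if __name__ == "__main__":
    # Constructed sample: U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#', so
    # after normalization everything from '#' on is a fragment and the
    # "victim" host disappears from the authority.
    crafted = "https://attacker.example\uff03@victim.example/login"
    for name, chk in (("host-only", host_only_check),
                      ("whole-netloc", whole_netloc_check)):
        print(name, vet_url(crafted, chk))
    print("request would go to:", host_after_normalization(crafted))
    print(vet_url("local_file:///etc/passwd"))
```

With the host-only check the crafted URL is accepted and credentials for victim.example would be attached, while the normalized request actually goes to attacker.example; the whole-netloc check rejects it. A host-part payload such as U+2100 (which expands to "a/c") is caught by both checks, which is the original CVE-2019-9636 case; only the userinfo placement slips past the regressed check.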

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. python27-python-2.7.16-6.0.1.AXS4.src.rpm
    MD5: 9bc52b9eeef5725fa5b9aaa354b200ba
    SHA-256: b78e3fa50f81e348bec4657d557a5c9aeda83eddaa782a0864b7417086145f45
    Size: 12.32 MB

Asianux Server 4 for x86_64
  1. python27-python-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: b3796c16b3057bade79c99a03c79549f
    SHA-256: 4de5b7cafea6033706a7625a9c0c818080bb1613fac3d7837a07aa4de77d7be0
    Size: 84.24 kB
  2. python27-python-debug-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: c10ada0bda58b02b46e026a114874e26
    SHA-256: 21bdc6ccd6431c370b50aa9b5837f822440e0792ea34e52d10ae1a5fc07b21ce
    Size: 1.91 MB
  3. python27-python-devel-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: 5f40787a27841a5705f3c5a013a0bcf5
    SHA-256: c119678e2df9aa1b68559cad6ba96913cce2d572df530fdd11c2a83dd01f498d
    Size: 390.16 kB
  4. python27-python-libs-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: d7658cb9fd2feddd229fce9569cb67c4
    SHA-256: 5dc9b564fa6ff6d74d87ce02823de85f12fbb5f9359ca6d92de89b89ae39038f
    Size: 5.80 MB
  5. python27-python-test-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: 01299f49c5e9f3e7602de5904ddc3c7e
    SHA-256: 7f9adbbdd71abee5fcbe533b7d6537a44f95b18e3dabda0be3467cc802aa29c9
    Size: 4.78 MB
  6. python27-python-tools-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: 86557c94af3fd21cf12b505993550ee4
    SHA-256: 8387ea254621a467531fafc3f59287ad9f04787ee04d3174d97a126cfb12edb3
    Size: 441.82 kB
  7. python27-tkinter-2.7.16-6.0.1.AXS4.x86_64.rpm
    MD5: 5e1680012821cdaa2362254f04ac3344
    SHA-256: eca237962d82efdba86e8e073bdf760bc5ea173dc4cac7ac03128a6eac7db887
    Size: 399.33 kB