AXSA:2019-4182:01

Release date: 
2019/08/21 Wednesday - 02:32
Title: 
python-urllib3-1.10.2-7.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.

Security Fix(es):

* python-urllib3: Cross-host redirect does not remove the Authorization header, allowing for credential exposure (CVE-2018-20060)

* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Asianux Server 7.7 Release Notes linked from the References section.

CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
1. python-urllib3-1.10.2-7.el7.src.rpm
md5sum: 1b1c3cb66defcf517f71f655a5ad0e80
sha256sum: 5291b614be579949d2f40a688f2c6a16816af59e43c337ee1556a5db36d652a3
Size: 146 Kb

Asianux Server 7.0 for x86_64
1. python-urllib3-1.10.2-7.el7.noarch.rpm
md5sum: 5f30f2f7fabea0e2a121876dc5252f46
sha256sum: 107f01204cad6ea37bec29dd257243fd732e6aef1df20e4f14548fd09ed124c7
Size: 102 Kb
Copyright© 2007-2015 Asianux. All rights reserved.