AXSA:2020-4518:01

リリース日: 
2020/03/22 Sunday - 06:36
題名: 
python-pip-9.0.3-7.el7
影響のあるチャネル: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

TODO: add package description

Security Fix(es):

* python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (CVE-2018-20060)

* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)

* python-urllib3: Certification mishandle when error should be thrown (CVE-2019-11324)

* python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-18074
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-2018-20060
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
CVE-2019-11236
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2019-11324
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. python-pip-9.0.3-7.el7.src.rpm
    MD5: 62e7ef8776753252b9a3e748359038bd
    SHA-256: fc9b08b0bf69c224af1f1126b113cb503f94f51d03e660a60fdbcd583e29587c
    Size: 1.30 MB

Asianux Server 7 for x86_64
  1. python3-pip-9.0.3-7.el7.noarch.rpm
    MD5: 6ca409b5020deee2a7dcb3df7851b81a
    SHA-256: 6e2759bb5ec01ea78ffba6e24b7c4ec743595fadcb912c653c5a3e45b983059b
    Size: 1.76 MB
Copyright© 2007-2015 Asianux. All rights reserved.