python3-3.6.8-13.el7
Errata ID: AXSA:2020-4552:01
Release date:
2020/04/02 Thursday - 06:51
Title:
python3-3.6.8-13.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following items have been addressed.
[Security Fix]
- http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py of Python 3 does not correctly validate the domain and can be tricked into sending existing cookies to the wrong server. When a program uses http.cookiejar.DefaultPolicy and makes an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. (CVE-2018-20852)
- python3 incorrectly parses email addresses that contain multiple '@' characters, so an application that uses the email module and performs some kind of check on a message's From/To headers can be tricked into accepting an address that should be rejected; an attack similar to CVE-2019-11340 is possible. (CVE-2019-16056)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the package.
CVE:
CVE-2018-20852
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVE-2019-16056
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
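Both flaws above come down to an input check that is too loose. The following added example (not code from the advisory or from CPython; the function names and sample inputs are assumptions constructed for this illustration) contrasts a bare suffix match, which is the pre-fix behaviour described for CVE-2018-20852, with a domain match that requires a label boundary, and shows a conservative From/To header pre-check that rejects addr-specs with more than one '@' as described for CVE-2019-16056.

```python
from email import message_from_string


def weak_domain_ok(req_host, cookie_domain):
    """Flawed suffix match: a bare endswith() lets pythonicexample.com
    receive a cookie scoped to example.com (the CVE-2018-20852 behaviour)."""
    return req_host.lower().endswith(cookie_domain.lower().lstrip("."))


def strict_domain_ok(req_host, cookie_domain):
    """Hardened match: the request host must equal the cookie domain or
    end with '.' + domain, so the match stops at a DNS label boundary."""
    host = req_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not domain:
        return False
    return host == domain or host.endswith("." + domain)


def single_at_addr_spec(address):
    """Pre-check for one address from a From/To header: extract the
    addr-spec from 'Name <addr>' form and require exactly one '@'.
    Conservative: a quoted local part such as "a@b"@example.com is
    rejected too, which is acceptable for a header sanity check."""
    value = address.strip()
    if value.endswith(">") and "<" in value:
        value = value[value.rfind("<") + 1:-1]
    return value.count("@") == 1


def rejected_addresses(raw_message):
    """Parse a raw RFC 822 message and return the From/To/Cc entries that
    fail the single-'@' check. Splitting on ',' is a simplification that
    ignores commas inside quoted display names."""
    msg = message_from_string(raw_message)
    bad = []
    for field in ("From", "To", "Cc"):
        for value in msg.get_all(field, []):
            for part in value.split(","):
                if not single_at_addr_spec(part):
                    bad.append(part.strip())
    return bad


# Constructed sample message: the From address carries two '@' characters.
SAMPLE_MESSAGE = (
    "From: alice@example.com@attacker.example\n"
    "To: Bob <bob@example.com>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
```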
Additional information:
N/A
Download:
SRPMS
- python3-3.6.8-13.el7.src.rpm
MD5: 5cdf84a28a546b7fa7e3d242bae07677
SHA-256: e382ad6a0299e231d408eff35ecdf880fefa4cd9f32066668375bac030775c5a
Size: 16.55 MB
Asianux Server 7 for x86_64
- python3-3.6.8-13.el7.x86_64.rpm
MD5: 856a75b430b91bdeab41930a0a46af35
SHA-256: d8a547f956dd45dc8673e76e47a61d2be1536a4d85a5bd8e4add3ffc1877e705
Size: 68.51 kB
- python3-debug-3.6.8-13.el7.x86_64.rpm
MD5: 1b4c66125418fd32c50ac129b314d25b
SHA-256: a35a45253267af395d8a625292ce9d8fc7a7545204da54413e8ac1e4ef0319ab
Size: 2.65 MB
- python3-devel-3.6.8-13.el7.x86_64.rpm
MD5: 0e369fca37bd46326a2e40f9d94e2b82
SHA-256: d424033fca612ef44c810e6600138fdc6637c94104a24705a81eecd0f55ae0b7
Size: 214.56 kB
- python3-idle-3.6.8-13.el7.x86_64.rpm
MD5: ce2e90ce8e639e3e822afe4ed709d7f0
SHA-256: 5bb2863e4511133c855e520f20d7531a21af22e1d84da4fef7b54cccf343d4f6
Size: 777.46 kB
- python3-libs-3.6.8-13.el7.x86_64.rpm
MD5: d39a7750e7c6c7e1cc0819ad20ac6d28
SHA-256: 1f22d36d0bd03e0366fabad98b91ed208fb532f63428f31ee8c4f80938512873
Size: 6.97 MB
- python3-test-3.6.8-13.el7.x86_64.rpm
MD5: 75a8c1be6ad17c6ac9b45cccca4c1d9b
SHA-256: be136488e8b7d72d6835b8a753b8f3e3278817726860f32e9dbb86a111f155a8
Size: 7.23 MB
- python3-tkinter-3.6.8-13.el7.x86_64.rpm
MD5: eab74f7271587d058969922bb2f132a7
SHA-256: 1542faefb0a6e4a1673ab96d9d85120f32b109406ee253f0b5812c755e00bf46
Size: 363.94 kB
- python3-3.6.8-13.el7.i686.rpm
MD5: 5ba2c7b113a7878864deb875853e73a7
SHA-256: 8ef262fbfcf32d388b5830257f5acab37594f77b42379b799e58de4574783663
Size: 68.58 kB
- python3-debug-3.6.8-13.el7.i686.rpm
MD5: 5c5d37249d15798f4ee078dbac220e02
SHA-256: 74477514d544b73fec03129b1a8f3d489a255da717fa73c6853310f97e895afb
Size: 2.44 MB
- python3-devel-3.6.8-13.el7.i686.rpm
MD5: 418b2f972a59fc52c749bed025b1ce06
SHA-256: 8106dd85dc46f7df0410cf9addad08ba7ba7292e8317461864ccca82ff651df3
Size: 214.73 kB
- python3-idle-3.6.8-13.el7.i686.rpm
MD5: bb77979fe1f77c50ef3c6126fdb6b397
SHA-256: 61dcfbdb3d76be08764e946040e5a56a453486ac58691348d3afd9180f86d7f9
Size: 777.52 kB
- python3-libs-3.6.8-13.el7.i686.rpm
MD5: 5dbd7b9eb0948a455db2baa6d2a7b3e2
SHA-256: 528c11dec1503d51cea8f7c5d4480ee6ca3e533d1f267423ef672b4c9d4b399e
Size: 6.87 MB
- python3-test-3.6.8-13.el7.i686.rpm
MD5: 0d634efb95e3b2242e18692d2432d77e
SHA-256: 6562184497cc6789cf25232db5af0c3007eb9c3929231f37ee08b7e165308265
Size: 7.23 MB
- python3-tkinter-3.6.8-13.el7.i686.rpm
MD5: e5af5dca9afb914d27006293fe126ce4
SHA-256: c15ea050c2e067d50766c5971d3514dec8c6a960efed904186d56913823b59eb
Size: 363.95 kB