python-2.7.5-88.0.1.el7.AXS7
Errata ID: AXSA:2020-4713:15
Release date:
2020/04/17 Friday - 15:07
Title:
python-2.7.5-88.0.1.el7.AXS7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following items have been addressed.
[Security Fix]
- http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in python 3 does not correctly validate the domain and can be tricked into sending existing cookies to the wrong server. When a program uses http.cookiejar.DefaultPolicy and makes an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. (CVE-2018-20852)
- python3 incorrectly parses email addresses that contain multiple '@' characters, so an application that uses the email module and implements some kind of check on the From/To headers of a message can be tricked into accepting an address that should be rejected; an attack similar to CVE-2019-11340 is possible. (CVE-2019-16056)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2018-20852
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
CVE-2019-16056
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
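The two CVE descriptions above each come down to a boundary check that a lenient parser gets wrong: a cookie domain matched by plain suffix (so pythonicexample.com passes for example.com) and an address with more than one '@' accepted by a From/To header check. The following added example, which is not part of this advisory and not CPython's own cookiejar or email code, shows the flawed suffix test next to a label-boundary match, and a strict addr-spec check that rejects any address without exactly one '@' before a domain allow-list decision is made. The trusted domain, the header values and the restricted dot-atom grammar for the local part are constructed assumptions for the demonstration.

```python
import re

# Constructed allow-list for the demonstration (assumption, not from the advisory).
TRUSTED_MAIL_DOMAIN = "example.com"

# DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Restricted dot-atom local part (assumption: quoted-string local parts are not accepted).
LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def naive_domain_match(host, cookie_domain):
    """Flawed check kept only for contrast: a plain suffix test, the class of
    mistake described for CVE-2018-20852. 'pythonicexample.com' passes for a
    cookie scoped to 'example.com'."""
    return host.lower().endswith(cookie_domain.lower().lstrip("."))


def strict_domain_match(host, cookie_domain):
    """Correct check: the host must equal the cookie domain or end with
    '.' + domain, so a match can only occur on a label boundary."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not host or not domain:
        return False
    return host == domain or host.endswith("." + domain)


def split_addr_spec(addr):
    """Split 'local@domain' strictly. Returns (local, domain) or None when the
    address does not have exactly one '@' with well-formed sides."""
    if addr.count("@") != 1:  # the CVE-2019-16056 shape: a@b@c.example
        return None
    local, domain = addr.split("@")
    if (not LOCAL_RE.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return local, domain.lower()


def extract_addr_spec(header_value):
    """Pull the addr-spec out of a From/To header value such as
    'Alice <alice@example.com>' or a bare 'alice@example.com'."""
    value = header_value.strip()
    if "<" in value and value.endswith(">"):
        value = value[value.rindex("<") + 1:-1]
    return value.strip()


def sender_is_trusted(header_value, trusted_domain=TRUSTED_MAIL_DOMAIN):
    """Policy check: accept only when the header parses strictly and the domain
    equals the trusted domain. Anything unparseable is rejected outright
    instead of being parsed leniently and then compared."""
    parsed = split_addr_spec(extract_addr_spec(header_value))
    if parsed is None:
        return False
    return parsed[1] == trusted_domain.lower()


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    for host in ("www.example.com", "pythonicexample.com"):
        print(host, "naive:", naive_domain_match(host, "example.com"),
              "strict:", strict_domain_match(host, "example.com"))
    for hdr in ("Alice <alice@example.com>",
                "alice@example.com@attacker.example",
                "bob@attacker.example"):
        print(repr(hdr), "trusted:", sender_is_trusted(hdr))
```

The cookie half of the check is what a cookie policy needs before it releases a stored cookie to a request host; the mail half is applied to the raw header value, so the decision does not depend on what a lenient parser chooses to return for a malformed address.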
Additional information:
N/A
Downloads:
SRPMS
- python-2.7.5-88.0.1.el7.AXS7.src.rpm
MD5: 50d5abaa765ac56aa3c2f70c5774a27b
SHA-256: 90214222ebb7248a0d02bf18ec90c9647185e55ffb9c2ddec0c4a43728995bc0
Size: 10.21 MB
Asianux Server 7 for x86_64
- python-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: ab11bc0688ed5de7c8d728845fd040df
SHA-256: 92c1d08bcd943f0a9408f9e97896976a58d3555130ca2736ba4673422471a8aa
Size: 94.98 kB
- python-devel-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: 628fc35ac66a85738744e4066e4d4968
SHA-256: 8b6889668db526b2d32e6b0a40f6424b1145db38b52df5acaa2ecddd6d80a841
Size: 397.63 kB
- python-libs-2.7.5-88.0.1.el7.AXS7.x86_64.rpm
MD5: b0e2c477147a10358dd212b84aa6952e
SHA-256: 677b1be7a28b360d1d566254ab46132c3f617fd203f18db34bed36cc32a9cf18
Size: 5.64 MB
- python-libs-2.7.5-88.0.1.el7.AXS7.i686.rpm
MD5: 378823f0c678c06b3c7c6719f208e4f0
SHA-256: 5ba164223c60677dd30a6199fabda9222bb9617a202b043b36e0ea9a0281bad3
Size: 5.60 MB