python3-3.6.8-31.el8
エラータID: AXSA:2021-1204:01
リリース日:
2021/01/15 Friday - 11:25
題名:
python3-3.6.8-31.el8
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Python の XML-RPC サーバーには、server_title フィールドを介した
クロスサイトスクリプティングの問題があり、信頼されない入力とともに
set_server_title が呼び出されると、そのサーバーの http URL を訪れた
クライアントに任意の JavaScript が送付される脆弱性があります。
(CVE-2019-16935)
- Python の Lib/tarfile.py の _proc_pax ではヘッダの検証が行われないため、
攻撃者が巧妙に細工された TAR アーカイブを介して無限ループを
引き起こす脆弱性があります。(CVE-2019-20907)
- Python の Lib/ipaddress.py の IPv4Interface と IPv6Interface のクラスには、
不適切なハッシュ値の計算が存在し、アプリケーションが IPv4Interface や
IPv6Interface のオブジェクトを含むディクショナリーのパフォーマンスに
影響され、かつリモートの攻撃者が多数のディクショナリーエントリーを
生成出来る場合、攻撃者がサービス拒否を引き起こす脆弱性があります。
(CVE-2020-14422)
- Python には、 urllib.request.AbstractBasicAuthHandler の壊滅的な
バックトラッキングが原因で、HTTP サーバーがクライアントに対して
正規表現のサービス拒否(ReDoS) 攻撃が可能な脆弱性があります。
(CVE-2020-8492)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2019-16935
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
CVE-2019-20907
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2020-14422
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.
CVE-2020-8492
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
追加情報:
N/A
ダウンロード:
SRPMS
- python3-3.6.8-31.el8.src.rpm
MD5: e7b8831290fe9ca46dfc3f5dc068d199
SHA-256: 33d2e1a997fb50ac79da3b5c2e2ee7db4469a5a337474a8a8d0f8b75b9d8d3cd
Size: 18.19 MB
Asianux Server 8 for x86_64
- platform-python-3.6.8-31.el8.x86_64.rpm
MD5: 9008464cb7e8bf2127a0927397edf99b
SHA-256: 96c9c25f1835d80ba87651e3067dae22380863307b023b770bb2536dc25ab99d
Size: 82.15 kB - platform-python-debug-3.6.8-31.el8.x86_64.rpm
MD5: dc12a259c178bd11c93784d7f9df68fe
SHA-256: b8aeb0e7161811bf8a903c1501d1bb7796308f863a088b11191361e9a52aff22
Size: 2.68 MB - platform-python-devel-3.6.8-31.el8.x86_64.rpm
MD5: 6dd37740b8c1764c8edafd61855ec142
SHA-256: bb954a3a812ff6a7fcd6e44f159a824e966c59368ba2bb9a75d0f85b130c98d4
Size: 246.33 kB - python3-idle-3.6.8-31.el8.x86_64.rpm
MD5: cce2aa9ab66ad7f024209400ff8d74b2
SHA-256: e2b18c1ce6b0b7c8b272704e2522603759a782ebb148ef1c74c702e0d694ea6f
Size: 823.65 kB - python3-libs-3.6.8-31.el8.x86_64.rpm
MD5: 8a7c7eba966d6db37451bb328bd5a7bc
SHA-256: 913e60fed7ed8d9de287d30616252f2273fd352f99d1e3efab6d386aee6cbd47
Size: 7.81 MB - python3-test-3.6.8-31.el8.x86_64.rpm
MD5: 3cf59ea50a1fc6799e8de41b1039da40
SHA-256: 21617325029d3936c09c16c3aa7c67f3b04ee1911d3f3991760ee483cb28bfc8
Size: 8.63 MB - python3-tkinter-3.6.8-31.el8.x86_64.rpm
MD5: 5b94c732b988908666722ff9bb61b913
SHA-256: 41a5132d2c5d8e6bf8ad9d859e402877b27b77d9420489cd44fc111f98456cb6
Size: 368.78 kB - platform-python-3.6.8-31.el8.i686.rpm
MD5: aa1d1b999ebf4cb7b6f2531f66c02125
SHA-256: 8b73fa3d2d54ddc35fee6d835e0b3ec77cf2e3a88ef3bbb6e976ce6647e96e3d
Size: 82.08 kB - platform-python-debug-3.6.8-31.el8.i686.rpm
MD5: 3247f7ad5737ab926ff6340200d7c465
SHA-256: 9bd9ff512c58ea460768d88c557322ae2a81cd474cde3ff8eba7b28b56feb3d6
Size: 2.71 MB - platform-python-devel-3.6.8-31.el8.i686.rpm
MD5: 4060bab89769caad1523df374501141c
SHA-256: 318a8f40cc2f10ea7d101c9030e098bb1e8345b399813f507f82bd6f0176c8e3
Size: 245.61 kB - python3-idle-3.6.8-31.el8.i686.rpm
MD5: 6ce207d21e1dc03c37e209768f311952
SHA-256: 7e047abf5801ce2206ca51b9b46c96e4013eebfbeb46a4dde0ca3b5612eca18c
Size: 823.68 kB - python3-libs-3.6.8-31.el8.i686.rpm
MD5: 8f3ac4601f89f56d1619489b77442066
SHA-256: 38e4d5fc3cbc5a6c1c64b1db07f97b4a25fbddaabebf170f6bb14498ad776c29
Size: 7.87 MB - python3-test-3.6.8-31.el8.i686.rpm
MD5: 2674369d607c59452f208b44cd752b30
SHA-256: 7ff5c20d30ae66c7837bd7a2dbabc4c7983c7b41e57b9f899ac1840eecb49e93
Size: 8.64 MB - python3-tkinter-3.6.8-31.el8.i686.rpm
MD5: af6c02a07180d7a5ad961d6561a3d0bc
SHA-256: 51e8d764e63bd4e63bace3d0b76535ebed00d23d3df892df50558fd4e32054b5
Size: 370.22 kB
English