2021/08/24 Tuesday - 11:02
rh-python38 security, bug fix, and enhancement update
Asianux Server 7 for x86_64

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

The following packages have been upgraded to a later upstream version: rh-python38-python (3.8.11).

Security Fix(es):

* python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)
* python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619)
* python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)
* python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493)
* python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer overflow (CVE-2020-36242)
* python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)
* python: Information disclosure via pydoc (CVE-2021-3426)
* python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code (CVE-2021-20095)
* python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters (CVE-2021-23336)
* python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)
* python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)
* python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)
* python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional information

* Changes in the default separator for the Python urllib parsing functions

To mitigate the Web Cache Poisoning CVE-2021-23336 in the Python urllib library, the default separator for the urllib.parse.parse_qsl and urllib.parse.parse_qs functions is being changed from both ampersand (&) and semicolon (;) to only an ampersand.

The change of the default separator is potentially backwards incompatible, therefore Asianux provides a way to configure the behavior in Python packages where the default separator has been changed. In addition, the affected urllib parsing functions issue a warning if they detect that a customer’s application has been affected by the change.

For more information, see the Knowledgebase article "Mitigation of Web Cache Poisoning in the Python urllib library (CVE-2021-23336)" linked from the References section.

* The Python "ipaddress" module no longer allows leading zeros in IPv4 addresses

To mitigate CVE-2021-29921, the Python "ipaddress" module now rejects IPv4 addresses with leading zeros with an "AddressValueError: Leading zeros are not permitted" error.

Customers who rely on the previous behavior can pre-process their IPv4 address inputs to strip the leading zeros off. For details, see the Asianux Software Collections 3.7 Release Notes.

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
In Python 3 through 3.9.0, the Lib/test/ CJK codec tests call eval() on content retrieved via HTTP.
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Update packages.




  1. rh-python38-babel-2.7.0-12.el7.src.rpm
    MD5: 7cc9917dc47f0f9ad02ff480b05772ca
    SHA-256: a9f56cbc53c0667edb351fc300a6b9aab5f4c230480c960b8ac96e6fa6c9fc16
    Size: 7.88 MB
  2. rh-python38-python-cryptography-2.8-5.el7.src.rpm
    MD5: 064f519bf9ee3d2ed21a7b62a71a1e5a
    SHA-256: 4f5c8b449f7ef5d09b14e0b7712b0316235dbfbd58b268cfb68dc7c6b26355d9
    Size: 503.33 kB
  3. rh-python38-python-jinja2-2.10.3-6.el7.src.rpm
    MD5: 17e8e8c31b82acbc2e2a9146f6cb7863
    SHA-256: 214f694d2506ef2e89fe3f200e4177be3c0e3a39ea6823bb402907fa69f14992
    Size: 268.77 kB
  4. rh-python38-python-lxml-4.4.1-7.el7.src.rpm
    MD5: 7358eb8d0f204c60faf3333972702844
    SHA-256: 749be039768ff8d0978e466c1c7deecfcd949d8a511a96189cb446060fd5f20e
    Size: 4.39 MB
  5. rh-python38-python-pip-19.3.1-2.el7.src.rpm
    MD5: d82706200a8a2b86dfb324c08b87fda0
    SHA-256: 8fcc2fd3cc64ad1570fc2e95ebd3dc963a7e9c228d6426f42793ade6514f7b71
    Size: 6.14 MB
  6. rh-python38-python-3.8.11-2.el7.src.rpm
    MD5: d199beab4d75de3cc162804830cfa5f4
    SHA-256: b2e18f3ed08d6a015e0a9a920152b010c9fd8ff9c772ea6a662c71705456f34e
    Size: 17.75 MB
  7. rh-python38-python-urllib3-1.25.7-7.el7.src.rpm
    MD5: 1c734c49cca942bd1c9b43d4cd9612ac
    SHA-256: 319eb8f3baa95a630a958491ee5ba907c70b6edd8ef76ec942910d2c75a3b0c1
    Size: 250.57 kB

Asianux Server 7 for x86_64
  1. rh-python38-python-babel-2.7.0-12.el7.noarch.rpm
    MD5: 3f489f730a7a43dc7f54384f67ae3fe0
    SHA-256: 4748aa63d55a5db05cce441fbae7a41149d63656e90ecfc8228b62e283e7b8ca
    Size: 5.94 MB
  2. rh-python38-python-cryptography-2.8-5.el7.x86_64.rpm
    MD5: 6a66a7f871430ae97cdfc523f9256fbe
    SHA-256: 638a73b4e516730fca30426825b5ffc6b69c6cfc51e69b3dbce701262b8c73ad
    Size: 560.30 kB
  3. rh-python38-python-jinja2-2.10.3-6.el7.noarch.rpm
    MD5: 13ff07fee145472e828e60cad931e197
    SHA-256: f42c198ed3002784735c47702d3072d507266aad96c193ee8db8fa9dad470b73
    Size: 266.89 kB
  4. rh-python38-python-lxml-4.4.1-7.el7.x86_64.rpm
    MD5: 15ff6b7b2dd1573c4474783d4c2dbceb
    SHA-256: 337f2c7aecb9eeecf77fa28529e0a31a6e481009a878009c4b36393634b06f3c
    Size: 1.48 MB
  5. rh-python38-python-pip-19.3.1-2.el7.noarch.rpm
    MD5: 7463f7f771117eda853f24ea331913de
    SHA-256: 27af75231a0f38edeec4db828bec9dd742194fbfe939af017f30e9d1e964546f
    Size: 1.74 MB
  6. rh-python38-python-pip-wheel-19.3.1-2.el7.noarch.rpm
    MD5: b72875536cc76ef487b34ea65c94d06f
    SHA-256: 782fd183fe1ed06f0c67eda43542b2c2b1b296c0ac29a363a0a8355d477a532f
    Size: 1.19 MB
  7. rh-python38-python-3.8.11-2.el7.x86_64.rpm
    MD5: 2ed17f1c4e6022884fb1d4c10b8e0a67
    SHA-256: c94d63568ac9369970a4c51d6d65a7f3cc45a37254b2ea81f89ac85035e2b810
    Size: 70.81 kB
  8. rh-python38-python-debug-3.8.11-2.el7.x86_64.rpm
    MD5: d1ea4d3cc15a861d5048a23b2dc5bc4f
    SHA-256: dbde2e9c85a25731aa108729b0792c5ca63e02792bd1a1e99f913aab1626ba4c
    Size: 2.99 MB
  9. rh-python38-python-devel-3.8.11-2.el7.x86_64.rpm
    MD5: e0568b778ff4cd3d488385f347af7cb6
    SHA-256: 0c2756807f628f3b4c4f40e39131f2889d756d19ef08b0b142b638db18b19b51
    Size: 274.60 kB
  10. rh-python38-python-idle-3.8.11-2.el7.x86_64.rpm
    MD5: 7a5f1f3eedde7fb3191a31bb645fd797
    SHA-256: d8fecf64ac4a15b0a10895721f5b05666c17067cf5852a2e5111ce4ad33a441d
    Size: 855.84 kB
  11. rh-python38-python-libs-3.8.11-2.el7.x86_64.rpm
    MD5: 38e899aead2a9455932e6bdb8816f80e
    SHA-256: 1977ff5f3df029cdf60cd175bca1200f380dd0cbebd60f566d50e4d2ce0c771e
    Size: 7.67 MB
  12. rh-python38-python-rpm-macros-3.8.11-2.el7.noarch.rpm
    MD5: 717a35bc6750002240c3002acc472e3e
    SHA-256: 58880f66a3e9dc4f11f7c2163857b0fcfd1ecdf5bb8471f66a56d4817a66076c
    Size: 64.19 kB
  13. rh-python38-python-srpm-macros-3.8.11-2.el7.noarch.rpm
    MD5: deb1525e27324823231c39f993196d84
    SHA-256: 9c912197b3f2dc38975b13e5fc9401fc602366991cd1a5adb8398607ea5cb1a4
    Size: 63.57 kB
  14. rh-python38-python-test-3.8.11-2.el7.x86_64.rpm
    MD5: e2c5b092eb3909b3808e200b27296f12
    SHA-256: 91a122fdfeb8b437ae09e776d43b8358ef0d0e2a24fb539c81c628453dc0ddaa
    Size: 8.29 MB
  15. rh-python38-python-tkinter-3.8.11-2.el7.x86_64.rpm
    MD5: d28154a1a83fe145d682401cbbfca2df
    SHA-256: 970b91f4d23b514d989d25e8618649972c933ecd7178db89260395123799f02b
    Size: 374.25 kB
  16. rh-python38-python-urllib3-1.25.7-7.el7.noarch.rpm
    MD5: 6cfa8d07b0e0c38f5942540bd97ac1cf
    SHA-256: 1edfc6070d520b1e731633430004df613cb59ae5dd82da945d14d123de705a4b
    Size: 190.17 kB
Copyright© 2007-2015 Asianux. All rights reserved.