python-2.7.5-92.0.1.el7.AXS7
Errata ID: AXSA:2022-3427:14
Release date:
2022/07/06 Wednesday - 05:45
Title:
python-2.7.5-92.0.1.el7.AXS7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- http.client in Python 3 allows CRLF injection when the attacker
controls the HTTP request method. (CVE-2020-26116)
- The putrequest function in Python's urllib3 library has a flaw that
allows CRLF injection when the attacker manipulates the HTTP request
method. (CVE-2020-26137)
- PyCArg_repr in _ctypes/callproc.c in Python 3 has a buffer overflow
that may lead to remote code execution in certain Python applications
that accept untrusted input as floating-point numbers. (CVE-2021-3177)
Solution:
Update the packages.
CVE:
CVE-2020-26116
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVE-2020-26137
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2021-3177
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
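The two CRLF-injection entries above share one root cause: a request method containing control characters reached http.client's putrequest without validation. The following is an added example (not code from the Asianux or Python packages) showing an application-side check that restricts the method to the RFC 7230 token alphabet before delegating to http.client; the sample methods are constructed for the demonstration.

```python
"""Reject HTTP request methods carrying CR/LF before they reach http.client.

Added example for this advisory; not part of the Asianux or Python packages.
"""
import string
import http.client

# RFC 7230 "tchar" set: a method is one or more of these characters.
# CR, LF, space and every other control character fall outside it.
_TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

# Constructed sample inputs: the first two are legitimate methods, the rest
# carry the kind of control characters the CVE descriptions refer to.
SAMPLE_METHODS = [
    "GET",
    "PROPFIND",
    "GET\r\nX-Injected: 1\r\n",   # CRLF would terminate the request line early
    "POST\n",                     # a bare LF is just as harmful
    "GET /",                      # space ends the method token; also rejected
    "",                           # an empty token is never valid
]


def is_valid_method(method: str) -> bool:
    """True only if `method` is a non-empty RFC 7230 token."""
    return bool(method) and all(ch in _TCHAR for ch in method)


def safe_putrequest(conn: http.client.HTTPConnection, method: str, url: str) -> None:
    """Validate first, so the check does not depend on the installed
    http.client carrying the CVE-2020-26116 fix."""
    if not is_valid_method(method):
        raise ValueError("refusing request method with non-token characters: %r" % method)
    conn.putrequest(method, url)


def classify(methods):
    """Map each sample method to 'accepted' or 'rejected'."""
    return {m: ("accepted" if is_valid_method(m) else "rejected") for m in methods}


if __name__ == "__main__":
    for m, verdict in classify(SAMPLE_METHODS).items():
        print("%-28r %s" % (m, verdict))
```

Patched http.client versions perform an equivalent control-character check inside putrequest; the wrapper keeps the rejection explicit and version-independent.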
Additional information:
N/A
Download:
SRPMS
- python-2.7.5-92.0.1.el7.AXS7.src.rpm
MD5: 93d0e04028cfb6cd34a7eccc64dabe8c
SHA-256: 7c3a90690cbf863ce12089bee45d52d7ef0d9b564bb6f01acf5e429ebb3264ef
Size: 10.26 MB
Asianux Server 7 for x86_64
- python-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
MD5: 3cda72245a1bd59eb5996097471c25c4
SHA-256: ae5ab609242ebf80a35f271aabeb1d48f4c71ea96d244f6eec1f11a0b7e3ac6c
Size: 95.62 kB
- python-devel-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
MD5: 2d2d4bc511457425d0568b8b8f7cc366
SHA-256: bfc4dcc2112ae7ea0a81e404a01b9876162d852d116a03ef34abd919c9da3a31
Size: 398.25 kB
- python-libs-2.7.5-92.0.1.el7.AXS7.x86_64.rpm
MD5: 411c5e23f068671069c64634f4af8671
SHA-256: a2bc965b000c31214eb29d657d4609746c84679a5a86a2353f2df53d95f8e088
Size: 5.65 MB
- python-libs-2.7.5-92.0.1.el7.AXS7.i686.rpm
MD5: aae650fc8b5df65dc2c244de099b1038
SHA-256: 844e68ce90202806c9efbad44d09191793e26ac686413bd662b7802d163fa25c
Size: 5.60 MB