275 lines
14 KiB
JSON
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20191685",
"Version": "oval:org.altlinux.errata:def:20191685",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2019-1685: package `python3` update to version 3.7.3-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f1"
],
"Products": [
"ALT SP Workstation",
"ALT SP Server"
]
}
],
"References": [
{
"RefID": "ALT-PU-2019-1685",
"RefURL": "https://errata.altlinux.org/ALT-PU-2019-1685",
"Source": "ALTPU"
},
{
"RefID": "BDU:2019-02457",
"RefURL": "https://bdu.fstec.ru/vul/2019-02457",
"Source": "BDU"
},
{
"RefID": "BDU:2020-00690",
"RefURL": "https://bdu.fstec.ru/vul/2020-00690",
"Source": "BDU"
},
{
"RefID": "BDU:2020-03946",
"RefURL": "https://bdu.fstec.ru/vul/2020-03946",
"Source": "BDU"
},
{
"RefID": "BDU:2021-00373",
"RefURL": "https://bdu.fstec.ru/vul/2021-00373",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03713",
"RefURL": "https://bdu.fstec.ru/vul/2021-03713",
"Source": "BDU"
},
{
"RefID": "CVE-2018-20406",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406",
"Source": "CVE"
},
{
"RefID": "CVE-2018-20852",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852",
"Source": "CVE"
},
{
"RefID": "CVE-2019-5010",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010",
"Source": "CVE"
},
{
"RefID": "CVE-2019-9636",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636",
"Source": "CVE"
},
{
"RefID": "CVE-2019-9674",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674",
"Source": "CVE"
},
{
"RefID": "CVE-2021-28359",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-28359",
"Source": "CVE"
}
],
"Description": "This update upgrades python3 to version 3.7.3-alt1. \nSecurity Fix(es):\n\n * BDU:2019-02457: Уязвимость процедуры синтаксического анализа сертификата интерпретатора языка программирования Python, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2020-00690: Уязвимость интерпретатора языка программирования Python, связанная с ошибками управления регистрационными данными, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2020-03946: Уязвимость модуля для работы с ZIP-файлами zipfile пакета программ Python, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-00373: Уязвимость функции http.cookiejar.DefaultPolicy.domain_return_ok() интерпретатора языка программирования Python, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-03713: Уязвимость модуля pickle.c языка программирования Python, связанная с целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2018-20406: Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.\n\n * CVE-2018-20852: http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.\n\n * CVE-2019-5010: An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.\n\n * CVE-2019-9636: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.\n\n * CVE-2019-9674: Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.\n\n * CVE-2021-28359: The \"origin\" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions \u003c1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 \u0026 CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).\n\n * #32211: pyvenv in python3 fails\n\n * #36297: Обновить версию python3",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2019-04-18"
},
"Updated": {
"Date": "2019-04-18"
},
"BDUs": [
{
"ID": "BDU:2019-02457",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-476",
"Href": "https://bdu.fstec.ru/vul/2019-02457",
"Impact": "High",
"Public": "20190115"
},
{
"ID": "BDU:2020-00690",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-255",
"Href": "https://bdu.fstec.ru/vul/2020-00690",
"Impact": "High",
"Public": "20190309"
},
{
"ID": "BDU:2020-03946",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://bdu.fstec.ru/vul/2020-03946",
"Impact": "High",
"Public": "20190328"
},
{
"ID": "BDU:2021-00373",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2021-00373",
"Impact": "Low",
"Public": "20190713"
},
{
"ID": "BDU:2021-03713",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-190",
"Href": "https://bdu.fstec.ru/vul/2021-03713",
"Impact": "High",
"Public": "20181223"
}
],
"CVEs": [
{
"ID": "CVE-2018-20406",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406",
"Impact": "High",
"Public": "20181223"
},
{
"ID": "CVE-2018-20852",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852",
"Impact": "Low",
"Public": "20190713"
},
{
"ID": "CVE-2019-5010",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-476",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010",
"Impact": "High",
"Public": "20191031"
},
{
"ID": "CVE-2019-9636",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636",
"Impact": "Critical",
"Public": "20190308"
},
{
"ID": "CVE-2019-9674",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-400",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674",
"Impact": "High",
"Public": "20200204"
},
{
"ID": "CVE-2021-28359",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-28359",
"Impact": "Low",
"Public": "20210502"
}
],
"Bugzilla": [
{
"ID": "32211",
"Href": "https://bugzilla.altlinux.org/32211",
"Data": "pyvenv in python3 fails"
},
{
"ID": "36297",
"Href": "https://bugzilla.altlinux.org/36297",
"Data": "Обновить версию python3"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20191685001",
"Comment": "libpython3 is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685002",
"Comment": "python3 is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685003",
"Comment": "python3-base is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685004",
"Comment": "python3-dev is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685005",
"Comment": "python3-modules-curses is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685006",
"Comment": "python3-modules-nis is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685007",
"Comment": "python3-modules-sqlite3 is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685008",
"Comment": "python3-modules-tkinter is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685009",
"Comment": "python3-test is earlier than 0:3.7.3-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20191685010",
"Comment": "python3-tools is earlier than 0:3.7.3-alt1"
}
]
}
]
}
}
]
}