MGASA-2020-0451 - Updated python and python3 packages fix security vulnerabilities

Publication date: 08 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0451.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-9674,
     CVE-2019-17514,
     CVE-2019-20907,
     CVE-2020-8492,
     CVE-2020-14422,
     CVE-2020-26116

It was discovered that Python incorrectly handled certain ZIP files. An
attacker could possibly use this issue to cause a denial of service
(CVE-2019-9674).

It was discovered that the Python documentation contained misleading
information. Wrong assumptions based on this information could possibly
cause a security issue (CVE-2019-17514).

It was discovered that Python incorrectly handled certain TAR archives. An
attacker could possibly use this issue to cause a denial of service
(CVE-2019-20907).

It was discovered that Python incorrectly handled certain HTTP requests. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-8492).

It was discovered that Python incorrectly handled certain IP values. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-14422).

It was discovered that Python incorrectly handled certain character sequences.
A remote attacker could possibly use this issue to perform CRLF injection
(CVE-2020-26116).

The CVE-2020-14422 issue only affected python3.

References:
- https://bugs.mageia.org/show_bug.cgi?id=26268
- https://ubuntu.com/security/notices/USN-4428-1
- https://ubuntu.com/security/notices/USN-4333-1
- https://ubuntu.com/security/notices/USN-4581-1
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/errata/RHSA-2020:4299
- https://access.redhat.com/errata/RHSA-2020:4433
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116

SRPMS:
- 7/core/python-2.7.18-1.1.mga7
- 7/core/python3-3.7.9-1.mga7