Mageia 2020-0451: python and python3 security update
Summary
It was discovered that Python incorrectly handled certain ZIP files. An attacker
could possibly use this issue to cause a denial of service (CVE-2019-9674).
It was discovered that the Python documentation contained misleading
information. A security issue could possibly be caused by wrong assumptions
based on this information (CVE-2019-17514).
It was discovered that Python incorrectly handled certain TAR archives. An
attacker could possibly use this issue to cause a denial of service
(CVE-2019-20907).
It was discovered that Python incorrectly handled certain HTTP requests. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-8492).
It was discovered that Python incorrectly handled certain IP values. An
attacker could possibly use this issue to cause a denial of service
(CVE-2020-14422).
It was discovered that Python incorrectly handled certain character sequences.
A remote attacker could possibly use this issue to perform CRLF injection
(CVE-2020-26116).
The CVE-2020-14422 issue only affected python3.
References
- https://bugs.mageia.org/show_bug.cgi?id=26268
- https://ubuntu.com/security/notices/USN-4428-1
- https://ubuntu.com/security/notices/USN-4333-1
- https://ubuntu.com/security/notices/USN-4581-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/
- https://access.redhat.com/errata/RHSA-2020:4273
- https://access.redhat.com/errata/RHSA-2020:4299
- https://access.redhat.com/errata/RHSA-2020:4433
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
Resolution
MGASA-2020-0451 - Updated python and python3 packages fix security vulnerabilities
SRPMS
- 7/core/python-2.7.18-1.1.mga7
- 7/core/python3-3.7.9-1.mga7