RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: rh-python35-python-jinja2 security update
Advisory ID:       RHSA-2019:1237-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1237
Issue date:        2019-05-16
CVE Names:         CVE-2016-10745 CVE-2019-10906 
====================================================================
1. Summary:

An update for rh-python35-python-jinja2 is now available for Red Hat
Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

The rh-python35-python-jinja2 package contains Jinja2, a template engine
written in pure Python. Jinja2 provides a Django inspired non-XML syntax
but supports inline expressions and an optional sandboxed environment. 

Security Fix(es):

* python-jinja2: Sandbox escape due to information disclosure via
str.format (CVE-2016-10745)

* python-jinja2: str.format_map allows sandbox escape (CVE-2019-10906)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all applications using Jinja2 must be
restarted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1698345 - CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format
1698839 - CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-python35-python-jinja2-2.8.1-2.el6.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-python35-python-jinja2-2.8.1-2.el6.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-python35-python-jinja2-2.8.1-2.el7.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
rh-python35-python-jinja2-2.8.1-2.el7.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
rh-python35-python-jinja2-2.8.1-2.el7.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-python35-python-jinja2-2.8.1-2.el7.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-python35-python-jinja2-2.8.1-2.el7.src.rpm

noarch:
rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-10745
https://access.redhat.com/security/cve/CVE-2019-10906
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXN1eJNzjgjWX9erEAQhZNg/+O3yKCapR6ClTRb7cRku3D8S0TD7rjzbC
2+jjcg+FhWVwaKi3+2vTVMYbxSNWB300I5JXBs/0jKm4qUKXTbxSOSzTLFzeXbc2
qfI3+48LjnsvnFfGad5J/C6dhc4t4gllW+qSO/AGvPBpky9qd1hklyIOI4b0Bpk4
NU2XigUbOyJrMX3VRmTfd4zECyZ5U1KdM8W71XDtH9RTmPAgU5BRO0qc3AF9Ygn5
w3PXSwy4kz4HCvEv1xMCizMrJ45fQnGmGWBo5+f7zTqUweGXJlNrO2AHDtkyTd4n
pbnBqzkSzy/LW/aIzivyPsszuT7Dt13uVWhttzcqoF6+yz/eEHHd/9GbQfZ9Eblp
CMfIBSNdmeXGyxk3vlppUbiWKXOtlNc6JSgyb3i2GqB35NMgAc0V01ScxK1JbpjI
QlwRNaEGUn8cC8b1DShdTIEbzZLKIyR6V5PGqUyuNp3seCD/LuIq5MtmRQFOE4qk
gveVNkLLOC+mwrT8QCkod1nJs7BICMkeqIItm0aoLzi4c1kr42tk3Pq+hIkcyekh
mIuQw2VnNjn1NP530J9/NEPV22tPueM/ifM2uqeRMaZA8RREoGC9ipq7CNURiIgh
/YcVbaTVOp0bAU2VBq3PlSG0ueeN8ZqCJQlVhXaGqwKdHqZOxn6jRWqi+cFz74ZN
o6EqbeHHVG4=hFJF
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

red hat

May 16, 2019

An update for rh-python35-python-jinja2 is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all applications using Jinja2 must be restarted.

Summary

The rh-python35-python-jinja2 package contains Jinja2, a template engine written in pure Python. Jinja2 provides a Django inspired non-XML syntax but supports inline expressions and an optional sandboxed environment.
Security Fix(es):
* python-jinja2: Sandbox escape due to information disclosure via str.format (CVE-2016-10745)
* python-jinja2: str.format_map allows sandbox escape (CVE-2019-10906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics Covered

security advisory important sandbox escape software collections rh-python35-python-jinja2

References

https://access.redhat.com/security/cve/CVE-2016-10745 https://access.redhat.com/security/cve/CVE-2019-10906 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: rh-python35-python-jinja2-2.8.1-2.el6.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el6.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source: rh-python35-python-jinja2-2.8.1-2.el6.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el6.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-python35-python-jinja2-2.8.1-2.el7.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
Source: rh-python35-python-jinja2-2.8.1-2.el7.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source: rh-python35-python-jinja2-2.8.1-2.el7.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source: rh-python35-python-jinja2-2.8.1-2.el7.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: rh-python35-python-jinja2-2.8.1-2.el7.src.rpm
noarch: rh-python35-python-jinja2-2.8.1-2.el7.noarch.rpm

Read the Full Advisory

Severity

important

Lowest

Low

Medium

High

Critical

Advisory ID: RHSA-2019:1237-01

Product: Red Hat Software Collections

Advisory URL: https://access.redhat.com/errata/RHSA-2019:1237

Issue date: 2019-05-16

Topic

An update for rh-python35-python-jinja2 is now available for Red HatSoftware Collections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics Covered

security advisory important sandbox escape software collections rh-python35-python-jinja2

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

Bugs Fixed

1698345 - CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format

1698839 - CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

RedHat: RHSA-2019-1237 Important: Sandbox Escapes in Jinja2

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!