
Red Hat Enterprise Linux 7 RHSA-2020:2068-01 moderate python-pip patch

Red Hat, May 12, 2020
An update for python-pip is now available for Red Hat Enterprise Linux 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python".
Security Fix(es):
* python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (CVE-2018-20060)
* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)
* python-urllib3: Certification mishandle when error should be thrown (CVE-2019-11324)
* python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2018-18074
https://access.redhat.com/security/cve/CVE-2018-20060
https://access.redhat.com/security/cve/CVE-2019-11236
https://access.redhat.com/security/cve/CVE-2019-11324
https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux Client (v. 7):
Source: python-pip-9.0.3-7.el7_8.src.rpm
noarch: python3-pip-9.0.3-7.el7_8.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: python-pip-9.0.3-7.el7_8.src.rpm
noarch: python3-pip-9.0.3-7.el7_8.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: python-pip-9.0.3-7.el7_8.src.rpm
noarch: python3-pip-9.0.3-7.el7_8.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: python-pip-9.0.3-7.el7_8.src.rpm
noarch: python3-pip-9.0.3-7.el7_8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Advisory ID: RHSA-2020:2068-01
Product: Red Hat Enterprise Linux
Issue date: 2020-05-12

Topic

An update for python-pip is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Client (v. 7) - noarch

Red Hat Enterprise Linux ComputeNode (v. 7) - noarch

Red Hat Enterprise Linux Server (v. 7) - noarch

Red Hat Enterprise Linux Workstation (v. 7) - noarch

Bugs Fixed

1643829 - CVE-2018-18074 python-requests: Redirect from HTTPS to HTTP does not remove Authorization header

1649153 - CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure

1700824 - CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service

1702473 - CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown
