Security Advisory Details

NS-SA-2019-0061

2019-07-17 14:58:09

Summary

important: python/openwsman security update

Severity

important

Topic

An update for python/openwsman is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

python: The Tkinter (Tk interface) program is a graphical user interface for the Python scripting language. You should install the tkinter package if you'd like to use a graphical user interface for Python programming.
openwsman: Development files for openwsman


Security Fix(es):
python: A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service. (CVE-2018-1060)
python: A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service. (CVE-2018-1061)
python: It was discovered that python's functions urllib.parse.urlsplit and urllib.parse.urlparse do not properly handle URLs encoded with Punycode/Internationalizing Domain Names in Applications (IDNA), which may result in a wrong domain name (specifically the netloc component of the URL - user@domain:port) being returned by those functions. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than the one it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-9636)
python: bugfix
openwsman: Openwsman, versions up to and including 2.6.9, is vulnerable to arbitrary file disclosure because the working directory of the openwsmand daemon was set to the root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the openwsman server. (CVE-2019-3816)
openwsman: bugfix
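The CVE-2019-9636 entry above describes a parser whose notion of the host can disagree with the application's. The following is an added example (not code from the advisory, from NewStart, or from CPython) of how an application that forwards cookies or credentials to the host of a user-supplied URL can verify that host independently of the interpreter's urlsplit() behaviour: it demands an ASCII URL (internationalized hosts must already be in Punycode form), refuses embedded userinfo, checks the hostname against an allowlist, and offers a separate consistency check that flags URLs whose netloc changes under NFKC normalization. ALLOWED_HOSTS and the sample URLs are constructed for the example.

```python
"""Defensive host validation around urllib.parse (added example for CVE-2019-9636).

Regardless of whether the interpreter carries the fix from this advisory, an
application should not trust urlsplit() alone to decide where cookies or
authentication data are sent. The checks below fail closed.
"""
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this application may send data to.
ALLOWED_HOSTS = {"api.example.com", "www.example.com"}


def validate_host(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the hostname of `url` if it passes every check, else raise ValueError."""
    # 1. Require a pure-ASCII URL. Internationalized domain names must arrive
    #    already IDNA/Punycode-encoded (xn--...), so no Unicode character can
    #    later normalize into a delimiter such as '/', '?', '#', '@' or ':'.
    if not url.isascii():
        raise ValueError("non-ASCII URL rejected")
    parts = urlsplit(url)
    # 2. Refuse URLs that smuggle credentials in the netloc (user:pw@host).
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in netloc rejected")
    # 3. The parsed hostname must be one we explicitly trust.
    host = parts.hostname
    if not host or host not in allowed_hosts:
        raise ValueError("host not in allowlist: %r" % host)
    return host


def is_trusted_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_host()."""
    try:
        validate_host(url)
        return True
    except ValueError:
        return False


def netloc_is_normalization_stable(url: str) -> bool:
    """True if parsing `url` and parsing its NFKC-normalized form agree on the netloc.

    A disagreement (or a ValueError from a patched urlsplit) means the parse
    result depends on Unicode compatibility characters and the host must not
    be trusted. This is a detection check, not a substitute for the update.
    """
    try:
        before = urlsplit(url).netloc
        after = urlsplit(unicodedata.normalize("NFKC", url)).netloc
    except ValueError:
        return False
    return before == after


if __name__ == "__main__":
    for sample in ("https://api.example.com:8443/v1",      # constructed, allowed
                   "https://evil.example.net/",            # constructed, not allowed
                   "https://user:pw@api.example.com/"):    # constructed, userinfo
        print(sample, "->", "trusted" if is_trusted_url(sample) else "rejected")
```

The point of the allowlist is that the decision of where secrets go is made by the application's own policy, so a parser that is later found to disagree with the browser, the HTTP library or a normalization rule cannot redirect that data on its own.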


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F12.

Affected Components

  • python
  • openwsman

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04

  Source: python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.src.rpm
  • python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-debug-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-debuginfo-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-devel-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-libs-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-test-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • python-tools-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm
  • tkinter-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm

  Source: openwsman-2.6.3-6.git4391e5c.el7_6.src.rpm
  • libwsman-devel-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • libwsman1-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-client-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-debuginfo-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-perl-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-python-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-ruby-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-server-2.6.3-6.git4391e5c.el7_6.x86_64.rpm

CGSL CORE 5.04

  Source: python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.src.rpm
  • tkinter-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-libs-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-debug-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-debuginfo-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-test-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-devel-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm
  • python-tools-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.lite.x86_64.rpm

  Source: openwsman-2.6.3-6.git4391e5c.el7_6.src.rpm
  • libwsman-devel-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • libwsman1-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-debuginfo-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-perl-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-python-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-ruby-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-server-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
  • openwsman-client-2.6.3-6.git4391e5c.el7_6.x86_64.rpm
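A practitioner applying this advisory usually wants to confirm which hosts still carry older builds than the packages listed above. The following is an added example (not tooling from NewStart or from the advisory) that parses the advisory's fix list, splits each RPM file name into name, version, release and architecture, and compares it against a host inventory using a simplified reimplementation of RPM's version comparison. FIX_LIST is an excerpt of this advisory's own "fix" JSON (CGSL MAIN 5.04, four packages); INSTALLED is a constructed sample of the lines `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` prints; rpmvercmp() omits RPM's '~' and '^' handling.

```python
r"""Report installed RPMs older than the fixed builds in an advisory.

Added example, not code from the advisory. FIX_LIST is an excerpt of the
advisory's "fix" JSON; INSTALLED is a constructed sample inventory in the
format of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
"""
import json
import re

FIX_LIST = json.loads("""{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[
 {"binary":["python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm",
            "python-libs-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.x86_64.rpm"],
  "source":"python-2.7.5-77.el7_6.cgslv5.0.1.g1e06d47.src.rpm"},
 {"binary":["openwsman-client-2.6.3-6.git4391e5c.el7_6.x86_64.rpm",
            "openwsman-server-2.6.3-6.git4391e5c.el7_6.x86_64.rpm"],
  "source":"openwsman-2.6.3-6.git4391e5c.el7_6.src.rpm"}]}]}""")

INSTALLED = [  # constructed sample host inventory
    "python-libs-2.7.5-76.el7.x86_64",
    "python-2.7.5-76.el7.x86_64",
    "openwsman-server-2.6.3-6.git4391e5c.el7_6.x86_64",
    "bash-4.2.46-34.el7.x86_64",
]


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Simplified RPM label comparison: -1 if a < b, 0 if equal, 1 if a > b.

    Labels are split into alternating numeric and alphabetic segments;
    separators are ignored, numeric segments compare as integers and beat
    alphabetic ones, and when all shared segments tie the longer label wins.
    RPM's '~' (pre-release) and '^' rules are intentionally not implemented.
    """
    if a == b:
        return 0
    sa, sb = re.findall(r"[0-9]+|[A-Za-z]+", a), re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def evr_cmp(v1: str, r1: str, v2: str, r2: str) -> int:
    """Compare version first, then release (epoch is not carried in the file names)."""
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def unpatched(installed, fix_list, product):
    """Return [(name, installed_vr, fixed_vr)] for packages older than the fix."""
    fixed = {}
    for entry in fix_list["fix"]:
        if entry["product"] != product:
            continue
        for pkg in entry["pkgs"]:
            for rpm in pkg["binary"]:
                n, v, r, a = parse_nvra(rpm)
                fixed[(n, a)] = (v, r)
    result = []
    for rpm in installed:
        n, v, r, a = parse_nvra(rpm)
        want = fixed.get((n, a))
        if want and evr_cmp(v, r, *want) < 0:
            result.append((n, f"{v}-{r}", f"{want[0]}-{want[1]}"))
    return result


if __name__ == "__main__":
    for name, have, need in unpatched(INSTALLED, FIX_LIST, "CGSL MAIN 5.04"):
        print(f"{name}: installed {have}, advisory fixes {need}")
```

Matching on (name, arch) rather than on the full file name matters because the fixed release string carries the vendor's build suffix (cgslv5.0.1.g1e06d47); a plain string comparison would flag every host as unpatched. On a real host, replace INSTALLED with the output of the rpm query quoted in the docstring.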

CVE

  • CVE-2018-1060
  • CVE-2018-1061
  • CVE-2019-9636
  • CVE-2019-3816

References