Security Advisory Details

NS-SA-2019-0246

2019-12-27 14:15:32

Summary

moderate: python-urllib3/libxkbcommon security update

Severity

moderate

Topic

An update for python-urllib3/libxkbcommon is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

python-urllib3: Python HTTP module with connection pooling and file POST abilities.
libxkbcommon: libxkbcommon is the X.Org library for compiling XKB maps into formats usable by the X Server or other display servers.


Security Fix(es):
python-urllib3: In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. (CVE-2019-11236)
python-urllib3: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)
python-urllib3: bugfix
libxkbcommon: Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers. (CVE-2018-15862)
libxkbcommon: Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. (CVE-2018-15863)
libxkbcommon: Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created. (CVE-2018-15864)
libxkbcommon: An uncontrolled recursion flaw was found in libxkbcommon in the way it parses boolean expressions. A specially crafted file provided to xkbcomp could crash the application. (CVE-2018-15853)
libxkbcommon: Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled. (CVE-2018-15859)
libxkbcommon: Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. (CVE-2018-15861)
libxkbcommon: An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file. (CVE-2018-15857)
libxkbcommon: An infinite loop when reaching EOL unexpectedly in compose/parser.c (aka the keymap parser) in xkbcommon before 0.8.1 could be used by local attackers to cause a denial of service during parsing of crafted keymap files. (CVE-2018-15856)
libxkbcommon: Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled. (CVE-2018-15855)
libxkbcommon: Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly. (CVE-2018-15854)
libxkbcommon: bugfix
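The two urllib3 issues above both come down to policy an HTTP client must enforce before sending a request. The following is an added example (not code from the advisory or from urllib3) that implements the fixed behaviours as stand-alone checks: dropping the Authorization header when a redirect leaves the original origin (CVE-2018-20060), and refusing request targets that carry CR or LF characters (CVE-2019-11236). The function names and the origin comparison rule are the example's own assumptions.

```python
"""Defender-side checks mirroring the urllib3 fixes described in this advisory.

Added example, not from the advisory or urllib3 itself; names are assumptions.
"""
from urllib.parse import urlsplit

# Default ports so that "https://host" and "https://host:443" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(original_url, redirect_url, headers):
    """Headers to send when following a redirect.

    Any Authorization header is removed if the redirect target differs from the
    original request in scheme, host, or port (a cross-origin redirect), so that
    credentials are never forwarded to an unintended host or downgraded to http.
    """
    forwarded = dict(headers)
    if origin(original_url) != origin(redirect_url):
        for name in list(forwarded):
            if name.lower() == "authorization":
                del forwarded[name]
    return forwarded


def contains_crlf(value):
    """True if a request parameter (method, path, header value) carries CR or LF.

    Such values must be rejected before they are written into the request line
    or header block, otherwise they terminate the line early and inject headers.
    """
    return "\r" in value or "\n" in value


def validate_request_target(target):
    """Return the target unchanged, or raise ValueError if it could inject CRLF."""
    if contains_crlf(target):
        raise ValueError("request target contains CR/LF characters")
    return target
```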


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F7.

Affected Components

  • python-urllib3
  • libxkbcommon

Affected Products

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

Update Packages

CGSL MAIN 5.05
  • Source: python-urllib3-1.10.2-7.el7.src.rpm
    Binary: python-urllib3-1.10.2-7.el7.noarch.rpm
  • Source: libxkbcommon-0.7.1-3.el7.src.rpm
    Binaries: libxkbcommon-0.7.1-3.el7.x86_64.rpm, libxkbcommon-debuginfo-0.7.1-3.el7.x86_64.rpm, libxkbcommon-devel-0.7.1-3.el7.x86_64.rpm, libxkbcommon-x11-0.7.1-3.el7.x86_64.rpm, libxkbcommon-x11-devel-0.7.1-3.el7.x86_64.rpm

CGSL CORE 5.05
  • Source: python-urllib3-1.10.2-7.el7.src.rpm
    Binary: python-urllib3-1.10.2-7.el7.noarch.rpm
  • Source: libxkbcommon-0.7.1-3.el7.src.rpm
    Binaries: libxkbcommon-0.7.1-3.el7.x86_64.rpm, libxkbcommon-debuginfo-0.7.1-3.el7.x86_64.rpm, libxkbcommon-devel-0.7.1-3.el7.x86_64.rpm, libxkbcommon-x11-0.7.1-3.el7.x86_64.rpm, libxkbcommon-x11-devel-0.7.1-3.el7.x86_64.rpm

CVE

References