Security Advisory Details

NS-SA-2023-0099

2023-05-30 09:08:34

Summary

important: python-pip/brotli security update

Severity

important

Topic

An update for python-pip/brotli is now available for NewStart CGSL MAIN 6.06.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

python-pip: pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python".
brotli: Brotli is a general-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd-order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed to deflate but offers denser compression.


Security Fix(es):
python-pip: In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.(CVE-2019-11236)
python-pip: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.(CVE-2019-11324)
python-pip: bugfix
brotli: A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend using the "streaming" API as opposed to the "one-shot" API, and imposing chunk size limits.(CVE-2020-8927)
brotli: bugfix
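The CRLF item above (CVE-2019-11236) is about a request parameter that carries a carriage return and line feed reaching the HTTP request line, where it ends that line and lets the remainder be read as new headers. The following is an added example written for this advisory, not code from pip, urllib3 or NewStart, showing the two defensive options an application has regardless of the library version: fail closed on control characters, or percent-encode untrusted values before they are placed in a target. It also shows that the standard library's `http.client` now refuses such targets on its own (assumption: Python 3.8 or later); the hostile sample input is constructed.

```python
import http.client
import re
from urllib.parse import quote

# Any ASCII control character (CR and LF among them) must never reach a request line:
# a CR/LF pair there terminates the line and lets the rest be parsed as new headers.
_CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def reject_control_chars(target: str) -> str:
    """Fail closed: refuse a request target that carries control characters."""
    if _CTRL_CHARS.search(target):
        raise ValueError("request target contains control characters")
    return target


def encode_untrusted_segment(segment: str) -> str:
    """Percent-encode an untrusted path or query value so CR/LF become %0D%0A."""
    return quote(segment, safe="")


def build_request_line(method: str, target: str) -> str:
    """Assemble one request line; the validator guarantees it stays a single line."""
    return f"{method} {reject_control_chars(target)} HTTP/1.1\r\n"


def stdlib_rejects(target: str) -> bool:
    """Modern http.client (assumption: Python 3.8+) refuses control characters itself.
    putrequest() validates the URL before any socket is opened, so this runs offline."""
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.putrequest("GET", target)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Constructed input: a search term that smuggles a header boundary.
    hostile_value = "pip\r\nX-Injected: 1"
    hostile_target = "/search?q=" + hostile_value
    print("encoded value:", encode_untrusted_segment(hostile_value))
    try:
        build_request_line("GET", hostile_target)
    except ValueError as exc:
        print("rejected:", exc)
    print("stdlib rejects:", stdlib_rejects(hostile_target))
```

Rejecting is the right choice when the value is a path or query that the application itself assembles; encoding is the right choice when the value is user data that legitimately may contain arbitrary characters and must survive the round trip.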


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Note that the build tag is 6.06.02B5.
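After applying the update, the practical check is whether every host actually carries the fixed builds listed under "Update packages" below. The following is an added example, not NewStart's tooling: it parses this advisory's own package record and compares it against `rpm -qa` output using an RPM-style version comparison (the same segment-wise rule rpm uses, including the tilde that sorts before everything). The `rpm -qa` sample is constructed to show a host that only partially applied the update; epoch is ignored, which is fine for these packages since none of them carries one.

```python
import json

# The advisory's own package record (the "Update packages" entry on this page).
ADVISORY_JSON = ('{"fix":[{"product":"CGSL MAIN 6.06","pkgs":[{"binary":['
                 '"platform-python-pip-9.0.3-22.zncgsl6.noarch.rpm",'
                 '"python3-pip-9.0.3-22.zncgsl6.noarch.rpm",'
                 '"python3-pip-wheel-9.0.3-22.zncgsl6.noarch.rpm"],'
                 '"source":"python-pip-9.0.3-22.zncgsl6.src.rpm"},'
                 '{"binary":["brotli-1.0.6-3.zncgsl6.x86_64.rpm"],'
                 '"source":"brotli-1.0.6-3.zncgsl6.src.rpm"}]}]}')

# Constructed sample of `rpm -qa` output: python3-pip is still on release 20.
SAMPLE_RPM_QA = """\
platform-python-pip-9.0.3-22.zncgsl6.noarch
python3-pip-9.0.3-20.zncgsl6.noarch
brotli-1.0.6-3.zncgsl6.x86_64
bash-4.4.20-1.zncgsl6.x86_64
"""


def split_nvra(s):
    """'name-version-release.arch' (optionally with .rpm) -> (name, version, release, arch)."""
    if s.endswith(".rpm"):
        s = s[:-4]
    nvr, arch = s.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """RPM's version/release comparison: 1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Separators other than '~' are skipped entirely.
        while ia < len(a) and not a[ia].isalnum() and a[ia] != "~":
            ia += 1
        while ib < len(b) and not b[ib].isalnum() and b[ib] != "~":
            ib += 1
        # '~' sorts before everything, even the end of the string (1.0 > 1.0~rc1).
        if (ia < len(a) and a[ia] == "~") or (ib < len(b) and b[ib] == "~"):
            if ia >= len(a) or a[ia] != "~":
                return 1
            if ib >= len(b) or b[ib] != "~":
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        # Take one all-digit or all-alpha segment from each side.
        isnum = a[ia].isdigit()
        ja, jb = ia, ib
        if isnum:
            while ja < len(a) and a[ja].isdigit():
                ja += 1
            while jb < len(b) and b[jb].isdigit():
                jb += 1
        else:
            while ja < len(a) and a[ja].isalpha():
                ja += 1
            while jb < len(b) and b[jb].isalpha():
                jb += 1
        seg_a, seg_b = a[ia:ja], b[ib:jb]
        if not seg_b:
            # Type mismatch: a numeric segment is newer than an alphabetic one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        ia, ib = ja, jb
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1


def fixed_versions(advisory_json, product):
    """Map binary package name -> (version, release) that the advisory ships for a product."""
    fixed = {}
    for entry in json.loads(advisory_json)["fix"]:
        if entry["product"] != product:
            continue
        for pkg in entry["pkgs"]:
            for binary in pkg["binary"]:
                name, version, release, _ = split_nvra(binary)
                fixed[name] = (version, release)
    return fixed


def audit(rpm_qa_output, fixed):
    """Classify each advisory package on a host as fixed, vulnerable or not installed."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, version, release, _ = split_nvra(line.strip())
            installed[name] = (version, release)
    status = {}
    for name, (fver, frel) in fixed.items():
        if name not in installed:
            status[name] = "not installed"
            continue
        iver, irel = installed[name]
        cmp = rpmvercmp(iver, fver) or rpmvercmp(irel, frel)
        status[name] = "fixed" if cmp >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    fixed = fixed_versions(ADVISORY_JSON, "CGSL MAIN 6.06")
    for name, state in sorted(audit(SAMPLE_RPM_QA, fixed).items()):
        print(f"{name:24s} {state}")
```

On a real host, replace `SAMPLE_RPM_QA` with the output of `rpm -qa` and keep the product string equal to the one in the advisory; a package reported as "not installed" needs no action, while "vulnerable" means the host still has a pre-fix release.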

Affected components

  • python-pip
  • brotli

Affected products

  • CGSL MAIN 6.06

Update packages

CGSL MAIN 6.06
  • python-pip-9.0.3-22.zncgsl6.src.rpm
    • platform-python-pip-9.0.3-22.zncgsl6.noarch.rpm
    • python3-pip-9.0.3-22.zncgsl6.noarch.rpm
    • python3-pip-wheel-9.0.3-22.zncgsl6.noarch.rpm
  • brotli-1.0.6-3.zncgsl6.src.rpm
    • brotli-1.0.6-3.zncgsl6.x86_64.rpm

CVE

References

© 2004-2023 Guangdong ZTE NewStart Technology Co., Ltd. All rights reserved (www.gd-linux.com) 粤ICP备15061780号-2

National service hotline: 400-033-0108