NS-SA-2025-0073

简介

important: python-urllib3/tuned security update

严重级别

important

主题

An update for python-urllib3/tuned is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

python-urllib3:
tuned:


Security Fix(es):
python-urllib3: A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the `Proxy-Authorization` HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.(CVE-2024-37891)
python-urllib3: bugfix
tuned: A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.(CVE-2024-52336)
tuned: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.02B7.

影响组件

• python-urllib3
• tuned

影响产品

• CGSL MAIN 7.02

更新包

CVE

• CVE-2024-37891
• CVE-2024-52336

参考

• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37891
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-52336