RHEL 8:python27:2.7 (RHSA-2019:3335)

critical Nessus Plugin ID 130527

Synopsis

遠端 Red Hat 主機缺少一個或多個安全性更新。

描述

現已提供適用於 Red Hat Enterprise Linux 8 的 python27:2.7 模組更新。Red Hat 產品安全性團隊已將此更新評等為具有中等安全性影響。可從〈參照〉一節的 CVE 連結中取得每個弱點之常見弱點評分系統 (CVSS) 的基本分數,其中包含有關嚴重性評等的詳細資訊。Python 是經過解譯的互動式物件導向程式設計語言,支援模組、類別、例外狀況、高階的動態資料類型,以及動態輸入。安全性修正:* numpy:在 pickle python 模組的 numpy.load() 中傳遞的特製序列化物件允許任意程式碼執行 (CVE-2019-6446) * python:透過傳遞至 urlopen() 的 url 查詢部分插入 CRLF (CVE-2019-9740) * python:透過傳遞至 urlopen() 的 url 路徑部分插入 CRLF (CVE-2019-9947) * python:未記載的 local_file 通訊協定可讓遠端攻擊者繞過保護機制 (CVE-2019-9948) * python-urllib3:因為未編碼「\r\n」序列造成 CRLF 插入,進而導致可能的內部服務攻擊 (CVE-2019-11236) * python-urllib3:應擲回錯誤時發生憑證不當處理 (CVE-2019-11324) 如需安全性問題的詳細資料,包括影響、CVSS 分數、致謝及其他相關資訊,請參閱〈參照〉一節列出的 CVE 頁面。其他變更:如需有關此發行版本的詳細變更資訊,請參閱可從〈參照〉一節連結的 Red Hat Enterprise Linux 8.1 版本資訊。

解決方案

更新受影響的套件。

另請參閱

http://www.nessus.org/u?774148ae

https://access.redhat.com/errata/RHSA-2019:3335

https://access.redhat.com/security/cve/cve-2019-6446

https://access.redhat.com/security/cve/cve-2019-9740

https://access.redhat.com/security/cve/cve-2019-9947

https://access.redhat.com/security/cve/cve-2019-9948

https://access.redhat.com/security/cve/cve-2019-11236

https://access.redhat.com/security/cve/cve-2019-11324

Plugin 詳細資訊

嚴重性: Critical

ID: 130527

檔案名稱: redhat-RHSA-2019-3335.nasl

版本: 1.4

類型: local

代理程式: unix

已發布: 2019/11/6

已更新: 2021/3/24

支持的傳感器: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent

風險資訊

CVSS 評分資料來源: CVE-2019-6446

VPR

風險因素: Medium

分數: 5.9

CVSS v2

風險因素: High

基本分數: 7.5

時間分數: 5.5

媒介: AV:N/AC:L/Au:N/C:P/I:P/A:P

時間媒介: E:U/RL:OF/RC:C

CVSS v3

風險因素: Critical

基本分數: 9.8

時間分數: 8.5

媒介: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

時間媒介: E:U/RL:O/RC:C

弱點資訊

CPE: p-cpe:/a:redhat:enterprise_linux:Cython-debugsource, p-cpe:/a:redhat:enterprise_linux:PyYAML-debugsource, p-cpe:/a:redhat:enterprise_linux:babel, p-cpe:/a:redhat:enterprise_linux:numpy-debugsource, p-cpe:/a:redhat:enterprise_linux:python-coverage-debugsource, p-cpe:/a:redhat:enterprise_linux:python-lxml-debugsource, p-cpe:/a:redhat:enterprise_linux:python-nose-docs, p-cpe:/a:redhat:enterprise_linux:python-psycopg2-debugsource, p-cpe:/a:redhat:enterprise_linux:python-psycopg2-doc, p-cpe:/a:redhat:enterprise_linux:python-pymongo-debugsource, p-cpe:/a:redhat:enterprise_linux:python-sqlalchemy-doc, p-cpe:/a:redhat:enterprise_linux:python2, p-cpe:/a:redhat:enterprise_linux:python2-Cython, p-cpe:/a:redhat:enterprise_linux:python2-PyMySQL, p-cpe:/a:redhat:enterprise_linux:python2-attrs, p-cpe:/a:redhat:enterprise_linux:python2-babel, p-cpe:/a:redhat:enterprise_linux:python2-backports, p-cpe:/a:redhat:enterprise_linux:python2-backports-ssl_match_hostname, p-cpe:/a:redhat:enterprise_linux:python2-bson, p-cpe:/a:redhat:enterprise_linux:python2-chardet, p-cpe:/a:redhat:enterprise_linux:python2-coverage, p-cpe:/a:redhat:enterprise_linux:python2-debug, p-cpe:/a:redhat:enterprise_linux:python2-debugsource, p-cpe:/a:redhat:enterprise_linux:python2-devel, p-cpe:/a:redhat:enterprise_linux:python2-dns, p-cpe:/a:redhat:enterprise_linux:python2-docs, p-cpe:/a:redhat:enterprise_linux:python2-docs-info, p-cpe:/a:redhat:enterprise_linux:python2-docutils, p-cpe:/a:redhat:enterprise_linux:python2-funcsigs, p-cpe:/a:redhat:enterprise_linux:python2-idna, p-cpe:/a:redhat:enterprise_linux:python2-ipaddress, p-cpe:/a:redhat:enterprise_linux:python2-jinja2, p-cpe:/a:redhat:enterprise_linux:python2-libs, p-cpe:/a:redhat:enterprise_linux:python2-lxml, p-cpe:/a:redhat:enterprise_linux:python2-markupsafe, p-cpe:/a:redhat:enterprise_linux:python2-mock, p-cpe:/a:redhat:enterprise_linux:python2-nose, p-cpe:/a:redhat:enterprise_linux:python2-numpy, p-cpe:/a:redhat:enterprise_linux:python2-numpy-doc, p-cpe:/a:redhat:enterprise_linux:python2-numpy-f2py, p-cpe:/a:redhat:enterprise_linux:python2-pip, p-cpe:/a:redhat:enterprise_linux:python2-pip-wheel, p-cpe:/a:redhat:enterprise_linux:python2-pluggy, p-cpe:/a:redhat:enterprise_linux:python2-psycopg2, p-cpe:/a:redhat:enterprise_linux:python2-psycopg2-debug, p-cpe:/a:redhat:enterprise_linux:python2-psycopg2-tests, p-cpe:/a:redhat:enterprise_linux:python2-py, p-cpe:/a:redhat:enterprise_linux:python2-pygments, p-cpe:/a:redhat:enterprise_linux:python2-pymongo, p-cpe:/a:redhat:enterprise_linux:python2-pymongo-gridfs, p-cpe:/a:redhat:enterprise_linux:python2-pysocks, p-cpe:/a:redhat:enterprise_linux:python2-pytest, p-cpe:/a:redhat:enterprise_linux:python2-pytest-mock, p-cpe:/a:redhat:enterprise_linux:python2-pytz, p-cpe:/a:redhat:enterprise_linux:python2-pyyaml, p-cpe:/a:redhat:enterprise_linux:python2-requests, p-cpe:/a:redhat:enterprise_linux:python2-rpm-macros, p-cpe:/a:redhat:enterprise_linux:python2-scipy, p-cpe:/a:redhat:enterprise_linux:python2-setuptools, p-cpe:/a:redhat:enterprise_linux:python2-setuptools-wheel, p-cpe:/a:redhat:enterprise_linux:python2-setuptools_scm, p-cpe:/a:redhat:enterprise_linux:python2-six, p-cpe:/a:redhat:enterprise_linux:python2-sqlalchemy, p-cpe:/a:redhat:enterprise_linux:python2-test, p-cpe:/a:redhat:enterprise_linux:python2-tkinter, p-cpe:/a:redhat:enterprise_linux:python2-tools, p-cpe:/a:redhat:enterprise_linux:python2-urllib3, p-cpe:/a:redhat:enterprise_linux:python2-virtualenv, p-cpe:/a:redhat:enterprise_linux:python2-wheel, p-cpe:/a:redhat:enterprise_linux:python2-wheel-wheel, p-cpe:/a:redhat:enterprise_linux:scipy-debugsource, cpe:/o:redhat:enterprise_linux:8

必要的 KB 項目: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

可輕鬆利用: No known exploits are available

修補程式發佈日期: 2019/11/5

弱點發布日期: 2019/1/16

參考資訊

CVE: CVE-2019-11236, CVE-2019-11324, CVE-2019-6446, CVE-2019-9740, CVE-2019-9947, CVE-2019-9948

RHSA: 2019:3335