You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa python36-python-jinja2

Sigurnosni nedostatak programskog paketa python36-python-jinja2

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-python36-python-jinja2 security update
Advisory ID: RHSA-2019:1329-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1329
Issue date: 2019-06-04
CVE Names: CVE-2019-10906
=====================================================================

1. Summary:

An update for rh-python36-python-jinja2 is now available for Red Hat
Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) – noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) – noarch

3. Description:

The python-jinja2 package contains Jinja2, a template engine written in
pure Python. Jinja2 provides a Django inspired non-XML syntax but supports
inline expressions and an optional sandboxed environment.

Security Fix(es):

* python-jinja2: str.format_map allows sandbox escape (CVE-2019-10906)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all applications using Jinja2 must be
restarted.

5. Bugs fixed (https://bugzilla.redhat.com/):

1698839 – CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-python36-python-jinja2-2.9.6-3.el6.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-python36-python-jinja2-2.9.6-3.el6.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-python36-python-jinja2-2.9.6-3.el7.src.rpm

noarch:
rh-python36-python-jinja2-2.9.6-3.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10906
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXPaLsNzjgjWX9erEAQhJRg//VG5dZkDDiRTSNWyIZmsDOBfqSBWg2ZNO
9YVQ1ia3fMYzDMn+W19pKr7vg7uLSd4+Wt2pQwU/OhzXwl7E+Xd5nXgHJZmCzUV8
pNgDZZT+hyCdXOV++UwYMmOttGNn3LKgJMi0cyoO8xNHXf2HmXTPxYbAkSPFNdFQ
YGxd1+li7TF6xgyeZLIbf5i5CtfNb2Z94WtpJlMoU8MX5ZM+E2HSzDOT43/W1tlD
6vco4dvVP8gCdGHn4/UdchTz2l8IAVmzUYO812d3jBIqgV3ET+w9sfPiKO6Z1xG0
yZOZgo6eeBga3XfLYiU+Ka31E5ZWV/8bsBaHeHErleikvRu1UAIMM4yRKCMU9DKz
z10piAowlGy36DTLG9ca9Syy08pavFga9RoOKrqhXVDOSRUHzXPoyE2+ci6LJF6D
ubNfcU/Lqc1bRKEIdUyGfspBxOSup3DmZw2plYjYUygwN95ZVnA0e8u9YUIVS9RA
NbDmZHAn/SKrHJ4n+XQCkR4w6uz6VGElMCqecnHydXibQJToRwvKkqdCHINTm0tI
2D89VJ3rtGYTvp7yn1Q+2KHlnF3xKjwb0M4m6hEh7yF2rhNm7KsXWZwtfRk1QYGf
tGjtV3OnCRHKr0et1MHb1AAavNjAocw/AvAzH8+YeAhAwKMy7nqGjQDrrv0Gjj3L
N7NF4qqF1rs=
=h0uG
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

AutorToni Vugdelija
Cert idNCERT-REF-2019-06-0001-ADV
CveCERT-CVE-DUMMY
ID izvornikaCERT-ORIGID-DUMMY
ProizvodCERT-DUMMY-PRODUCT
IzvorAdobe
Top
More in Preporuke
Sigurnosni nedostatak jezgre operacijskog sustava

Otkriven je sigurnosni nedostatak jezgre operacijskog sustava RHEL. Otkriveni nedostatak potencijalnim napadačima omogućuje izazivanje DoS stanja. Savjetuje se ažuriranje izdanim...

Close