RHSA-2020:4285: Moderate: rh-python36 security, bug fix, and enhancement update
First published: Mon Oct 19 2020(Updated: )
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.<br>The following packages have been upgraded to a later upstream version: rh-python36-python (3.6.12). (BZ#1873080)<br>Security Fix(es):<br><li> python: XSS vulnerability in the documentation XML-RPC server in server_title field (CVE-2019-16935)</li> <li> python: CRLF injection via the host part of the url passed to urlopen() (CVE-2019-18348)</li> <li> python: infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907)</li> <li> python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py (CVE-2019-20916)</li> <li> python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS (CVE-2020-8492)</li> <li> python: DoS via inefficiency in IPv{4,6}Interface classes (CVE-2020-14422)</li> <li> python: CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.<br>Bug Fix(es):<br><li> rh-python36-python-pip: Contains multiple bundled libraries, and has no bundled() provides (BZ#1774951)</li> <li> Allow rh-python36-python-pip to use system CA certificate Trust (BZ#1826520)</li>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-python36-python | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <9.0.1-5.el7 | 9.0.1-5.el7 |
| redhat/rh-python36-python-virtualenv | <15.1.0-3.el7 | 15.1.0-3.el7 |
| redhat/rh-python36-python | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-debug | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-debuginfo | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-devel | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-libs | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-pip | <9.0.1-5.el7 | 9.0.1-5.el7 |
| redhat/rh-python36-python-test | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tkinter | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tools | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-virtualenv | <15.1.0-3.el7 | 15.1.0-3.el7 |
| redhat/rh-python36-python-debug | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-debuginfo | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-devel | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-libs | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-test | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tkinter | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tools | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-debug | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-debuginfo | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-devel | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-libs | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-test | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tkinter | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python-tools | <3.6.12-1.el7 | 3.6.12-1.el7 |
| redhat/rh-python36-python | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-debug | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-debuginfo | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-devel | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-libs | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-test | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-tkinter | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python-tools | <3.6.12-1.el7.aa | 3.6.12-1.el7.aa |
| redhat/rh-python36-python | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <9.0.1-5.el6 | 9.0.1-5.el6 |
| redhat/rh-python36-python-virtualenv | <15.1.0-3.el6 | 15.1.0-3.el6 |
| redhat/rh-python36-python | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-debug | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-debuginfo | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-devel | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-libs | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-pip | <9.0.1-5.el6 | 9.0.1-5.el6 |
| redhat/rh-python36-python-test | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-tkinter | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-tools | <3.6.12-1.el6 | 3.6.12-1.el6 |
| redhat/rh-python36-python-virtualenv | <15.1.0-3.el6 | 15.1.0-3.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1727276
- https://bugzilla.redhat.com/show_bug.cgi?id=1763229
- https://bugzilla.redhat.com/show_bug.cgi?id=1809065
- https://bugzilla.redhat.com/show_bug.cgi?id=1826520
- https://bugzilla.redhat.com/show_bug.cgi?id=1854926
- https://bugzilla.redhat.com/show_bug.cgi?id=1856481
- https://bugzilla.redhat.com/show_bug.cgi?id=1868135
- https://bugzilla.redhat.com/show_bug.cgi?id=1873080
- https://bugzilla.redhat.com/show_bug.cgi?id=1883014
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/errata/RHSA-2020:4285 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2020:4285?
RHSA-2020:4285 has been classified as a moderate severity vulnerability.
How do I fix RHSA-2020:4285?
To fix RHSA-2020:4285, upgrade to the affected packages as specified in the advisory.
Which packages are affected by RHSA-2020:4285?
RHSA-2020:4285 affects multiple packages including rh-python36-python, rh-python36-python-pip, and rh-python36-python-virtualenv.
What version of Python does RHSA-2020:4285 affect?
RHSA-2020:4285 affects Python 3.6.12 and earlier versions.
Is RHSA-2020:4285 a critical vulnerability?
No, RHSA-2020:4285 is not classified as a critical vulnerability, but it should still be addressed promptly.
- agent/severity
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/remedy
- agent/references
- agent/title
- agent/description
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2020:4285
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat