-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1309
                         python2.7 security update
                               19 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python2.7
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23336 CVE-2019-16935

Reference:         ESB-2021.1122
                   ESB-2021.1014
                   ESB-2021.0864

Original Bulletin:
   https://www.debian.org/lts/security/2021/dla-2628

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2628-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 17, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u5
CVE ID         : CVE-2019-16935 CVE-2021-23336

Two security issues have been discovered in python2.7:

CVE-2019-16935

    The documentation XML-RPC server in Python 2.7 has XSS via the
    server_title field. This occurs in Lib/DocXMLRPCServer.py in
    Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If
    set_server_title is called with untrusted input, arbitrary
    JavaScript can be delivered to clients that visit the http URL for
    this server.

CVE-2021-23336

    Python 2.7 is vulnerable to Web Cache Poisoning via
    urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector
    called parameter cloaking.
    When the attacker can separate query parameters using a semicolon
    (;), they can cause a difference in the interpretation of the
    request between the proxy (running with default configuration) and
    the server. This can result in malicious requests being cached as
    completely safe ones, as the proxy would usually not see the
    semicolon as a separator, and therefore would not include it in a
    cache key of an unkeyed parameter.

    **Attention, API-change!**

    Please be sure your software is working properly if it uses
    `urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse`
    or `cgi.parse_multipart`.

    Earlier Python versions allowed using both ``;`` and ``&`` as query
    parameter separators in `urllib.parse.parse_qs` and
    `urllib.parse.parse_qsl`. Due to security concerns, and to conform
    with newer W3C recommendations, this has been changed to allow only
    a single separator key, with ``&`` as the default. This change also
    affects `cgi.parse` and `cgi.parse_multipart` as they use the
    affected functions internally. For more details, please see their
    respective documentation.

For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u5.

We recommend that you upgrade your python2.7 packages.
For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmB7N4EACgkQ0+Fzg8+n
/wb/qxAAj6FN++ub8ZbGfOH4my+nWTGASrjSPjUk4+XSA1JsKxTgXUfqEeYW1+ms
N7JvsaO4tgS946tVvlxDEokjso3BH7ljJQHpNKhbqsDmIUHvK3Fm2Xrg1J750gGl
dsJjkUx85Yq/+B8JyidJMrsj//AZVsd76B9J5cSw47gyowLa++fAT4Lbk1rTCajO
FL80pGEA2Mmw4c/HA9qgLvNtMsQWlgQCIObK20d0mQSzvCA5X13SM5U4bhbsoAqW
AM3mEWOyFs53MssKBych940sqA2YZKUkS7voL2BzjXANSTAFI2rPiQn3kPaoNtl6
7v9JMDYuhZypj2VdNOWS0NkZGUtBI9RcsLAIUdrrzLIDEQ0tvgOBWHakvS0W/K7H
IZOUoBoyRSU573dhGC4WaQMgaaYmk/E+sWngy6Qu6G4FmSZOX/ANeX1NkU8JGBJ7
Ej9FUn9/4nOkYSwspznueXuFsSFEtmBQD9hZ9xV+L8xxyASlT/5dORsIYYkz2xX3
E6yJ5foLuk0xqCXH5tBlHoS/9Wy2ccoOEltYZCXFvvA6vL7izrmXWxOniOPsQ6b8
cOnQBHHXu0ervBD017MgXPfpmjXlc8STlF+oz35TYEZ6K8Q0caCYK7vKHUCVgSev
YcAZoIrwEV43nWsSWjK03NnZfLfLCleoTtsyB7rwvokXEZrTErs=
=OkPp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYHzn2uNLKJtyKPYoAQjREg//f3mSLHumqwdsmYhDZKJDdfrj5LaXiBUs
Jf37lftSDwwkIyNeLjdWDzy4YWo/HmGJiQaKP2PFMGQlSlnZ28bBdLmPrD5cBOrh
jnqnuYQ9nBFdSlZiX8TMO1gDrqYsGutGKGFUzMrKUCy3CvcNtPf3xJQf3xM0zj8L
dymFMUNSx4SjuvcFsRHGp81HKyZ9/gsxt7c8ZQTa2wH0VGBad4adoVRvCKaqjkie
IzqRvuR6GdWVtTsJCq6FYlHYbTBdsub427vQE0PTCQyEeMxUcCb0mvAW0tOfZik5
Csup2ktONPilwHEDij8TKXE98UeyfUmi2qoFx+9Xls1RPTtJmSmedlhL7g6h5qAe
WHr5amvrIyLNlaE1PzGljPWGSt6BDE7TIwtrNryxhwFk3g2YWma4lUOrJwm/ic5z
ijrgLyh7XR1g8jDUiWIlfqmR0myv7DXClKelKfEquo0hQg3bYHoLPiOZ/lQxEodc
hbGxDalMeaRS5otf2kZK4WlMgp88nUjysf5rKHLbdfYfUHFZwN1tadxfPwF3ioBg
RKKyNDTmm4uI+0DA9xqxSuBaFdrCL+6nawJbaEW/WSg7oODKQJLyPcrIqFXkpNB8
f4wHe0n9FyIjtyVTvCWlUtpEDVx8fYDKs54QrUdqrUed0MUKVXJfVLkANavSt2CZ
Pc4P5jiotsA=
=jEJh
-----END PGP SIGNATURE-----
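The CVE-2021-23336 description in the advisory above turns on one detail: a front-end cache that splits query strings only on `&` and a Python 2.7 back end that also splits on `;` disagree about which parameters a request contains, so the cache key may omit a parameter the server acts on. The following added example (not code from the Debian advisory, AusCERT, or CPython) makes that disagreement concrete. The `parse_query` helper is a simplified stand-in for `parse_qs` whose separator set is configurable, `UNKEYED`, `cache_key` and the sample query string are constructed for this example, and `stdlib_accepts_semicolon` reports whether the interpreter running it still shows the pre-fix behaviour.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameter names the constructed front-end cache leaves out of its cache key
# (typical for tracking parameters). Constructed for this example.
UNKEYED = {"utm_source", "utm_medium", "utm_campaign"}


def parse_query(qs, separators="&"):
    """Simplified parse_qs-style parser with a configurable set of separator
    characters. separators="&" mirrors the patched behaviour (a single
    separator); separators="&;" mirrors the legacy behaviour that also
    accepted ';'. Pairs without '=' are dropped, as parse_qs does by default."""
    result = {}
    for pair in re.split("[" + re.escape(separators) + "]", qs):
        if "=" not in pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def cache_key(qs, separators="&"):
    """Cache key the constructed proxy derives from a query string: every
    keyed parameter with its values, in a canonical order."""
    params = parse_query(qs, separators)
    return tuple(sorted((name, tuple(values))
                        for name, values in params.items()
                        if name not in UNKEYED))


def cloaked_parameters(qs):
    """Parameter names a legacy ('&' and ';') server would see that a proxy
    splitting only on '&' does not. A non-empty result means the two
    components disagree about the request, the condition the advisory
    describes; a front end can reject or normalise such requests."""
    proxy_view = set(parse_query(qs, "&"))
    legacy_view = set(parse_query(qs, "&;"))
    return sorted(legacy_view - proxy_view)


def stdlib_accepts_semicolon():
    """True if the interpreter running this still splits on ';' (unpatched)."""
    return "b" in parse_qs("a=1;b=2")


# Constructed request: the ';' hides a second parameter inside the value of
# an unkeyed one, so the proxy's cache key does not reflect it.
SAMPLE_QS = "page=home&utm_source=newsletter;theme=dark"

if __name__ == "__main__":
    print("proxy view  :", parse_query(SAMPLE_QS, "&"))
    print("legacy view :", parse_query(SAMPLE_QS, "&;"))
    print("cache key   :", cache_key(SAMPLE_QS))
    print("cloaked     :", cloaked_parameters(SAMPLE_QS))
    print("stdlib splits on ';':", stdlib_accepts_semicolon())
```

Run it on a patched interpreter and the proxy view and `parse_qs` agree (`theme` stays inside the `utm_source` value, and the cache key is just `page=home`); on an unpatched Python 2.7-era parser the legacy view applies and `theme=dark` reaches the application without ever being part of the cache key. The same `cloaked_parameters` check is the one to run on inbound query strings when an application behind a cache cannot yet be upgraded.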
The post ESB-2021.1309 – [Debian] python2.7: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2021/04/19/esb-2021-1309-debian-python2-7-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1309-debian-python2-7-multiple-vulnerabilities