Description
ELSA-2019-3520: python3 security and bug fix update (MODERATE)
[3.6.8-15.1.0.1]
- Add Oracle Linux distribution in platform.py [Orabug: 20812544]
[3.6.8-15.1]
- Patch 329 (FIPS) modified: Added workaround for mod_ssl: Skip error checking in _Py_hashlib_fips_error Resolves: rhbz#1760106
[3.6.8-15]
- Patch 329 that adds support for OpenSSL FIPS mode has been improved and bugfixed Resolves: rhbz#1744670 rhbz#1745499 rhbz#1745685
[3.6.8-14]
- Adding a new patch 329 that adds support for OpenSSL FIPS mode
- Explicitly listing man pages in files section to fix an RPM warning Resolves: rhbz#1731424
[3.6.8-13]
- Do not set PHA verify flag on client side (rhbz#1725721)
- Enable TLS 1.3 post-handshake authentication in http.client (rhbz#1671353)
[3.6.8-12]
- Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch
- Require platform-python-setuptools from platform-python-devel to prevent packaging errors Resolves: rhbz#1701286
[3.6.8-11]
- Fix for CVE-2019-10160 Resolves: rhbz#1689318
[3.6.8-10]
- Security fix for CVE-2019-9948 Resolves: rhbz#1714643
[3.6.8-9]
- Reduced default build flags used to build extension modules https://fedoraproject.org/wiki/Changes/Python_Extension_Flags Resolves: rhbz#1634784
[3.6.8-8]
- gzip the unversioned-python man page Resolves: rhbz#1665514
[3.6.8-7]
- Disallow control chars in http URLs
- Fixes CVE-2019-9740 and CVE-2019-9947 Resolves: rhbz#1704365 and rhbz#1703531
[3.6.8-6]
- Updated fix for CVE-2019-9636 (rhbz#1689318)
[3.6.8-5]
- Security fix for CVE-2019-9636 (rhbz#1689318)
Updated packages
Oracle Linux 8
Oracle Linux aarch64
- platform-python 3.6.8-15.1.0.1.el8
- platform-python-debug 3.6.8-15.1.0.1.el8
- platform-python-devel 3.6.8-15.1.0.1.el8
- python3-idle 3.6.8-15.1.0.1.el8
- python3-libs 3.6.8-15.1.0.1.el8
- python3-test 3.6.8-15.1.0.1.el8
- python3-tkinter 3.6.8-15.1.0.1.el8
Oracle Linux x86_64
- platform-python 3.6.8-15.1.0.1.el8
- platform-python-debug 3.6.8-15.1.0.1.el8
- platform-python-devel 3.6.8-15.1.0.1.el8
- python3-idle 3.6.8-15.1.0.1.el8
- python3-libs 3.6.8-15.1.0.1.el8
- python3-test 3.6.8-15.1.0.1.el8
- python3-tkinter 3.6.8-15.1.0.1.el8
Related CVEs
Related vulnerabilities
ELSA-2019-2030: python security and bug fix update (MODERATE)
ELSA-2019-3335: python27:2.7 security and bug fix update (MODERATE)
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
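A defensive check for the CRLF injection described above, as an added example that is not part of the advisory or of the python3 patch. It validates a caller-supplied URL before it reaches urllib.request.urlopen, and it probes whether the running interpreter's http.client already refuses control characters in the request target. The names validate_url, UnsafeURL and runtime_rejects_control_chars, the rejected character range, and the host example.invalid are assumptions of this example.

```python
import http.client
import re
from urllib.parse import urlsplit

# Assumption of this example: reject ASCII control characters, space and DEL.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")


class UnsafeURL(ValueError):
    """Raised when a URL must not be handed to urllib."""


def validate_url(url, allowed_schemes=("http", "https")):
    """Return url unchanged if it is safe to pass to urllib.request.urlopen."""
    # Check the raw string first: URL parsers may silently strip CR/LF/TAB.
    match = _DISALLOWED.search(url)
    if match:
        raise UnsafeURL("control character %r at offset %d"
                        % (match.group(), match.start()))
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise UnsafeURL("scheme %r not allowed" % parts.scheme)
    if not parts.hostname:
        raise UnsafeURL("missing host")
    return url


def runtime_rejects_control_chars():
    """True if this interpreter's http.client refuses CR/LF in the path.

    No network traffic is generated: putrequest() only fills a send buffer.
    """
    conn = http.client.HTTPConnection("example.invalid")
    try:
        # Constructed probe value containing CR LF followed by a header line.
        conn.putrequest("GET", "/a\r\nX-Constructed: 1")
    except http.client.InvalidURL:
        return True
    return False


if __name__ == "__main__":
    print("runtime patched:", runtime_rejects_control_chars())
```

Keep validate_url at the application boundary even on patched systems, so a rejected URL is logged with its offset instead of surfacing as a library exception deeper in the call stack.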