SUSE-SU-2019:1554-1

Published: 18 Jun 2019
Source: suse-cvrf

Description

Security update for python-Jinja2

This update for python-Jinja2 fixes the following issues:

Security issues fixed:

  • CVE-2016-10745: Fixed a sandbox escape caused by an information disclosure via str.format (bsc#1132174).
  • CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
  • CVE-2019-8341: Fixed command injection in function from_string (bsc#1125815).

Package list

Image SLES12-SP4-Azure-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-GCE-BYOS
python-Jinja2-2.8-22.8.1
Image SLES12-SP4-OCI-BYOS
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-Azure
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-Azure-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-EC2-HVM
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-EC2-HVM-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-GCE-BYOS
python-Jinja2-2.8-22.8.1
Image SLES12-SP4-SAP-OCI-BYOS
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-Basic-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-HPC-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-HPC-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-SAP-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-SAP-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-Azure-Standard-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-EC2-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-EC2-ECS-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-EC2-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-EC2-SAP-BYOS
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-EC2-SAP-On-Demand
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-GCE-BYOS
python-Jinja2-2.8-22.8.1
Image SLES12-SP5-GCE-SAP-BYOS
python-Jinja2-2.8-22.8.1
Image SLES12-SP5-OCI-BYOS-BYOS
python3-Jinja2-2.8-22.8.1
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
python3-Jinja2-2.8-22.8.1
SUSE Enterprise Storage 4
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Enterprise Storage 5
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Linux Enterprise Point of Sale 12 SP2
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Manager Proxy 3.1
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Manager Proxy 3.2
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Manager Server 3.1
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE Manager Server 3.2
python-Jinja2-2.8-22.8.1
python3-Jinja2-2.8-22.8.1
SUSE OpenStack Cloud 7
python-Jinja2-2.8-22.8.1

Description

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.


Affected products
Image SLES12-SP4-Azure-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-Azure-BYOS:python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python3-Jinja2-2.8-22.8.1


Description

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.


Affected products
Image SLES12-SP4-Azure-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-Azure-BYOS:python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python3-Jinja2-2.8-22.8.1


Description

** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.


Affected products
Image SLES12-SP4-Azure-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-Azure-BYOS:python3-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python-Jinja2-2.8-22.8.1
Image SLES12-SP4-EC2-HVM-BYOS:python3-Jinja2-2.8-22.8.1

References
Vulnerability SUSE-SU-2019:1554-1