-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-virtualenv security update
Advisory ID:       RHSA-2020:0851-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0851
Issue date:        2020-03-17
CVE Names:         CVE-2018-18074 CVE-2018-20060 CVE-2019-11236
=====================================================================

1. Summary:

An update for python-virtualenv is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

The virtualenv tool creates isolated Python environments. The virtualenv tool is a successor to workingenv, and an extension of virtual-python.

Security Fix(es):

* python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (CVE-2018-20060)

* python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service (CVE-2019-11236)

* python-requests: Redirect from HTTPS to HTTP does not remove Authorization header (CVE-2018-18074)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1643829 - CVE-2018-18074 python-requests: Redirect from HTTPS to HTTP does not remove Authorization header
1649153 - CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
1700824 - CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
python-virtualenv-15.1.0-4.el7_7.src.rpm

noarch:
python-virtualenv-15.1.0-4.el7_7.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
python-virtualenv-15.1.0-4.el7_7.src.rpm

noarch:
python-virtualenv-15.1.0-4.el7_7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
python-virtualenv-15.1.0-4.el7_7.src.rpm

noarch:
python-virtualenv-15.1.0-4.el7_7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
python-virtualenv-15.1.0-4.el7_7.src.rpm

noarch:
python-virtualenv-15.1.0-4.el7_7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-18074
https://access.redhat.com/security/cve/CVE-2018-20060
https://access.redhat.com/security/cve/CVE-2019-11236
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
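The redirect and CRLF rules behind the three fixes listed under Security Fix(es), as an added example that is not Red Hat's or the upstream requests/urllib3 code; the hostnames, header values and URL path are constructed, and the functions implement the rules as the advisory states them rather than either library's exact logic.

```python
"""Added example, not Red Hat's or the upstream requests/urllib3 code: the two
redirect rules and the CRLF rule behind the fixes listed above, as stand-alone
checks. All URLs and header values below are constructed sample data."""
from urllib.parse import quote, urlsplit


def should_strip_authorization(from_url: str, to_url: str) -> bool:
    """True when following from_url -> to_url must drop Authorization.

    Rule 1 (CVE-2018-20060): the target host differs, so credentials meant
    for the first host must not be forwarded to the second.
    Rule 2 (CVE-2018-18074): same host but HTTPS -> HTTP, so credentials
    would otherwise be replayed over cleartext.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.hostname != dst.hostname:          # .hostname is already lowercased
        return True
    return src.scheme == "https" and dst.scheme == "http"

def redirect_headers(headers: dict, from_url: str, to_url: str) -> dict:
    """Return a copy of headers that is safe to send with the redirected request."""
    out = dict(headers)
    if should_strip_authorization(from_url, to_url):
        # header names are case-insensitive, so match on the lowered name
        for name in [n for n in out if n.lower() == "authorization"]:
            del out[name]
    return out

def has_crlf(url: str) -> bool:
    """CVE-2019-11236: a raw CR or LF in a URL component that is sent unencoded
    ends the request line early, so whatever follows is parsed as a header."""
    return "\r" in url or "\n" in url

def encode_path_component(component: str) -> str:
    """The fix side of CVE-2019-11236: percent-encode CR/LF (and anything else
    unsafe) so the bytes travel as %0D%0A instead of a line break."""
    return quote(component, safe="/")

if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer sample-token", "Accept": "application/json"}
    origin = "https://api.example.test/v1/login"
    for target in ("https://cdn.example.test/v1/login",   # cross-host
                   "http://api.example.test/v1/login",    # HTTPS -> HTTP
                   "https://api.example.test/v2/login"):  # same origin, kept
        kept = "Authorization" in redirect_headers(hdrs, origin, target)
        print(f"{origin} -> {target}: Authorization kept={kept}")
    bad = "/search/x\r\nX-Injected: 1"                    # constructed input
    print("raw CRLF present:", has_crlf(bad), "->", encode_path_component(bad))
```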
-- 
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce