=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python27-python and python27-python-pip security update
Advisory ID:       RHSA-2022:1663-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1663
Issue date:        2022-05-02
CVE Names:         CVE-2021-3733 CVE-2021-3737 CVE-2021-4189
                   CVE-2022-0391
=====================================================================

1. Summary:

An update for python27-python and python27-python-pip is now available for
Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Python is an interpreted, interactive, object-oriented programming language,
which includes modules, classes, exceptions, very high level dynamic data
types and dynamic typing. Python supports interfaces to many system calls
and libraries, as well as to various windowing systems.

Security Fix(es):

* python: urllib: Regular expression DoS in AbstractBasicAuthHandler
(CVE-2021-3733)

* python: ftplib should not use the host from the PASV response
(CVE-2021-4189)

* python: urllib.parse does not sanitize URLs containing ASCII newline and
tabs (CVE-2022-0391)

* python: urllib: HTTP client possible infinite loop on a 100 Continue
response (CVE-2021-3737)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1995162 - CVE-2021-3737 python: urllib: HTTP client possible infinite loop on a 100 Continue response
1995234 - CVE-2021-3733 python: urllib: Regular expression DoS in AbstractBasicAuthHandler
2036020 - CVE-2021-4189 python: ftplib should not use the host from the PASV response
2047376 - CVE-2022-0391 python: urllib.parse does not sanitize URLs containing ASCII newline and tabs
2064442 - SCL Python 2.7: pip contains bundled pre-built exe files in site-packages/pip/_vendor/distlib/ [rhscl-3.8.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
python27-python-2.7.18-4.el7.src.rpm
python27-python-pip-8.1.2-7.el7.src.rpm

noarch:
python27-python-pip-8.1.2-7.el7.noarch.rpm

ppc64le:
python27-python-2.7.18-4.el7.ppc64le.rpm
python27-python-debug-2.7.18-4.el7.ppc64le.rpm
python27-python-debuginfo-2.7.18-4.el7.ppc64le.rpm
python27-python-devel-2.7.18-4.el7.ppc64le.rpm
python27-python-libs-2.7.18-4.el7.ppc64le.rpm
python27-python-test-2.7.18-4.el7.ppc64le.rpm
python27-python-tools-2.7.18-4.el7.ppc64le.rpm
python27-tkinter-2.7.18-4.el7.ppc64le.rpm

s390x:
python27-python-2.7.18-4.el7.s390x.rpm
python27-python-debug-2.7.18-4.el7.s390x.rpm
python27-python-debuginfo-2.7.18-4.el7.s390x.rpm
python27-python-devel-2.7.18-4.el7.s390x.rpm
python27-python-libs-2.7.18-4.el7.s390x.rpm
python27-python-test-2.7.18-4.el7.s390x.rpm
python27-python-tools-2.7.18-4.el7.s390x.rpm
python27-tkinter-2.7.18-4.el7.s390x.rpm

x86_64:
python27-python-2.7.18-4.el7.x86_64.rpm
python27-python-debug-2.7.18-4.el7.x86_64.rpm
python27-python-debuginfo-2.7.18-4.el7.x86_64.rpm
python27-python-devel-2.7.18-4.el7.x86_64.rpm
python27-python-libs-2.7.18-4.el7.x86_64.rpm
python27-python-test-2.7.18-4.el7.x86_64.rpm
python27-python-tools-2.7.18-4.el7.x86_64.rpm
python27-tkinter-2.7.18-4.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
python27-python-2.7.18-4.el7.src.rpm
python27-python-pip-8.1.2-7.el7.src.rpm

noarch:
python27-python-pip-8.1.2-7.el7.noarch.rpm

x86_64:
python27-python-2.7.18-4.el7.x86_64.rpm
python27-python-debug-2.7.18-4.el7.x86_64.rpm
python27-python-debuginfo-2.7.18-4.el7.x86_64.rpm
python27-python-devel-2.7.18-4.el7.x86_64.rpm
python27-python-libs-2.7.18-4.el7.x86_64.rpm
python27-python-test-2.7.18-4.el7.x86_64.rpm
python27-python-tools-2.7.18-4.el7.x86_64.rpm
python27-tkinter-2.7.18-4.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2022-0391
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
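As an added example that is not part of the advisory, the following Python script checks `rpm -qa` output for the python27 packages listed in section 6 and reports any whose installed version-release is still below the fixed builds (2.7.18-4.el7 and pip 8.1.2-7.el7). The version comparison is a simplified reimplementation of rpm's ordering (no epoch, tilde or caret handling) and the sample `rpm -qa` output is constructed, not taken from a real host.

```python
"""Flag installed python27 SCL packages older than the builds shipped in RHSA-2022:1663."""
import re

# Fixed version-release values copied from the advisory's package list.
FIXED = {name: ("2.7.18", "4.el7") for name in (
    "python27-python", "python27-python-debug", "python27-python-devel",
    "python27-python-libs", "python27-python-test", "python27-python-tools",
    "python27-tkinter")}
FIXED["python27-python-pip"] = ("8.1.2", "7.el7")

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alphabetic segments; numeric
    segments compare as integers and rank above alphabetic ones; if all shared
    segments are equal, the string with more segments is newer.
    Returns -1, 0 or 1. Epoch, '~' and '^' are not handled (assumption)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split one 'name-version-release.arch' line from rpm -qa into (name, version, release)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None

def vulnerable_packages(rpm_qa_output):
    """Return the rpm -qa lines whose package is in FIXED but older than the fixed build."""
    stale = []
    for line in rpm_qa_output.splitlines():
        parsed = parse_nvra(line)
        if not parsed or parsed[0] not in FIXED:
            continue  # not one of the packages this advisory updates
        name, ver, rel = parsed
        fver, frel = FIXED[name]
        if (rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)) < 0:
            stale.append(line.strip())
    return stale

# Constructed sample of `rpm -qa 'python27-*'` output (not from a real system).
SAMPLE = """python27-python-2.7.18-3.el7.x86_64
python27-python-libs-2.7.18-4.el7.x86_64
python27-python-pip-8.1.2-6.el7.noarch
python27-runtime-2.0-8.el7.x86_64
"""

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE):
        print("needs update:", pkg)
```

On a real host, feed the script the output of `rpm -qa 'python27-*'` in place of SAMPLE.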
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce