CVE-2019-16056

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Summary

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
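A defensive check for the From/To validation scenario the summary describes, written for this page as an added example (not CPython's code and not the page's own): it does not rely on a single parseaddr() result but also requires the raw addr-spec to contain exactly one '@', so the multiple-@ pattern is rejected on both affected and fixed interpreters. The names strict_parseaddr and sender_in_domain and the sample header values are this example's own.

```python
"""Defensive From/To header check that does not trust a lone parseaddr()
result on Python builds affected by CVE-2019-16056.

Added example, not code from the page or from CPython. The function names
and the sample header values are constructed for this example.
"""
import re
from email.utils import parseaddr

# addr-spec enclosed in angle brackets at the end of the field, e.g.
# 'Alice <alice@example.com>'. If absent, the whole field is the addr-spec.
_ANGLE_ADDR = re.compile(r'<([^<>]*)>\s*$')


def strict_parseaddr(header_value):
    """Return (realname, addr) only when the address is unambiguous.

    Returns None when the header should be rejected. On an affected Python,
    parseaddr('a@malicious.example@important.example') returned
    ('', 'a@malicious.example'), so a check that looked only at that result
    saw a single, well-formed address. A fixed Python returns ('', '').
    Either way the raw addr-spec still carries two '@' characters, which is
    what the second check below keys on, independent of interpreter version.
    """
    realname, addr = parseaddr(header_value)

    # The parsed result must be one local-part, one '@', one domain.
    if addr.count('@') != 1:
        return None
    local, domain = addr.split('@')
    if not local or not domain:
        return None

    # Independently inspect the raw addr-spec the parser worked from.
    m = _ANGLE_ADDR.search(header_value)
    raw_spec = m.group(1) if m else header_value
    if raw_spec.count('@') != 1:
        # Rejects 'x@a.example@b.example' and also the rare but legal
        # quoted local part '"x@y"@a.example'; conservative on purpose.
        return None
    if addr not in raw_spec:
        # Parser output does not correspond to what is on the wire.
        return None
    return realname, addr


def sender_in_domain(header_value, allowed_domain):
    """True only if the header parses strictly and its domain matches."""
    parsed = strict_parseaddr(header_value)
    if parsed is None:
        return False
    return parsed[1].rsplit('@', 1)[1].lower() == allowed_domain.lower()


if __name__ == '__main__':
    # Constructed sample header values (not taken from the page).
    for hv in ['Alice <alice@example.com>',
               'a@example.com@attacker.example',
               'Mallory <a@example.com@attacker.example>']:
        print(repr(hv), '->', strict_parseaddr(hv),
              'allowed:', sender_in_domain(hv, 'example.com'))
```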

Vulnerable Configurations

Part         Description     Count
Application  Python          308
Application  Redhat          1
Application  Oracle          8
OS           Fedoraproject   3
OS           Debian          2
OS           Canonical       5
OS           Oracle          1
OS           Opensuse        2

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-0302-1.NASL
    description: This update for python36 to version 3.6.10 fixes the following issues : CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ signs (bsc#1149955). CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133448
    published: 2020-02-04
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133448
    title: SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:0302-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133448);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/06");
    
      script_cve_id("CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947");
    
      script_name(english:"SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for python36 to version 3.6.10 fixes the following 
    issues :
    
    CVE-2017-18207: Fixed a denial of service in
    Wave_read._read_fmt_chunk() (bsc#1083507).
    
    CVE-2019-16056: Fixed an issue where email parsing could fail for
    multiple @ signs (bsc#1149955).
    
    CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat
    (bsc#1149429).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027282"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1029377"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081750"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083507"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1086001"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088009"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094814"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1109663"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1137942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1138459"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1141853"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149121"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149429"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149792"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149955"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1151490"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1159035"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1159622"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=709442"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=951166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983582"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18207/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000802/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1060/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20852/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-10160/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15903/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16056/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-5010/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9636/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9947/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20200302-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?68a41617"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP5 :
    
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-302=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython3_6m1_0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-base-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:python36-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/02/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"5", reference:"libpython3_6m1_0-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"libpython3_6m1_0-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-base-debugsource-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-debuginfo-3.6.10-4.3.5")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"python36-debugsource-3.6.10-4.3.5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python36");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-B06EC6159B.NASL
    description: Python 3.5 has now entered
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130793
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130793
    title: Fedora 30 : python35 (2019-b06ec6159b)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1925.NASL
    description: A vulnerability was discovered in Python, an interactive high-level object-oriented language. CVE-2019-16056 The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128883
    published: 2019-09-17
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128883
    title: Debian DLA-1925-1 : python2.7 security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20200407_PYTHON3_ON_SL7_X.NASL
    description: * python: Cookie domain check returns incorrect results * python: email.utils.parseaddr wrongly parses email addresses
    last seen: 2020-04-30
    modified: 2020-04-21
    plugin id: 135830
    published: 2020-04-21
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135830
    title: Scientific Linux Security Update : python3 on SL7.x x86_64 (20200407)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-1132.NASL
    description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1132 advisory. - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-04-23
    modified: 2020-04-01
    plugin id: 135056
    published: 2020-04-01
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135056
    title: RHEL 7 : python3 (RHSA-2020:1132)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2438.NASL
    description: This update for python3 to 3.6.9 fixes the following issues : Security issues fixed : - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed : - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130579
    published: 2019-11-06
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130579
    title: openSUSE Security Update : python3 (openSUSE-2019-2438)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-4954D8773C.NASL
    description: # This is a beta preview of Python 3.8 Python 3.8 is still in development. This release, 3.8.0b4 is the last of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release. # Call to action We **strongly encourage** maintainers of third-party Python projects to **test with 3.8** during the beta phase and report issues found to [the Python bug tracker](https://bugs.python.org) as soon as possible. While the release is planned to be feature complete entering the beta phase, it is possible that features may be modified or, in rare cases, deleted up until the start of the release candidate phase (2019-09-30). Our goal is have no ABI changes after beta 3 and no code changes after 3.8.0rc1, the release candidate. To achieve that, it will be extremely important to get as much exposure for 3.8 as possible during the beta phase. Please keep in mind that this is a preview release and its use is **not** recommended for production environments. # Major new features of the 3.8 series, compared to 3.7 Some of the new major new features and changes in Python 3.8 are : - [PEP 572](https://www.python.org/dev/peps/pep-0572/), Assignment expressions - [PEP 570](https://www.python.org/dev/peps/pep-0570/), Positional-only arguments - [PEP 587](https://www.python.org/dev/peps/pep-0587/), Python Initialization Configuration (improved embedding) - [PEP 590](https://www.python.org/dev/peps/pep-0590/), Vectorcall: a fast calling protocol for CPython - [PEP 578](https://www.python.org/dev/peps/pep-0578), Runtime audit hooks - [PEP 574](https://www.python.org/dev/peps/pep-0574), Pickle protocol 5 with out-of-band data - Typing-related: [PEP 591](https://www.python.org/dev/peps/pep-0591) (Final qualifier), [PEP 586](https://www.python.org/dev/peps/pep-0586) (Literal types), and [PEP 589](https://www.python.org/dev/peps/pep-0589) (TypedDict) - Parallel filesystem cache for compiled bytecode - Debug builds share ABI as release builds - f-strings support a handy `=` specifier for debugging - `continue` is now legal in `finally:` blocks - on Windows, the default `asyncio` event loop is now `ProactorEventLoop` - on macOS, the _spawn_ start method is now used by default in `multiprocessing` - `multiprocessing` can now use shared memory segments to avoid pickling costs between processes - `typed_ast` is merged back to CPython - `LOAD_GLOBAL` is now 40% faster - `pickle` now uses Protocol 4 by default, improving performance There are many other interesting changes, please consult the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128652
    published: 2019-09-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128652
    title: Fedora 30 : python38 (2019-4954d8773c)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-1605.NASL
    description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1605 advisory. - The fix leads to a regression (CVE-2018-18074) - python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure (CVE-2018-20060) - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python-urllib3: CRLF injection due to not encoding the
    last seen: 2020-05-21
    modified: 2020-04-28
    plugin id: 136044
    published: 2020-04-28
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136044
    title: RHEL 8 : python27:2.7 (RHSA-2020:1605)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1924.NASL
    description: A vulnerability was discovered in Python, an interactive high-level object-oriented language. CVE-2019-16056 The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128882
    published: 2019-09-17
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128882
    title: Debian DLA-1924-1 : python3.4 security update
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2393.NASL
    description: This update for python fixes the following issues : Security issues fixed : - CVE-2019-9947: Fixed an insufficient validation of URL paths with embedded whitespace or control characters that could allow HTTP header injections. (bsc#1130840) - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130339
    published: 2019-10-28
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130339
    title: openSUSE Security Update : python (openSUSE-2019-2393)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2798-1.NASL
    description: This update for python3 fixes the following issues : CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) CVE-2018-20852: Fixed an incorrect domain validation that could lead to cookies being sent to the wrong server. (bsc#1141853) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130361
    published: 2019-10-29
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130361
    title: SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2798-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-7EC5BB5D22.NASL
    description: Python 3.6.10 is the latest security fix release of Python 3.6. Security fix for CVE-2019-16056, CVE-2019-16935. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132781
    published: 2020-01-13
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132781
    title: Fedora 30 : python36 (2019-7ec5bb5d22)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-758824A3FF.NASL
    description: Python 2.7.17 is a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7. https://www.python.org/downloads/release/python-2717/ - Security fix for CVE-2018-20852. - Security fix for CVE-2019-16056. - Security fix for CVE-2019-16935. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130790
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130790
    title: Fedora 29 : python2 / python2-docs (2019-758824a3ff)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-D58EB75449.NASL
    description: # This is a beta preview of Python 3.8 Python 3.8 is still in development. This release, 3.8.0b4 is the last of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release. # Call to action We **strongly encourage** maintainers of third-party Python projects to **test with 3.8** during the beta phase and report issues found to [the Python bug tracker](https://bugs.python.org) as soon as possible. While the release is planned to be feature complete entering the beta phase, it is possible that features may be modified or, in rare cases, deleted up until the start of the release candidate phase (2019-09-30). Our goal is have no ABI changes after beta 3 and no code changes after 3.8.0rc1, the release candidate. To achieve that, it will be extremely important to get as much exposure for 3.8 as possible during the beta phase. Please keep in mind that this is a preview release and its use is **not** recommended for production environments. # Major new features of the 3.8 series, compared to 3.7 Some of the new major new features and changes in Python 3.8 are : - [PEP 572](https://www.python.org/dev/peps/pep-0572/), Assignment expressions - [PEP 570](https://www.python.org/dev/peps/pep-0570/), Positional-only arguments - [PEP 587](https://www.python.org/dev/peps/pep-0587/), Python Initialization Configuration (improved embedding) - [PEP 590](https://www.python.org/dev/peps/pep-0590/), Vectorcall: a fast calling protocol for CPython - [PEP 578](https://www.python.org/dev/peps/pep-0578), Runtime audit hooks - [PEP 574](https://www.python.org/dev/peps/pep-0574), Pickle protocol 5 with out-of-band data - Typing-related: [PEP 591](https://www.python.org/dev/peps/pep-0591) (Final qualifier), [PEP 586](https://www.python.org/dev/peps/pep-0586) (Literal types), and [PEP 589](https://www.python.org/dev/peps/pep-0589) (TypedDict) - Parallel filesystem cache for compiled bytecode - Debug builds share ABI as release builds - f-strings support a handy `=` specifier for debugging - `continue` is now legal in `finally:` blocks - on Windows, the default `asyncio` event loop is now `ProactorEventLoop` - on macOS, the _spawn_ start method is now used by default in `multiprocessing` - `multiprocessing` can now use shared memory segments to avoid pickling costs between processes - `typed_ast` is merged back to CPython - `LOAD_GLOBAL` is now 40% faster - `pickle` now uses Protocol 4 by default, improving performance There are many other interesting changes, please consult the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128653
    published: 2019-09-11
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128653
    title: Fedora 29 : python38 (2019-d58eb75449)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2748-1.NASL
    description: This update for python fixes the following issues : Security issue fixed : CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955). CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130193
    published: 2019-10-24
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130193
    title: SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2748-1)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4151-1.NASL
    description: It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied. (CVE-2019-16056) It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack. (CVE-2019-16935). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129774
    published: 2019-10-10
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129774
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4151-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2115.NASL
    description: According to the versions of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852) - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340 however, this CVE applies to Python more generally.(CVE-2019-16056) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-03
    modified: 2019-11-12
    plugin id: 130824
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130824
    title: EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-2115)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2020-1275.NASL
    description: According to the versions of the python packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340 however, this CVE applies to Python more generally.(CVE-2019-16056) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.(CVE-2019-9947) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.(CVE-2019-9740) - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen: 2020-03-26
    modified: 2020-03-20
    plugin id: 134741
    published: 2020-03-20
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134741
    title: EulerOS Virtualization 3.0.2.2 : python (EulerOS-SA-2020-1275)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-5DC275C9F2.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129029
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129029
    titleFedora 29 : python34 (2019-5dc275c9f2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2748-2.NASL
    descriptionThis update for python fixes the following issues : Security issue fixed : CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955). CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130943
    published2019-11-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130943
    titleSUSE SLES12 Security Update : python (SUSE-SU-2019:2748-2)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-232F092DB0.NASL
    descriptionPython 3.7.5 is the fifth and most recent maintenance release of Python 3.7. Includes a security fix for CVE-2019-16056. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130478
    published2019-11-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130478
    titleFedora 31 : python3 (2019-232f092db0)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1324.NASL
    descriptionA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160) An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740) urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(
    last seen2020-06-01
    modified2020-06-02
    plugin id131244
    published2019-11-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131244
    titleAmazon Linux AMI : python34 (ALAS-2019-1324)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2453.NASL
    descriptionThis update for python3 to 3.6.9 fixes the following issues : Security issues fixed : - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed : - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id130886
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130886
    titleopenSUSE Security Update : python3 (openSUSE-2019-2453)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1764.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1764 advisory. - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-28
    plugin id136049
    published2020-04-28
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136049
    titleRHEL 8 : python3 (RHSA-2020:1764)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D202CDA4F8.NASL
    descriptionPython 3.5 has now entered
    last seen2020-06-01
    modified2020-06-02
    plugin id130797
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130797
    titleFedora 29 : python35 (2019-d202cda4f8)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0177_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129693
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129693
    titlePhoton OS 2.0: Python2 PHSA-2019-2.0-0177
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-ABA3CCA74A.NASL
    descriptionPython 3.7.5 is the fifth and most recent maintenance release of Python 3.7. Includes a security fix for CVE-2019-16056. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130490
    published2019-11-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130490
    titleFedora 30 : python3 (2019-aba3cca74a)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1131.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1131 advisory. - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-10
    plugin id135343
    published2020-04-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135343
    titleCentOS 7 : python (CESA-2020:1131)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0255_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129685
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129685
    titlePhoton OS 1.0: Python2 PHSA-2019-1.0-0255
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2442.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-05-08
    modified2019-12-04
    plugin id131596
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131596
    titleEulerOS 2.0 SP2 : python (EulerOS-SA-2019-2442)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1368.NASL
    descriptionAn issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056)
    last seen2020-06-01
    modified2020-06-02
    plugin id131237
    published2019-11-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131237
    titleAmazon Linux 2 : python / python3 (ALAS-2019-1368)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-0D3FCAE639.NASL
    descriptionPython 2.7.17 is a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7. https://www.python.org/downloads/release/python-2717/ - Security fix for CVE-2018-20852. - Security fix for CVE-2019-16056. - Security fix for CVE-2019-16935. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130776
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130776
    titleFedora 31 : python2 / python2-docs (2019-0d3fcae639)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2743-1.NASL
    descriptionThis update for python fixes the following issues : Security issues fixed : CVE-2019-9947: Fixed an insufficient validation of URL paths with embedded whitespace or control characters that could allow HTTP header injections. (bsc#1130840) CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130164
    published2019-10-23
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130164
    titleSUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2743-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2114.NASL
    descriptionAccording to the versions of the python2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852) - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2019-11-12
    plugin id130823
    published2019-11-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130823
    titleEulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-2114)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200407_PYTHON_ON_SL7_X.NASL
    description* python: Cookie domain check returns incorrect results * python: email.utils.parseaddr wrongly parses email addresses
    last seen2020-04-30
    modified2020-04-21
    plugin id135831
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135831
    titleScientific Linux Security Update : python on SL7.x x86_64 (20200407)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-74BA24605E.NASL
    descriptionPython 2.7.17 is a bug fix release in the Python 2.7.x series. It is expected to be the penultimate release for Python 2.7. https://www.python.org/downloads/release/python-2717/ - Security fix for CVE-2018-20852. - Security fix for CVE-2019-16056. - Security fix for CVE-2019-16935. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130789
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130789
    titleFedora 30 : python2 / python2-docs (2019-74ba24605e)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1314.NASL
    descriptionAn issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)
    last seen2020-06-01
    modified2020-06-02
    plugin id130404
    published2019-10-31
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130404
    titleAmazon Linux AMI : python27 / python34,python35,python36 (ALAS-2019-1314)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0176_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129295
    published2019-09-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129295
    titlePhoton OS 2.0: Python3 PHSA-2019-2.0-0176
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2802-1.NASL
    descriptionThis update for python3 to 3.6.9 fixes the following issues : Security issues fixed : CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) Improved locale handling by implementing PEP 538. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130388
    published2019-10-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130388
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2802-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-57462FA10D.NASL
    descriptionPython 3.5 has now entered
    last seen2020-06-01
    modified2020-06-02
    plugin id130784
    published2019-11-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130784
    titleFedora 31 : python35 (2019-57462fa10d)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1131.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1131 advisory. - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-01
    plugin id135059
    published2020-04-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135059
    titleRHEL 7 : python (RHSA-2020:1131)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0234-1.NASL
    descriptionThis update for python fixes the following issues : Updated to version 2.7.17 to unify packages among openSUSE:Factory and SLE versions (bsc#1159035). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133259
    published2020-01-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133259
    titleSUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0251_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129294
    published2019-09-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129294
    titlePhoton OS 1.0: Python3 PHSA-2019-1.0-0251
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0031_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id130126
    published2019-10-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130126
    titlePhoton OS 3.0: Python2 PHSA-2019-3.0-0031
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D11594BF0A.NASL
    description# This is a beta preview of Python 3.8 Python 3.8 is still in development. This release, 3.8.0b4 is the last of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release. # Call to action We **strongly encourage** maintainers of third-party Python projects to **test with 3.8** during the beta phase and report issues found to [the Python bug tracker](https://bugs.python.org) as soon as possible. While the release is planned to be feature complete entering the beta phase, it is possible that features may be modified or, in rare cases, deleted up until the start of the release candidate phase (2019-09-30). Our goal is have no ABI changes after beta 3 and no code changes after 3.8.0rc1, the release candidate. To achieve that, it will be extremely important to get as much exposure for 3.8 as possible during the beta phase. Please keep in mind that this is a preview release and its use is **not** recommended for production environments. # Major new features of the 3.8 series, compared to 3.7 Some of the new major new features and changes in Python 3.8 are : - [PEP 572](https://www.python.org/dev/peps/pep-0572/), Assignment expressions - [PEP 570](https://www.python.org/dev/peps/pep-0570/), Positional-only arguments - [PEP 587](https://www.python.org/dev/peps/pep-0587/), Python Initialization Configuration (improved embedding) - [PEP 590](https://www.python.org/dev/peps/pep-0590/), Vectorcall: a fast calling protocol for CPython - [PEP 578](https://www.python.org/dev/peps/pep-0578), Runtime audit hooks - [PEP 574](https://www.python.org/dev/peps/pep-0574), Pickle protocol 5 with out-of-band data - Typing-related: [PEP 591](https://www.python.org/dev/peps/pep-0591) (Final qualifier), [PEP 586](https://www.python.org/dev/peps/pep-0586) (Literal types), and [PEP 589](https://www.python.org/dev/peps/pep-0589) (TypedDict) - Parallel filesystem cache for compiled bytecode - Debug builds share ABI as release builds - f-strings support a handy `=` specifier for debugging - `continue` is now legal in `finally:` blocks - on Windows, the default `asyncio` event loop is now `ProactorEventLoop` - on macOS, the _spawn_ start method is now used by default in `multiprocessing` - `multiprocessing` can now use shared memory segments to avoid pickling costs between processes - `typed_ast` is merged back to CPython - `LOAD_GLOBAL` is now 40% faster - `pickle` now uses Protocol 4 by default, improving performance There are many other interesting changes, please consult the
    last seen2020-06-01
    modified2020-06-02
    plugin id129648
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129648
    titleFedora 31 : python38 (2019-d11594bf0a)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0114-1.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ signs (bsc#1149955). CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133036
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133036
    titleSUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0030_PYTHON3.NASL
    descriptionAn update of the python3 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129164
    published2019-09-23
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129164
    titlePhoton OS 3.0: Python3 PHSA-2019-3.0-0030
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2653.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.(CVE-2019-9740) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.(CVE-2019-9947) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-05-08
    modified2019-12-18
    plugin id132188
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132188
    titleEulerOS 2.0 SP3 : python (EulerOS-SA-2019-2653)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0252_PYTHON2.NASL
    descriptionAn update of the python2 package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id129787
    published2019-10-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129787
    titlePhoton OS 1.0: Python2 PHSA-2019-1.0-0252
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1044.NASL
    descriptionAccording to the versions of the python2 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056) - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852) - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-06-01
    modified2020-06-02
    plugin id132798
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132798
    titleEulerOS Virtualization for ARM 64 3.0.5.0 : python2 (EulerOS-SA-2020-1044)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-86.NASL
    descriptionThis update for python3 to version 3.6.10 fixes the following issues : - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id133172
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133172
    titleopenSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-986622833F.NASL
    descriptionPython 3.7.5 is the fifth and most recent maintenance release of Python 3.7. Includes a security fix for CVE-2019-16056. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130485
    published2019-11-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130485
    titleFedora 29 : python3 (2019-986622833f)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-2B1F72899A.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129027
    published2019-09-19
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129027
    titleFedora 30 : python34 (2019-2b1f72899a)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1212.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.(CVE-2019-9947) - An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.(CVE-2019-9740) - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056) - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-03-19
    modified2020-03-13
    plugin id134501
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134501
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2020-1212)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1132.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1132 advisory. - python: Cookie domain check returns incorrect results (CVE-2018-20852) - python: email.utils.parseaddr wrongly parses email addresses (CVE-2019-16056) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-10
    plugin id135344
    published2020-04-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135344
    titleCentOS 7 : python3 (CESA-2020:1132)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-50772CF122.NASL
    descriptionFix CVE-2019-16056 (rhbz#1750457) ---- Fix CVE-2019-10160 (rhbz#1718867) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129618
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129618
    titleFedora 31 : python34 (2019-50772cf122)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2389.NASL
    descriptionThis update for python fixes the following issues : Security issues fixed : - CVE-2019-9947: Fixed an insufficient validation of URL paths with embedded whitespace or control characters that could allow HTTP header injections. (bsc#1130840) - CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id130337
    published2019-10-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130337
    titleopenSUSE Security Update : python (openSUSE-2019-2389)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-A268BA7B23.NASL
    descriptionPython 3.6.10 is the latest security fix release of Python 3.6. Security fix for CVE-2019-16056, CVE-2019-16935. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132783
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132783
    titleFedora 31 : python36 (2019-a268ba7b23)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1048.NASL
    descriptionAccording to the versions of the python3 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.(CVE-2019-16056) - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.(CVE-2018-20852) - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-06-01
    modified2020-06-02
    plugin id132802
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132802
    titleEulerOS Virtualization for ARM 64 3.0.5.0 : python3 (EulerOS-SA-2020-1048)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2225.NASL
    descriptionAccording to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.(CVE-2019-16935) - library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated
    last seen2020-05-08
    modified2019-11-08
    plugin id130687
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130687
    titleEulerOS 2.0 SP5 : python (EulerOS-SA-2019-2225)
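
The advisories above describe the exposure as an application that allow-lists From/To headers with the email module and is handed an address containing more than one @. The script below is an added example, not code from Python, Tenable or any vendor advisory on this page: it pairs the naive parseaddr()-based check with a hardened one that rejects such headers on patched and unpatched interpreters alike, and includes a probe that tells you whether the interpreter you run it on carries the fix. The allowlist domain important.com, the helper names and the sample headers are constructed for illustration; the probe string a@malicious.org@important.com is the input from the upstream bug report for this CVE (bpo-34155).

```python
"""Hardened From-header allow-listing around email.utils.parseaddr.

Added example for CVE-2019-16056 (not code from Python or from any advisory).
The allowlist and every sample header below are constructed.
"""
from email.utils import parseaddr

# Constructed allowlist: only senders from this domain may trigger an action.
ALLOWED_DOMAINS = {"important.com"}

# Input from the upstream report (bpo-34155): two '@' in a single addr-spec.
MULTI_AT_PROBE = "a@malicious.org@important.com"


def interpreter_is_patched():
    """True when this interpreter carries the CVE-2019-16056 fix.

    Fixed releases (3.5.8+, 3.6.10+, 3.7.5+, 3.8+) make parseaddr() return
    ('', '') for an addr-spec with two '@'; vulnerable ones return only the
    part up to the second '@', e.g. ('', 'a@malicious.org').
    """
    return parseaddr(MULTI_AT_PROBE) == ("", "")


def naive_sender_allowed(from_header):
    """The pattern the advisory warns about: trust parseaddr()'s output as-is.

    On a vulnerable interpreter 'x@important.com@malicious.org' parses to
    'x@important.com' and passes, although the header never contained a
    single valid addr-spec with that domain.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return domain in ALLOWED_DOMAINS


def _count_unquoted_at(header):
    """Count '@' characters outside quoted-strings and (nested) comments."""
    count = 0
    in_quote = False
    depth = 0          # comment nesting depth
    escaped = False
    for ch in header:
        if escaped:
            escaped = False
        elif ch == "\\" and (in_quote or depth):
            escaped = True
        elif in_quote:
            in_quote = ch != '"'
        elif depth:
            depth += {"(": 1, ")": -1}.get(ch, 0)
        elif ch == '"':
            in_quote = True
        elif ch == "(":
            depth = 1
        elif ch == "@":
            count += 1
    return count


def hardened_sender_allowed(from_header):
    """Allow-list check that holds on patched and unpatched interpreters."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.partition("@")
    # Reject empty results (what a patched parseaddr() returns for the probe)
    # and anything that is not exactly one local-part@domain.
    if not (local and at and domain) or "@" in domain:
        return False
    # Defence in depth against the truncation in CVE-2019-16056: the header
    # may carry no more unquoted '@' than the single addr-spec we parsed.
    if _count_unquoted_at(from_header) != 1:
        return False
    return domain.lower() in ALLOWED_DOMAINS


# Constructed sample headers with the verdict the hardened check must give.
SAMPLE_HEADERS = {
    "alice@important.com": True,
    '"Alice (ops)" <alice@important.com>': True,
    '"who@where" <alice@important.com>': True,     # quoted '@' in display name
    "mallory@malicious.org": False,
    "a@important.com@malicious.org": False,         # CVE-2019-16056 shape
    "a@malicious.org@important.com": False,
}


def run_samples():
    """Return {header: hardened verdict} for every constructed sample."""
    return {h: hardened_sender_allowed(h) for h in SAMPLE_HEADERS}


if __name__ == "__main__":
    print("interpreter patched for CVE-2019-16056:", interpreter_is_patched())
    for header, expected in SAMPLE_HEADERS.items():
        print(f"{header!r:42} naive={naive_sender_allowed(header)!s:5} "
              f"hardened={hardened_sender_allowed(header)!s:5} want={expected}")
```

The naive column is the one whose result depends on the interpreter: on a vulnerable Python it accepts a@important.com@malicious.org, on a fixed one it rejects it because parseaddr() now returns an empty address. The hardened check does not rely on that behaviour; it insists on exactly one local-part@domain in the parsed result and exactly one unquoted @ in the raw header, so it fails closed whichever version parses the message. Upgrading to a fixed release remains the actual remediation; the extra check is what protects code that must keep running on the versions listed in the advisories.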

Redhat

advisories
  • bugzilla
    id1749839
    titleCVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentpython-libs is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131001
          • commentpython-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554014
        • AND
          • commentpython-devel is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131003
          • commentpython-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554010
        • AND
          • commentpython is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131005
          • commentpython is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554012
        • AND
          • commenttkinter is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131007
          • commenttkinter is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554004
        • AND
          • commentpython-tools is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131009
          • commentpython-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554008
        • AND
          • commentpython-test is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131011
          • commentpython-test is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110554006
        • AND
          • commentpython-debug is earlier than 0:2.7.5-88.el7
            ovaloval:com.redhat.rhsa:tst:20201131013
          • commentpython-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152101008
    rhsa
    idRHSA-2020:1131
    released2020-03-31
    severityModerate
    titleRHSA-2020:1131: python security update (Moderate)
  • bugzilla
    id1749839
    titleCVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentpython3-libs is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132001
          • commentpython3-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190997002
        • AND
          • commentpython3 is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132003
          • commentpython3 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20201132004
        • AND
          • commentpython3-tkinter is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132005
          • commentpython3-tkinter is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190997016
        • AND
          • commentpython3-test is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132007
          • commentpython3-test is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190997006
        • AND
          • commentpython3-idle is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132009
          • commentpython3-idle is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190997014
        • AND
          • commentpython3-devel is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132011
          • commentpython3-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20201132012
        • AND
          • commentpython3-debug is earlier than 0:3.6.8-13.el7
            ovaloval:com.redhat.rhsa:tst:20201132013
          • commentpython3-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20201132014
    rhsa
    idRHSA-2020:1132
    released2020-03-31
    severityModerate
    titleRHSA-2020:1132: python3 security update (Moderate)
  • bugzilla
    id1762422
    titleThe fix CVE-2018-18074 leads to a regression
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • commentModule python27:2.7 is enabled
        ovaloval:com.redhat.rhsa:tst:20190981121
      • OR
        • AND
          • commentscipy-debugsource is earlier than 0:1.0.0-20.module+el8.1.0+3323+7ac3e00f
            ovaloval:com.redhat.rhsa:tst:20193335011
          • commentscipy-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335012
        • AND
          • commentpython2-tools is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605003
          • commentpython2-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981002
        • AND
          • commentpython2-tkinter is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605005
          • commentpython2-tkinter is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981004
        • AND
          • commentpython2-test is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605007
          • commentpython2-test is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981006
        • AND
          • commentpython2-sqlalchemy is earlier than 0:1.3.2-1.module+el8.1.0+2994+98e054d6
            ovaloval:com.redhat.rhsa:tst:20193335019
          • commentpython2-sqlalchemy is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981008
        • AND
          • commentpython2-scipy is earlier than 0:1.0.0-20.module+el8.1.0+3323+7ac3e00f
            ovaloval:com.redhat.rhsa:tst:20193335021
          • commentpython2-scipy is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981010
        • AND
          • commentpython2-pyyaml is earlier than 0:3.12-16.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335023
          • commentpython2-pyyaml is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981012
        • AND
          • commentpython2-pymongo-gridfs is earlier than 0:3.6.1-11.module+el8.1.0+3446+c3d52da3
            ovaloval:com.redhat.rhsa:tst:20193335025
          • commentpython2-pymongo-gridfs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981014
        • AND
          • commentpython2-pymongo is earlier than 0:3.6.1-11.module+el8.1.0+3446+c3d52da3
            ovaloval:com.redhat.rhsa:tst:20193335027
          • commentpython2-pymongo is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981016
        • AND
          • commentpython2-psycopg2-tests is earlier than 0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335029
          • commentpython2-psycopg2-tests is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981018
        • AND
          • commentpython2-psycopg2-debug is earlier than 0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335031
          • commentpython2-psycopg2-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981020
        • AND
          • commentpython2-psycopg2 is earlier than 0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335033
          • commentpython2-psycopg2 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981022
        • AND
          • commentpython2-numpy-f2py is earlier than 1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
            ovaloval:com.redhat.rhsa:tst:20193335035
          • commentpython2-numpy-f2py is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981024
        • AND
          • commentpython2-numpy is earlier than 1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
            ovaloval:com.redhat.rhsa:tst:20193335037
          • commentpython2-numpy is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981026
        • AND
          • commentpython2-markupsafe is earlier than 0:0.23-19.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335039
          • commentpython2-markupsafe is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981028
        • AND
          • commentpython2-lxml is earlier than 0:4.2.3-3.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335041
          • commentpython2-lxml is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981030
        • AND
          • commentpython2-libs is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605033
          • commentpython2-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981032
        • AND
          • commentpython2-devel is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605035
          • commentpython2-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981034
        • AND
          • commentpython2-debugsource is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605037
          • commentpython2-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981036
        • AND
          • commentpython2-debug is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605039
          • commentpython2-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981038
        • AND
          • commentpython2-coverage is earlier than 0:4.5.1-4.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335051
          • commentpython2-coverage is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981040
        • AND
          • commentpython2-bson is earlier than 0:3.6.1-11.module+el8.1.0+3446+c3d52da3
            ovaloval:com.redhat.rhsa:tst:20193335053
          • commentpython2-bson is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981042
        • AND
          • commentpython2-backports is earlier than 0:1.0-15.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335055
          • commentpython2-backports is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981044
        • AND
          • commentpython2-Cython is earlier than 0:0.28.1-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335057
          • commentpython2-Cython is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981046
        • AND
          • commentpython2 is earlier than 0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
            ovaloval:com.redhat.rhsa:tst:20201605049
          • commentpython2 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981048
        • AND
          • commentpython-pymongo-debugsource is earlier than 0:3.6.1-11.module+el8.1.0+3446+c3d52da3
            ovaloval:com.redhat.rhsa:tst:20193335061
          • commentpython-pymongo-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335062
        • AND
          • commentpython-psycopg2-doc is earlier than 0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335063
          • commentpython-psycopg2-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981050
        • AND
          • commentpython-psycopg2-debugsource is earlier than 0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335065
          • commentpython-psycopg2-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335066
        • AND
          • commentpython-lxml-debugsource is earlier than 0:4.2.3-3.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335001
          • commentpython-lxml-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335002
        • AND
          • commentpython-coverage-debugsource is earlier than 0:4.5.1-4.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335003
          • commentpython-coverage-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335004
        • AND
          • commentnumpy-debugsource is earlier than 1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
            ovaloval:com.redhat.rhsa:tst:20193335005
          • commentnumpy-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335006
        • AND
          • commentPyYAML-debugsource is earlier than 0:3.12-16.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335007
          • commentPyYAML-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335008
        • AND
          • commentCython-debugsource is earlier than 0:0.28.1-7.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335009
          • commentCython-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335010
        • AND
          • commentpython2-wheel-wheel is earlier than 1:0.31.1-2.module+el8.1.0+3725+aac5cd17
            ovaloval:com.redhat.rhsa:tst:20193335067
          • commentpython2-wheel-wheel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20193335068
        • AND
          • commentpython2-wheel is earlier than 1:0.31.1-2.module+el8.1.0+3725+aac5cd17
            ovaloval:com.redhat.rhsa:tst:20193335069
          • commentpython2-wheel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981052
        • AND
          • commentpython2-virtualenv is earlier than 0:15.1.0-19.module+el8.1.0+3507+d69c168d
            ovaloval:com.redhat.rhsa:tst:20193335071
          • commentpython2-virtualenv is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981054
        • AND
          • commentpython2-urllib3 is earlier than 0:1.24.2-1.module+el8.1.0+3280+19512f10
            ovaloval:com.redhat.rhsa:tst:20193335073
          • commentpython2-urllib3 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981056
        • AND
          • commentpython2-six is earlier than 0:1.11.0-5.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335075
          • commentpython2-six is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20190981058
        • AND
          • commentpython2-setuptools_scm is earlier than 0:1.15.7-6.module+el8.1.0+3111+de3f2d8e
            ovaloval:com.redhat.rhsa:tst:20193335077
          • comment: python2-setuptools_scm is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981060
        • AND
          • comment: python2-setuptools-wheel is earlier than 0:39.0.1-11.module+el8.1.0+3446+c3d52da3
            oval: oval:com.redhat.rhsa:tst:20193335079
          • comment: python2-setuptools-wheel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20193335080
        • AND
          • comment: python2-setuptools is earlier than 0:39.0.1-11.module+el8.1.0+3446+c3d52da3
            oval: oval:com.redhat.rhsa:tst:20193335081
          • comment: python2-setuptools is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981062
        • AND
          • comment: python2-rpm-macros is earlier than 0:3-38.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335083
          • comment: python2-rpm-macros is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981064
        • AND
          • comment: python2-requests is earlier than 0:2.20.0-3.module+el8.2.0+4577+feefd9b8
            oval: oval:com.redhat.rhsa:tst:20201605085
          • comment: python2-requests is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981066
        • AND
          • comment: python2-pytz is earlier than 0:2017.2-12.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335087
          • comment: python2-pytz is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981068
        • AND
          • comment: python2-pytest-mock is earlier than 0:1.9.0-4.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335089
          • comment: python2-pytest-mock is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981070
        • AND
          • comment: python2-pytest is earlier than 0:3.4.2-13.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335091
          • comment: python2-pytest is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981072
        • AND
          • comment: python2-pysocks is earlier than 0:1.6.8-6.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335093
          • comment: python2-pysocks is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981074
        • AND
          • comment: python2-pygments is earlier than 0:2.2.0-20.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335095
          • comment: python2-pygments is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981076
        • AND
          • comment: python2-py is earlier than 0:1.5.3-6.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335097
          • comment: python2-py is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981078
        • AND
          • comment: python2-pluggy is earlier than 0:0.6.0-8.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335099
          • comment: python2-pluggy is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981080
        • AND
          • comment: python2-pip-wheel is earlier than 0:9.0.3-16.module+el8.2.0+5478+b505947e
            oval: oval:com.redhat.rhsa:tst:20201605101
          • comment: python2-pip-wheel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20193335102
        • AND
          • comment: python2-pip is earlier than 0:9.0.3-16.module+el8.2.0+5478+b505947e
            oval: oval:com.redhat.rhsa:tst:20201605103
          • comment: python2-pip is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981082
        • AND
          • comment: python2-numpy-doc is earlier than 1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
            oval: oval:com.redhat.rhsa:tst:20193335105
          • comment: python2-numpy-doc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981084
        • AND
          • comment: python2-nose is earlier than 0:1.3.7-30.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335107
          • comment: python2-nose is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981086
        • AND
          • comment: python2-mock is earlier than 0:2.0.0-13.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335109
          • comment: python2-mock is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981088
        • AND
          • comment: python2-jinja2 is earlier than 0:2.10-8.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335111
          • comment: python2-jinja2 is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981090
        • AND
          • comment: python2-ipaddress is earlier than 0:1.0.18-6.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335113
          • comment: python2-ipaddress is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981092
        • AND
          • comment: python2-idna is earlier than 0:2.5-7.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335115
          • comment: python2-idna is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981094
        • AND
          • comment: python2-funcsigs is earlier than 0:1.0.2-13.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335117
          • comment: python2-funcsigs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981096
        • AND
          • comment: python2-docutils is earlier than 0:0.14-12.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335119
          • comment: python2-docutils is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981098
        • AND
          • comment: python2-docs-info is earlier than 0:2.7.16-2.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335121
          • comment: python2-docs-info is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981100
        • AND
          • comment: python2-docs is earlier than 0:2.7.16-2.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335123
          • comment: python2-docs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981102
        • AND
          • comment: python2-dns is earlier than 0:1.15.0-10.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335125
          • comment: python2-dns is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981104
        • AND
          • comment: python2-chardet is earlier than 0:3.0.4-10.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335127
          • comment: python2-chardet is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981106
        • AND
          • comment: python2-backports-ssl_match_hostname is earlier than 0:3.5.0.1-11.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335129
          • comment: python2-backports-ssl_match_hostname is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981108
        • AND
          • comment: python2-babel is earlier than 0:2.5.1-9.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335131
          • comment: python2-babel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981110
        • AND
          • comment: python2-attrs is earlier than 0:17.4.0-10.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335133
          • comment: python2-attrs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981112
        • AND
          • comment: python2-PyMySQL is earlier than 0:0.8.0-10.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335135
          • comment: python2-PyMySQL is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981114
        • AND
          • comment: python-sqlalchemy-doc is earlier than 0:1.3.2-1.module+el8.1.0+2994+98e054d6
            oval: oval:com.redhat.rhsa:tst:20193335137
          • comment: python-sqlalchemy-doc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981116
        • AND
          • comment: python-nose-docs is earlier than 0:1.3.7-30.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335139
          • comment: python-nose-docs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981118
        • AND
          • comment: babel is earlier than 0:2.5.1-9.module+el8.1.0+3111+de3f2d8e
            oval: oval:com.redhat.rhsa:tst:20193335141
          • comment: babel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190981120
    rhsa
    id: RHSA-2020:1605
    released: 2020-04-28
    severity: Moderate
    title: RHSA-2020:1605: python27:2.7 security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id: 1774471
    title: Python os.urandom() is not FIPS compliant
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 8 is installed
        oval: oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment: python3-debugsource is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764001
          • comment: python3-debugsource is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997008
        • AND
          • comment: python3-test is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764003
          • comment: python3-test is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997006
        • AND
          • comment: python3-libs is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764005
          • comment: python3-libs is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997002
        • AND
          • comment: platform-python is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764007
          • comment: platform-python is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997004
        • AND
          • comment: python3-tkinter is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764009
          • comment: python3-tkinter is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997016
        • AND
          • comment: python3-idle is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764011
          • comment: python3-idle is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997014
        • AND
          • comment: platform-python-devel is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764013
          • comment: platform-python-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997010
        • AND
          • comment: platform-python-debug is earlier than 0:3.6.8-23.el8
            oval: oval:com.redhat.rhsa:tst:20201764015
          • comment: platform-python-debug is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20190997012
    rhsa
    id: RHSA-2020:1764
    released: 2020-04-28
    severity: Moderate
    title: RHSA-2020:1764: python3 security and bug fix update (Moderate)
  • rhsa
    id: RHSA-2019:3725
  • rhsa
    id: RHSA-2019:3948
rpms
  • rh-python36-python-0:3.6.9-2.el6
  • rh-python36-python-0:3.6.9-2.el7
  • rh-python36-python-debug-0:3.6.9-2.el6
  • rh-python36-python-debug-0:3.6.9-2.el7
  • rh-python36-python-debuginfo-0:3.6.9-2.el6
  • rh-python36-python-debuginfo-0:3.6.9-2.el7
  • rh-python36-python-devel-0:3.6.9-2.el6
  • rh-python36-python-devel-0:3.6.9-2.el7
  • rh-python36-python-libs-0:3.6.9-2.el6
  • rh-python36-python-libs-0:3.6.9-2.el7
  • rh-python36-python-test-0:3.6.9-2.el6
  • rh-python36-python-test-0:3.6.9-2.el7
  • rh-python36-python-tkinter-0:3.6.9-2.el6
  • rh-python36-python-tkinter-0:3.6.9-2.el7
  • rh-python36-python-tools-0:3.6.9-2.el6
  • rh-python36-python-tools-0:3.6.9-2.el7
  • python27-python-0:2.7.17-2.el6
  • python27-python-0:2.7.17-2.el7
  • python27-python-debug-0:2.7.17-2.el6
  • python27-python-debug-0:2.7.17-2.el7
  • python27-python-debuginfo-0:2.7.17-2.el6
  • python27-python-debuginfo-0:2.7.17-2.el7
  • python27-python-devel-0:2.7.17-2.el6
  • python27-python-devel-0:2.7.17-2.el7
  • python27-python-libs-0:2.7.17-2.el6
  • python27-python-libs-0:2.7.17-2.el7
  • python27-python-test-0:2.7.17-2.el6
  • python27-python-test-0:2.7.17-2.el7
  • python27-python-tools-0:2.7.17-2.el6
  • python27-python-tools-0:2.7.17-2.el7
  • python27-tkinter-0:2.7.17-2.el6
  • python27-tkinter-0:2.7.17-2.el7
  • python-0:2.7.5-88.el7
  • python-debug-0:2.7.5-88.el7
  • python-debuginfo-0:2.7.5-88.el7
  • python-devel-0:2.7.5-88.el7
  • python-libs-0:2.7.5-88.el7
  • python-test-0:2.7.5-88.el7
  • python-tools-0:2.7.5-88.el7
  • tkinter-0:2.7.5-88.el7
  • python3-0:3.6.8-13.el7
  • python3-debug-0:3.6.8-13.el7
  • python3-debuginfo-0:3.6.8-13.el7
  • python3-devel-0:3.6.8-13.el7
  • python3-idle-0:3.6.8-13.el7
  • python3-libs-0:3.6.8-13.el7
  • python3-test-0:3.6.8-13.el7
  • python3-tkinter-0:3.6.8-13.el7
  • Cython-debugsource-0:0.28.1-7.module+el8.1.0+3111+de3f2d8e
  • PyYAML-debugsource-0:3.12-16.module+el8.1.0+3111+de3f2d8e
  • babel-0:2.5.1-9.module+el8.1.0+3111+de3f2d8e
  • numpy-debugsource-1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
  • python-coverage-debugsource-0:4.5.1-4.module+el8.1.0+3111+de3f2d8e
  • python-lxml-debugsource-0:4.2.3-3.module+el8.1.0+3111+de3f2d8e
  • python-nose-docs-0:1.3.7-30.module+el8.1.0+3111+de3f2d8e
  • python-psycopg2-debuginfo-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python-psycopg2-debugsource-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python-psycopg2-doc-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python-pymongo-debuginfo-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python-pymongo-debugsource-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python-sqlalchemy-doc-0:1.3.2-1.module+el8.1.0+2994+98e054d6
  • python2-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-Cython-0:0.28.1-7.module+el8.1.0+3111+de3f2d8e
  • python2-Cython-debuginfo-0:0.28.1-7.module+el8.1.0+3111+de3f2d8e
  • python2-PyMySQL-0:0.8.0-10.module+el8.1.0+3111+de3f2d8e
  • python2-attrs-0:17.4.0-10.module+el8.1.0+3111+de3f2d8e
  • python2-babel-0:2.5.1-9.module+el8.1.0+3111+de3f2d8e
  • python2-backports-0:1.0-15.module+el8.1.0+3111+de3f2d8e
  • python2-backports-ssl_match_hostname-0:3.5.0.1-11.module+el8.1.0+3111+de3f2d8e
  • python2-bson-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python2-bson-debuginfo-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python2-chardet-0:3.0.4-10.module+el8.1.0+3111+de3f2d8e
  • python2-coverage-0:4.5.1-4.module+el8.1.0+3111+de3f2d8e
  • python2-coverage-debuginfo-0:4.5.1-4.module+el8.1.0+3111+de3f2d8e
  • python2-debug-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-debuginfo-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-debugsource-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-devel-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-dns-0:1.15.0-10.module+el8.1.0+3111+de3f2d8e
  • python2-docs-0:2.7.16-2.module+el8.1.0+3111+de3f2d8e
  • python2-docs-info-0:2.7.16-2.module+el8.1.0+3111+de3f2d8e
  • python2-docutils-0:0.14-12.module+el8.1.0+3111+de3f2d8e
  • python2-funcsigs-0:1.0.2-13.module+el8.1.0+3111+de3f2d8e
  • python2-idna-0:2.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-ipaddress-0:1.0.18-6.module+el8.1.0+3111+de3f2d8e
  • python2-jinja2-0:2.10-8.module+el8.1.0+3111+de3f2d8e
  • python2-libs-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-lxml-0:4.2.3-3.module+el8.1.0+3111+de3f2d8e
  • python2-lxml-debuginfo-0:4.2.3-3.module+el8.1.0+3111+de3f2d8e
  • python2-markupsafe-0:0.23-19.module+el8.1.0+3111+de3f2d8e
  • python2-mock-0:2.0.0-13.module+el8.1.0+3111+de3f2d8e
  • python2-nose-0:1.3.7-30.module+el8.1.0+3111+de3f2d8e
  • python2-numpy-1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
  • python2-numpy-debuginfo-1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
  • python2-numpy-doc-1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
  • python2-numpy-f2py-1:1.14.2-13.module+el8.1.0+3323+7ac3e00f
  • python2-pip-0:9.0.3-16.module+el8.2.0+5478+b505947e
  • python2-pip-wheel-0:9.0.3-16.module+el8.2.0+5478+b505947e
  • python2-pluggy-0:0.6.0-8.module+el8.1.0+3111+de3f2d8e
  • python2-psycopg2-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-psycopg2-debug-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-psycopg2-debug-debuginfo-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-psycopg2-debuginfo-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-psycopg2-tests-0:2.7.5-7.module+el8.1.0+3111+de3f2d8e
  • python2-py-0:1.5.3-6.module+el8.1.0+3111+de3f2d8e
  • python2-pygments-0:2.2.0-20.module+el8.1.0+3111+de3f2d8e
  • python2-pymongo-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python2-pymongo-debuginfo-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python2-pymongo-gridfs-0:3.6.1-11.module+el8.1.0+3446+c3d52da3
  • python2-pysocks-0:1.6.8-6.module+el8.1.0+3111+de3f2d8e
  • python2-pytest-0:3.4.2-13.module+el8.1.0+3111+de3f2d8e
  • python2-pytest-mock-0:1.9.0-4.module+el8.1.0+3111+de3f2d8e
  • python2-pytz-0:2017.2-12.module+el8.1.0+3111+de3f2d8e
  • python2-pyyaml-0:3.12-16.module+el8.1.0+3111+de3f2d8e
  • python2-pyyaml-debuginfo-0:3.12-16.module+el8.1.0+3111+de3f2d8e
  • python2-requests-0:2.20.0-3.module+el8.2.0+4577+feefd9b8
  • python2-rpm-macros-0:3-38.module+el8.1.0+3111+de3f2d8e
  • python2-scipy-0:1.0.0-20.module+el8.1.0+3323+7ac3e00f
  • python2-scipy-debuginfo-0:1.0.0-20.module+el8.1.0+3323+7ac3e00f
  • python2-setuptools-0:39.0.1-11.module+el8.1.0+3446+c3d52da3
  • python2-setuptools-wheel-0:39.0.1-11.module+el8.1.0+3446+c3d52da3
  • python2-setuptools_scm-0:1.15.7-6.module+el8.1.0+3111+de3f2d8e
  • python2-six-0:1.11.0-5.module+el8.1.0+3111+de3f2d8e
  • python2-sqlalchemy-0:1.3.2-1.module+el8.1.0+2994+98e054d6
  • python2-test-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-tkinter-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-tools-0:2.7.17-1.module+el8.2.0+4561+f4e0d66a
  • python2-urllib3-0:1.24.2-1.module+el8.1.0+3280+19512f10
  • python2-virtualenv-0:15.1.0-19.module+el8.1.0+3507+d69c168d
  • python2-wheel-1:0.31.1-2.module+el8.1.0+3725+aac5cd17
  • python2-wheel-wheel-1:0.31.1-2.module+el8.1.0+3725+aac5cd17
  • scipy-debugsource-0:1.0.0-20.module+el8.1.0+3323+7ac3e00f
  • platform-python-0:3.6.8-23.el8
  • platform-python-debug-0:3.6.8-23.el8
  • platform-python-devel-0:3.6.8-23.el8
  • python3-debuginfo-0:3.6.8-23.el8
  • python3-debugsource-0:3.6.8-23.el8
  • python3-idle-0:3.6.8-23.el8
  • python3-libs-0:3.6.8-23.el8
  • python3-test-0:3.6.8-23.el8
  • python3-tkinter-0:3.6.8-23.el8

References