SB2020093040 - Red Hat Enterprise Linux 7 update for python3

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2019-16935)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing the server_title field in the XML-RPC server (Lib/DocXMLRPCServer.py) in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Resource management error (CVE-ID: CVE-2020-8492)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls a HTTP server can send a specially crafted HTTP response to the client application and conduct Regular Expression Denial of Service (ReDoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2020:3888