Anolis OS update for python38:3.8 module



| Updated: 2025-03-28
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2007-4559
CVE-2001-1267
CVE-2023-32681
CWE-ID CWE-22
CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software
 Anolis OS
Operating systems & Components / Operating system

python38-rpm-macros
Operating systems & Components / Operating system package or component

python38-requests
Operating systems & Components / Operating system package or component

python38-pytz
Operating systems & Components / Operating system package or component

python38-pip-wheel
Operating systems & Components / Operating system package or component

python38-pip
Operating systems & Components / Operating system package or component

python38-numpy-doc
Operating systems & Components / Operating system package or component

python38-tkinter
Operating systems & Components / Operating system package or component

python38-test
Operating systems & Components / Operating system package or component

python38-scipy
Operating systems & Components / Operating system package or component

python38-numpy-f2py
Operating systems & Components / Operating system package or component

python38-numpy
Operating systems & Components / Operating system package or component

python38-mod_wsgi
Operating systems & Components / Operating system package or component

python38-libs
Operating systems & Components / Operating system package or component

python38-idle
Operating systems & Components / Operating system package or component

python38-devel
Operating systems & Components / Operating system package or component

python38-debug
Operating systems & Components / Operating system package or component

python38
Operating systems & Components / Operating system package or component

python38-jinja2
Operating systems & Components / Operating system package or component

python38-wheel-wheel
Operating systems & Components / Operating system package or component

python38-wheel
Operating systems & Components / Operating system package or component

python38-wcwidth
Operating systems & Components / Operating system package or component

python38-urllib3
Operating systems & Components / Operating system package or component

python38-setuptools-wheel
Operating systems & Components / Operating system package or component

python38-setuptools
Operating systems & Components / Operating system package or component

python38-pytest
Operating systems & Components / Operating system package or component

python38-pyparsing
Operating systems & Components / Operating system package or component

python38-py
Operating systems & Components / Operating system package or component

python38-pluggy
Operating systems & Components / Operating system package or component

python38-packaging
Operating systems & Components / Operating system package or component

python38-more-itertools
Operating systems & Components / Operating system package or component

python38-babel
Operating systems & Components / Operating system package or component

python38-attrs
Operating systems & Components / Operating system package or component

python38-atomicwrites
Operating systems & Components / Operating system package or component

python38-psutil
Operating systems & Components / Operating system package or component

python38-lxml
Operating systems & Components / Operating system package or component

python38-six
Operating systems & Components / Operating system package or component

python38-pysocks
Operating systems & Components / Operating system package or component

python38-pycparser
Operating systems & Components / Operating system package or component

python38-ply
Operating systems & Components / Operating system package or component

python38-idna
Operating systems & Components / Operating system package or component

python38-chardet
Operating systems & Components / Operating system package or component

python38-asn1crypto
Operating systems & Components / Operating system package or component

python38-PyMySQL
Operating systems & Components / Operating system package or component

python38-pyyaml
Operating systems & Components / Operating system package or component

python38-psycopg2-tests
Operating systems & Components / Operating system package or component

python38-psycopg2-doc
Operating systems & Components / Operating system package or component

python38-psycopg2
Operating systems & Components / Operating system package or component

python38-markupsafe
Operating systems & Components / Operating system package or component

python38-cryptography
Operating systems & Components / Operating system package or component

python38-cffi
Operating systems & Components / Operating system package or component

python38-Cython
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU67583

Risk: High

CVSSv4.0: 8.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2007-4559

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of filenames in the tarfile module in Python. A remote attacker can create a specially crafted archive with symbolic links inside or filenames that contain directory traversal characters (e.g. "..") and overwrite arbitrary files on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-rpm-macros: before 3.8.17-2.0.1

python38-requests: before 2.22.0-10

python38-pytz: before 2019.3-4

python38-pip-wheel: before 19.3.1-7

python38-pip: before 19.3.1-7

python38-numpy-doc: before 1.17.3-7.0.1

python38-tkinter: before 3.8.17-2.0.1

python38-test: before 3.8.17-2.0.1

python38-scipy: before 1.3.1-5.0.2

python38-numpy-f2py: before 1.17.3-7.0.1

python38-numpy: before 1.17.3-7.0.1

python38-mod_wsgi: before 4.6.8-5

python38-libs: before 3.8.17-2.0.1

python38-idle: before 3.8.17-2.0.1

python38-devel: before 3.8.17-2.0.1

python38-debug: before 3.8.17-2.0.1

python38: before 3.8.17-2.0.1

python38-jinja2: before 2.11.3-1

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-packaging: before 19.2-3

python38-more-itertools: before 7.2.0-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-psutil: before 5.6.4-4

python38-lxml: before 4.4.1-7

python38-six: before 1.12.0-10

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2023:0938


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Path traversal

EUVDB-ID: #VU93014

Risk: High

CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2001-1267

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim to open a specially crafted archive and overwrite arbitrary files on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-rpm-macros: before 3.8.17-2.0.1

python38-requests: before 2.22.0-10

python38-pytz: before 2019.3-4

python38-pip-wheel: before 19.3.1-7

python38-pip: before 19.3.1-7

python38-numpy-doc: before 1.17.3-7.0.1

python38-tkinter: before 3.8.17-2.0.1

python38-test: before 3.8.17-2.0.1

python38-scipy: before 1.3.1-5.0.2

python38-numpy-f2py: before 1.17.3-7.0.1

python38-numpy: before 1.17.3-7.0.1

python38-mod_wsgi: before 4.6.8-5

python38-libs: before 3.8.17-2.0.1

python38-idle: before 3.8.17-2.0.1

python38-devel: before 3.8.17-2.0.1

python38-debug: before 3.8.17-2.0.1

python38: before 3.8.17-2.0.1

python38-jinja2: before 2.11.3-1

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-packaging: before 19.2-3

python38-more-itertools: before 7.2.0-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-psutil: before 5.6.4-4

python38-lxml: before 4.4.1-7

python38-six: before 1.12.0-10

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2023:0938


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU77164

Risk: Medium

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2023-32681

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-rpm-macros: before 3.8.17-2.0.1

python38-requests: before 2.22.0-10

python38-pytz: before 2019.3-4

python38-pip-wheel: before 19.3.1-7

python38-pip: before 19.3.1-7

python38-numpy-doc: before 1.17.3-7.0.1

python38-tkinter: before 3.8.17-2.0.1

python38-test: before 3.8.17-2.0.1

python38-scipy: before 1.3.1-5.0.2

python38-numpy-f2py: before 1.17.3-7.0.1

python38-numpy: before 1.17.3-7.0.1

python38-mod_wsgi: before 4.6.8-5

python38-libs: before 3.8.17-2.0.1

python38-idle: before 3.8.17-2.0.1

python38-devel: before 3.8.17-2.0.1

python38-debug: before 3.8.17-2.0.1

python38: before 3.8.17-2.0.1

python38-jinja2: before 2.11.3-1

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-packaging: before 19.2-3

python38-more-itertools: before 7.2.0-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-psutil: before 5.6.4-4

python38-lxml: before 4.4.1-7

python38-six: before 1.12.0-10

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2023:0938


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###