Anolis OS update for python38:3.8 module
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-14343 CVE-2020-1747 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system python38-wheel-wheel Operating systems & Components / Operating system package or component python38-wheel Operating systems & Components / Operating system package or component python38-urllib3 Operating systems & Components / Operating system package or component python38-six Operating systems & Components / Operating system package or component python38-setuptools-wheel Operating systems & Components / Operating system package or component python38-setuptools Operating systems & Components / Operating system package or component python38-rpm-macros Operating systems & Components / Operating system package or component python38-requests Operating systems & Components / Operating system package or component python38-pytz Operating systems & Components / Operating system package or component python38-pysocks Operating systems & Components / Operating system package or component python38-pycparser Operating systems & Components / Operating system package or component python38-ply Operating systems & Components / Operating system package or component python38-pip-wheel Operating systems & Components / Operating system package or component python38-pip Operating systems & Components / Operating system package or component python38-numpy-doc Operating systems & Components / Operating system package or component python38-jinja2 Operating systems & Components / Operating system package or component python38-idna Operating systems & Components / Operating system package or component python38-chardet Operating systems & Components / Operating system package or component python38-babel Operating systems & Components / Operating system package or component python38-asn1crypto Operating systems & Components / Operating system package or component python38-PyMySQL Operating systems & Components / Operating system package or component python38-tkinter Operating systems & Components / Operating system package or component python38-test Operating systems & Components / Operating system package or component python38-scipy Operating systems & Components / Operating system package or component python38-pyyaml Operating systems & Components / Operating system package or component python38-psycopg2-tests Operating systems & Components / Operating system package or component python38-psycopg2-doc Operating systems & Components / Operating system package or component python38-psycopg2 Operating systems & Components / Operating system package or component python38-psutil Operating systems & Components / Operating system package or component python38-numpy-f2py Operating systems & Components / Operating system package or component python38-numpy Operating systems & Components / Operating system package or component python38-mod_wsgi Operating systems & Components / Operating system package or component python38-markupsafe Operating systems & Components / Operating system package or component python38-lxml Operating systems & Components / Operating system package or component python38-libs Operating systems & Components / Operating system package or component python38-idle Operating systems & Components / Operating system package or component python38-devel Operating systems & Components / Operating system package or component python38-debug Operating systems & Components / Operating system package or component python38-cryptography Operating systems & Components / Operating system package or component python38-cffi Operating systems & Components / Operating system package or component python38-Cython Operating systems & Components / Operating system package or component python38 Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU54520
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2020-14343
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing untrusted YAML files through the full_load method or with the FullLoader loader. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system by abusing the python/object/new constructor.
Note, the vulnerability exists due to incomplete patch for vulnerability #VU25823.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python38-wheel-wheel: before 0.33.6-5
python38-wheel: before 0.33.6-5
python38-urllib3: before 1.25.7-4
python38-six: before 1.12.0-10
python38-setuptools-wheel: before 41.6.0-4
python38-setuptools: before 41.6.0-4
python38-rpm-macros: before 3.8.6-3
python38-requests: before 2.22.0-9
python38-pytz: before 2019.3-3
python38-pysocks: before 1.7.1-4
python38-pycparser: before 2.19-3
python38-ply: before 3.11-10
python38-pip-wheel: before 19.3.1-1
python38-pip: before 19.3.1-1
python38-numpy-doc: before 1.17.3-5
python38-jinja2: before 2.10.3-4
python38-idna: before 2.8-6
python38-chardet: before 3.0.4-19
python38-babel: before 2.7.0-10
python38-asn1crypto: before 1.2.0-3
python38-PyMySQL: before 0.10.1-1
python38-tkinter: before 3.8.6-3
python38-test: before 3.8.6-3
python38-scipy: before 1.3.1-4
python38-pyyaml: before 5.4.1-1
python38-psycopg2-tests: before 2.8.4-4
python38-psycopg2-doc: before 2.8.4-4
python38-psycopg2: before 2.8.4-4
python38-psutil: before 5.6.4-3
python38-numpy-f2py: before 1.17.3-5
python38-numpy: before 1.17.3-5
python38-mod_wsgi: before 4.6.8-3
python38-markupsafe: before 1.1.1-6
python38-lxml: before 4.4.1-5
python38-libs: before 3.8.6-3
python38-idle: before 3.8.6-3
python38-devel: before 3.8.6-3
python38-debug: before 3.8.6-3
python38-cryptography: before 2.8-3
python38-cffi: before 1.13.2-3
python38-Cython: before 0.29.14-4
python38: before 3.8.6-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:python38-wheel-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-urllib3:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-six:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-setuptools-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-setuptools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-rpm-macros:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-requests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pytz:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pysocks:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pycparser:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-ply:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pip-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pip:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy-doc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-jinja2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-idna:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-chardet:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-babel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-asn1crypto:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pymysql:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-tkinter:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-test:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-scipy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pyyaml:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2-doc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psutil:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy-f2py:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-mod_wsgi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-markupsafe:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-lxml:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-idle:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-debug:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cryptography:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cffi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cython:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2021:0056
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Input validation error
EUVDB-ID: #VU25823
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-1747
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing untrusted YAML files passed via the "full_load" method or with the "FullLoader" loader. A remote attacker can pass specially crafted input to the application and execute arbitrary code by abusing the python/object/new constructor.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python38-wheel-wheel: before 0.33.6-5
python38-wheel: before 0.33.6-5
python38-urllib3: before 1.25.7-4
python38-six: before 1.12.0-10
python38-setuptools-wheel: before 41.6.0-4
python38-setuptools: before 41.6.0-4
python38-rpm-macros: before 3.8.6-3
python38-requests: before 2.22.0-9
python38-pytz: before 2019.3-3
python38-pysocks: before 1.7.1-4
python38-pycparser: before 2.19-3
python38-ply: before 3.11-10
python38-pip-wheel: before 19.3.1-1
python38-pip: before 19.3.1-1
python38-numpy-doc: before 1.17.3-5
python38-jinja2: before 2.10.3-4
python38-idna: before 2.8-6
python38-chardet: before 3.0.4-19
python38-babel: before 2.7.0-10
python38-asn1crypto: before 1.2.0-3
python38-PyMySQL: before 0.10.1-1
python38-tkinter: before 3.8.6-3
python38-test: before 3.8.6-3
python38-scipy: before 1.3.1-4
python38-pyyaml: before 5.4.1-1
python38-psycopg2-tests: before 2.8.4-4
python38-psycopg2-doc: before 2.8.4-4
python38-psycopg2: before 2.8.4-4
python38-psutil: before 5.6.4-3
python38-numpy-f2py: before 1.17.3-5
python38-numpy: before 1.17.3-5
python38-mod_wsgi: before 4.6.8-3
python38-markupsafe: before 1.1.1-6
python38-lxml: before 4.4.1-5
python38-libs: before 3.8.6-3
python38-idle: before 3.8.6-3
python38-devel: before 3.8.6-3
python38-debug: before 3.8.6-3
python38-cryptography: before 2.8-3
python38-cffi: before 1.13.2-3
python38-Cython: before 0.29.14-4
python38: before 3.8.6-3
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:python38-wheel-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-urllib3:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-six:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-setuptools-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-setuptools:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-rpm-macros:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-requests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pytz:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pysocks:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pycparser:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-ply:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pip-wheel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pip:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy-doc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-jinja2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-idna:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-chardet:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-babel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-asn1crypto:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pymysql:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-tkinter:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-test:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-scipy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-pyyaml:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2-doc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psycopg2:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-psutil:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy-f2py:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-numpy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-mod_wsgi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-markupsafe:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-lxml:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-idle:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-debug:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cryptography:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cffi:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38-cython:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python38:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2021:0056
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
