Anolis OS update for python27:2.7 module

Published: 2025-03-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2022-40897 CVE-2022-48560 CVE-2022-48565 CVE-2023-43804 CVE-2024-22195
CWE-ID	CWE-185 CWE-416 CWE-611 CWE-200 CWE-79
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available.
Vulnerable software	Anolis OS Operating systems & Components / Operating system python2-urllib3 Operating systems & Components / Operating system package or component python2-setuptools-wheel Operating systems & Components / Operating system package or component python2-setuptools Operating systems & Components / Operating system package or component python2-requests Operating systems & Components / Operating system package or component python2-pytz Operating systems & Components / Operating system package or component python2-jinja2 Operating systems & Components / Operating system package or component python2-tools Operating systems & Components / Operating system package or component python2-tkinter Operating systems & Components / Operating system package or component python2-test Operating systems & Components / Operating system package or component python2-scipy Operating systems & Components / Operating system package or component python2-psycopg2-tests Operating systems & Components / Operating system package or component python2-psycopg2-debug Operating systems & Components / Operating system package or component python2-psycopg2 Operating systems & Components / Operating system package or component python2-libs Operating systems & Components / Operating system package or component python2-devel Operating systems & Components / Operating system package or component python2-debug Operating systems & Components / Operating system package or component python2-coverage Operating systems & Components / Operating system package or component python2 Operating systems & Components / Operating system package or component python-psycopg2-doc Operating systems & Components / Operating system package or component python2-virtualenv Operating systems & Components / Operating system package or component python2-pip-wheel Operating systems & Components / Operating system package or component python2-pip Operating systems & Components / Operating system package or component python2-numpy-doc Operating systems & Components / Operating system package or component python2-numpy-f2py Operating systems & Components / Operating system package or component python2-numpy Operating systems & Components / Operating system package or component python2-wheel-wheel Operating systems & Components / Operating system package or component python2-wheel Operating systems & Components / Operating system package or component python2-six Operating systems & Components / Operating system package or component python2-setuptools_scm Operating systems & Components / Operating system package or component python2-rpm-macros Operating systems & Components / Operating system package or component python2-pytest-mock Operating systems & Components / Operating system package or component python2-pytest Operating systems & Components / Operating system package or component python2-pysocks Operating systems & Components / Operating system package or component python2-pygments Operating systems & Components / Operating system package or component python2-py Operating systems & Components / Operating system package or component python2-pluggy Operating systems & Components / Operating system package or component python2-nose Operating systems & Components / Operating system package or component python2-mock Operating systems & Components / Operating system package or component python2-ipaddress Operating systems & Components / Operating system package or component python2-idna Operating systems & Components / Operating system package or component python2-funcsigs Operating systems & Components / Operating system package or component python2-docutils Operating systems & Components / Operating system package or component python2-docs-info Operating systems & Components / Operating system package or component python2-docs Operating systems & Components / Operating system package or component python2-dns Operating systems & Components / Operating system package or component python2-chardet Operating systems & Components / Operating system package or component python2-backports-ssl_match_hostname Operating systems & Components / Operating system package or component python2-babel Operating systems & Components / Operating system package or component python2-attrs Operating systems & Components / Operating system package or component python2-PyMySQL Operating systems & Components / Operating system package or component python-sqlalchemy-doc Operating systems & Components / Operating system package or component python-nose-docs Operating systems & Components / Operating system package or component babel Operating systems & Components / Operating system package or component python2-sqlalchemy Operating systems & Components / Operating system package or component python2-pyyaml Operating systems & Components / Operating system package or component python2-pymongo-gridfs Operating systems & Components / Operating system package or component python2-pymongo Operating systems & Components / Operating system package or component python2-markupsafe Operating systems & Components / Operating system package or component python2-lxml Operating systems & Components / Operating system package or component python2-bson Operating systems & Components / Operating system package or component python2-backports Operating systems & Components / Operating system package or component python2-Cython Operating systems & Components / Operating system package or component
Vendor	OpenAnolis

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Incorrect Regular Expression

EUVDB-ID: #VU71379

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-40897

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing HTML content. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python2-urllib3: before 1.24.2-4

python2-setuptools-wheel: before 39.0.1-14

python2-setuptools: before 39.0.1-14

python2-requests: before 2.20.0-4

python2-pytz: before 2017.2-13

python2-jinja2: before 2.10-10

python2-tools: before 2.7.18-17.0.1

python2-tkinter: before 2.7.18-17.0.1

python2-test: before 2.7.18-17.0.1

python2-scipy: before 1.0.0-22

python2-psycopg2-tests: before 2.7.5-8

python2-psycopg2-debug: before 2.7.5-8

python2-psycopg2: before 2.7.5-8

python2-libs: before 2.7.18-17.0.1

python2-devel: before 2.7.18-17.0.1

python2-debug: before 2.7.18-17.0.1

python2-coverage: before 4.5.1-5

python2: before 2.7.18-17.0.1

python-psycopg2-doc: before 2.7.5-8

python2-virtualenv: before 15.1.0-22

python2-pip-wheel: before 9.0.3-19.0.1

python2-pip: before 9.0.3-19.0.1

python2-numpy-doc: before 1.14.2-16.0.1

python2-numpy-f2py: before 1.14.2-16.0.1

python2-numpy: before 1.14.2-16.0.1

python2-wheel-wheel: before 0.31.1-3

python2-wheel: before 0.31.1-3

python2-six: before 1.11.0-6

python2-setuptools_scm: before 1.15.7-6

python2-rpm-macros: before 3-38

python2-pytest-mock: before 1.9.0-4

python2-pytest: before 3.4.2-13

python2-pysocks: before 1.6.8-6

python2-pygments: before 2.2.0-22

python2-py: before 1.5.3-6

python2-pluggy: before 0.6.0-8

python2-nose: before 1.3.7-31

python2-mock: before 2.0.0-13

python2-ipaddress: before 1.0.18-6

python2-idna: before 2.5-7

python2-funcsigs: before 1.0.2-13

python2-docutils: before 0.14-12

python2-docs-info: before 2.7.16-2

python2-docs: before 2.7.16-2

python2-dns: before 1.15.0-10

python2-chardet: before 3.0.4-10

python2-backports-ssl_match_hostname: before 3.5.0.1-12

python2-babel: before 2.5.1-10

python2-attrs: before 17.4.0-10

python2-PyMySQL: before 0.8.0-10

python-sqlalchemy-doc: before 1.3.2-2

python-nose-docs: before 1.3.7-31

babel: before 2.5.1-10

python2-sqlalchemy: before 1.3.2-2

python2-pyyaml: before 3.12-16

python2-pymongo-gridfs: before 3.7.0-1.0.1

python2-pymongo: before 3.7.0-1.0.1

python2-markupsafe: before 0.23-19

python2-lxml: before 4.2.3-6

python2-bson: before 3.7.0-1.0.1

python2-backports: before 1.0-16

python2-Cython: before 0.28.1-7

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0469

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU82078

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-48560

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to use-after-free exists via heappushpop in heapq. A remote attacker can trigger the vulnerability to perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python2-urllib3: before 1.24.2-4

python2-setuptools-wheel: before 39.0.1-14

python2-setuptools: before 39.0.1-14

python2-requests: before 2.20.0-4

python2-pytz: before 2017.2-13

python2-jinja2: before 2.10-10

python2-tools: before 2.7.18-17.0.1

python2-tkinter: before 2.7.18-17.0.1

python2-test: before 2.7.18-17.0.1

python2-scipy: before 1.0.0-22

python2-psycopg2-tests: before 2.7.5-8

python2-psycopg2-debug: before 2.7.5-8

python2-psycopg2: before 2.7.5-8

python2-libs: before 2.7.18-17.0.1

python2-devel: before 2.7.18-17.0.1

python2-debug: before 2.7.18-17.0.1

python2-coverage: before 4.5.1-5

python2: before 2.7.18-17.0.1

python-psycopg2-doc: before 2.7.5-8

python2-virtualenv: before 15.1.0-22

python2-pip-wheel: before 9.0.3-19.0.1

python2-pip: before 9.0.3-19.0.1

python2-numpy-doc: before 1.14.2-16.0.1

python2-numpy-f2py: before 1.14.2-16.0.1

python2-numpy: before 1.14.2-16.0.1

python2-wheel-wheel: before 0.31.1-3

python2-wheel: before 0.31.1-3

python2-six: before 1.11.0-6

python2-setuptools_scm: before 1.15.7-6

python2-rpm-macros: before 3-38

python2-pytest-mock: before 1.9.0-4

python2-pytest: before 3.4.2-13

python2-pysocks: before 1.6.8-6

python2-pygments: before 2.2.0-22

python2-py: before 1.5.3-6

python2-pluggy: before 0.6.0-8

python2-nose: before 1.3.7-31

python2-mock: before 2.0.0-13

python2-ipaddress: before 1.0.18-6

python2-idna: before 2.5-7

python2-funcsigs: before 1.0.2-13

python2-docutils: before 0.14-12

python2-docs-info: before 2.7.16-2

python2-docs: before 2.7.16-2

python2-dns: before 1.15.0-10

python2-chardet: before 3.0.4-10

python2-backports-ssl_match_hostname: before 3.5.0.1-12

python2-babel: before 2.5.1-10

python2-attrs: before 17.4.0-10

python2-PyMySQL: before 0.8.0-10

python-sqlalchemy-doc: before 1.3.2-2

python-nose-docs: before 1.3.7-31

babel: before 2.5.1-10

python2-sqlalchemy: before 1.3.2-2

python2-pyyaml: before 3.12-16

python2-pymongo-gridfs: before 3.7.0-1.0.1

python2-pymongo: before 3.7.0-1.0.1

python2-markupsafe: before 0.23-19

python2-lxml: before 4.2.3-6

python2-bson: before 3.7.0-1.0.1

python2-backports: before 1.0-16

python2-Cython: before 0.28.1-7

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0469

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) XML External Entity injection

EUVDB-ID: #VU80564

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2022-48565

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input within the plistlib module. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python2-urllib3: before 1.24.2-4

python2-setuptools-wheel: before 39.0.1-14

python2-setuptools: before 39.0.1-14

python2-requests: before 2.20.0-4

python2-pytz: before 2017.2-13

python2-jinja2: before 2.10-10

python2-tools: before 2.7.18-17.0.1

python2-tkinter: before 2.7.18-17.0.1

python2-test: before 2.7.18-17.0.1

python2-scipy: before 1.0.0-22

python2-psycopg2-tests: before 2.7.5-8

python2-psycopg2-debug: before 2.7.5-8

python2-psycopg2: before 2.7.5-8

python2-libs: before 2.7.18-17.0.1

python2-devel: before 2.7.18-17.0.1

python2-debug: before 2.7.18-17.0.1

python2-coverage: before 4.5.1-5

python2: before 2.7.18-17.0.1

python-psycopg2-doc: before 2.7.5-8

python2-virtualenv: before 15.1.0-22

python2-pip-wheel: before 9.0.3-19.0.1

python2-pip: before 9.0.3-19.0.1

python2-numpy-doc: before 1.14.2-16.0.1

python2-numpy-f2py: before 1.14.2-16.0.1

python2-numpy: before 1.14.2-16.0.1

python2-wheel-wheel: before 0.31.1-3

python2-wheel: before 0.31.1-3

python2-six: before 1.11.0-6

python2-setuptools_scm: before 1.15.7-6

python2-rpm-macros: before 3-38

python2-pytest-mock: before 1.9.0-4

python2-pytest: before 3.4.2-13

python2-pysocks: before 1.6.8-6

python2-pygments: before 2.2.0-22

python2-py: before 1.5.3-6

python2-pluggy: before 0.6.0-8

python2-nose: before 1.3.7-31

python2-mock: before 2.0.0-13

python2-ipaddress: before 1.0.18-6

python2-idna: before 2.5-7

python2-funcsigs: before 1.0.2-13

python2-docutils: before 0.14-12

python2-docs-info: before 2.7.16-2

python2-docs: before 2.7.16-2

python2-dns: before 1.15.0-10

python2-chardet: before 3.0.4-10

python2-backports-ssl_match_hostname: before 3.5.0.1-12

python2-babel: before 2.5.1-10

python2-attrs: before 17.4.0-10

python2-PyMySQL: before 0.8.0-10

python-sqlalchemy-doc: before 1.3.2-2

python-nose-docs: before 1.3.7-31

babel: before 2.5.1-10

python2-sqlalchemy: before 1.3.2-2

python2-pyyaml: before 3.12-16

python2-pymongo-gridfs: before 3.7.0-1.0.1

python2-pymongo: before 3.7.0-1.0.1

python2-markupsafe: before 0.23-19

python2-lxml: before 4.2.3-6

python2-bson: before 3.7.0-1.0.1

python2-backports: before 1.0-16

python2-Cython: before 0.28.1-7

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0469

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Information disclosure

EUVDB-ID: #VU81322

Risk: Low

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2023-43804

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib does not strip the "Cookie" HTTP header during cross-origin HTTP redirects. A remote attacker can gain unauthorized access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python2-urllib3: before 1.24.2-4

python2-setuptools-wheel: before 39.0.1-14

python2-setuptools: before 39.0.1-14

python2-requests: before 2.20.0-4

python2-pytz: before 2017.2-13

python2-jinja2: before 2.10-10

python2-tools: before 2.7.18-17.0.1

python2-tkinter: before 2.7.18-17.0.1

python2-test: before 2.7.18-17.0.1

python2-scipy: before 1.0.0-22

python2-psycopg2-tests: before 2.7.5-8

python2-psycopg2-debug: before 2.7.5-8

python2-psycopg2: before 2.7.5-8

python2-libs: before 2.7.18-17.0.1

python2-devel: before 2.7.18-17.0.1

python2-debug: before 2.7.18-17.0.1

python2-coverage: before 4.5.1-5

python2: before 2.7.18-17.0.1

python-psycopg2-doc: before 2.7.5-8

python2-virtualenv: before 15.1.0-22

python2-pip-wheel: before 9.0.3-19.0.1

python2-pip: before 9.0.3-19.0.1

python2-numpy-doc: before 1.14.2-16.0.1

python2-numpy-f2py: before 1.14.2-16.0.1

python2-numpy: before 1.14.2-16.0.1

python2-wheel-wheel: before 0.31.1-3

python2-wheel: before 0.31.1-3

python2-six: before 1.11.0-6

python2-setuptools_scm: before 1.15.7-6

python2-rpm-macros: before 3-38

python2-pytest-mock: before 1.9.0-4

python2-pytest: before 3.4.2-13

python2-pysocks: before 1.6.8-6

python2-pygments: before 2.2.0-22

python2-py: before 1.5.3-6

python2-pluggy: before 0.6.0-8

python2-nose: before 1.3.7-31

python2-mock: before 2.0.0-13

python2-ipaddress: before 1.0.18-6

python2-idna: before 2.5-7

python2-funcsigs: before 1.0.2-13

python2-docutils: before 0.14-12

python2-docs-info: before 2.7.16-2

python2-docs: before 2.7.16-2

python2-dns: before 1.15.0-10

python2-chardet: before 3.0.4-10

python2-backports-ssl_match_hostname: before 3.5.0.1-12

python2-babel: before 2.5.1-10

python2-attrs: before 17.4.0-10

python2-PyMySQL: before 0.8.0-10

python-sqlalchemy-doc: before 1.3.2-2

python-nose-docs: before 1.3.7-31

babel: before 2.5.1-10

python2-sqlalchemy: before 1.3.2-2

python2-pyyaml: before 3.12-16

python2-pymongo-gridfs: before 3.7.0-1.0.1

python2-pymongo: before 3.7.0-1.0.1

python2-markupsafe: before 0.23-19

python2-lxml: before 4.2.3-6

python2-bson: before 3.7.0-1.0.1

python2-backports: before 1.0-16

python2-Cython: before 0.28.1-7

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0469

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Cross-site scripting

EUVDB-ID: #VU85368

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-22195

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the xmlattr filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python2-urllib3: before 1.24.2-4

python2-setuptools-wheel: before 39.0.1-14

python2-setuptools: before 39.0.1-14

python2-requests: before 2.20.0-4

python2-pytz: before 2017.2-13

python2-jinja2: before 2.10-10

python2-tools: before 2.7.18-17.0.1

python2-tkinter: before 2.7.18-17.0.1

python2-test: before 2.7.18-17.0.1

python2-scipy: before 1.0.0-22

python2-psycopg2-tests: before 2.7.5-8

python2-psycopg2-debug: before 2.7.5-8

python2-psycopg2: before 2.7.5-8

python2-libs: before 2.7.18-17.0.1

python2-devel: before 2.7.18-17.0.1

python2-debug: before 2.7.18-17.0.1

python2-coverage: before 4.5.1-5

python2: before 2.7.18-17.0.1

python-psycopg2-doc: before 2.7.5-8

python2-virtualenv: before 15.1.0-22

python2-pip-wheel: before 9.0.3-19.0.1

python2-pip: before 9.0.3-19.0.1

python2-numpy-doc: before 1.14.2-16.0.1

python2-numpy-f2py: before 1.14.2-16.0.1

python2-numpy: before 1.14.2-16.0.1

python2-wheel-wheel: before 0.31.1-3

python2-wheel: before 0.31.1-3

python2-six: before 1.11.0-6

python2-setuptools_scm: before 1.15.7-6

python2-rpm-macros: before 3-38

python2-pytest-mock: before 1.9.0-4

python2-pytest: before 3.4.2-13

python2-pysocks: before 1.6.8-6

python2-pygments: before 2.2.0-22

python2-py: before 1.5.3-6

python2-pluggy: before 0.6.0-8

python2-nose: before 1.3.7-31

python2-mock: before 2.0.0-13

python2-ipaddress: before 1.0.18-6

python2-idna: before 2.5-7

python2-funcsigs: before 1.0.2-13

python2-docutils: before 0.14-12

python2-docs-info: before 2.7.16-2

python2-docs: before 2.7.16-2

python2-dns: before 1.15.0-10

python2-chardet: before 3.0.4-10

python2-backports-ssl_match_hostname: before 3.5.0.1-12

python2-babel: before 2.5.1-10

python2-attrs: before 17.4.0-10

python2-PyMySQL: before 0.8.0-10

python-sqlalchemy-doc: before 1.3.2-2

python-nose-docs: before 1.3.7-31

babel: before 2.5.1-10

python2-sqlalchemy: before 1.3.2-2

python2-pyyaml: before 3.12-16

python2-pymongo-gridfs: before 3.7.0-1.0.1

python2-pymongo: before 3.7.0-1.0.1

python2-markupsafe: before 0.23-19

python2-lxml: before 4.2.3-6

python2-bson: before 3.7.0-1.0.1

python2-backports: before 1.0-16

python2-Cython: before 0.28.1-7

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0469

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.