openSUSE Security Update : python-Jinja2 (openSUSE-2016-1159)

2016-10-1200:00:00

www.tenable.com

CVSS2

4.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS

Percentile

5.1%

JSON

This update for python-Jinja2 fixes the following issues :

Update to version 2.8 :

Added target parameter to urlize function.
Added support for followsymlinks to the file system loader.
The truncate filter now counts the length.
Added equalto filter that helps with select filters.
Changed cache keys to use absolute file names if available instead of load names.
Fixed loop length calculation for some iterators.
Changed how Jinja2 enforces strings to be native strings in Python 2 to work when people break their default encoding.
Added :func:make_logging_undefined which returns an undefined object that logs failures into a logger.
If unmarshalling of cached data fails the template will be reloaded now.
Implemented a block set tag.
Default cache size was incrased to 400 from a low 50.
Fixed is number test to accept long integers in all Python versions.
Changed is number to accept Decimal as a number.
Added a check for default arguments followed by non-default arguments. This change makes (% macro m(x, y=1, z) %)...(% endmacro %) a syntax error. The previous behavior for this code was broken anyway (resulting in the default value being applied to y).
Add ability to use custom subclasses of jinja2.compiler.CodeGenerator and jinja2.runtime.Context by adding two new attributes to the environment (code_generator_class and context_class) (pull request #404).
added support for context/environment/evalctx decorator functions on the finalize callback of the environment.
escape query strings for urlencode properly. Previously slashes were not escaped in that place.
Add ‘base’ parameter to ‘int’ filter.
Update to 2.7.3 (boo#858239, CVE-2014-0012)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-1159.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(93995);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2014-0012");

  script_name(english:"openSUSE Security Update : python-Jinja2 (openSUSE-2016-1159)");
  script_summary(english:"Check for the openSUSE-2016-1159 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for python-Jinja2 fixes the following issues :

Update to version 2.8 :

  - Added `target` parameter to urlize function.

  - Added support for `followsymlinks` to the file system
    loader.

  - The truncate filter now counts the length.

  - Added equalto filter that helps with select filters.

  - Changed cache keys to use absolute file names if
    available instead of load names.

  - Fixed loop length calculation for some iterators.

  - Changed how Jinja2 enforces strings to be native strings
    in Python 2 to work when people break their default
    encoding.

  - Added :func:`make_logging_undefined` which returns an
    undefined object that logs failures into a logger.

  - If unmarshalling of cached data fails the template will
    be reloaded now.

  - Implemented a block ``set`` tag.

  - Default cache size was incrased to 400 from a low 50.

  - Fixed ``is number`` test to accept long integers in all
    Python versions.

  - Changed ``is number`` to accept Decimal as a number.

  - Added a check for default arguments followed by
    non-default arguments. This change makes ``(% macro m(x,
    y=1, z) %)...(% endmacro %)`` a syntax error. The
    previous behavior for this code was broken anyway
    (resulting in the default value being applied to `y`).

  - Add ability to use custom subclasses of
    ``jinja2.compiler.CodeGenerator`` and
    ``jinja2.runtime.Context`` by adding two new attributes
    to the environment (`code_generator_class` and
    `context_class`) (pull request ``#404``).

  - added support for context/environment/evalctx decorator
    functions on the finalize callback of the environment.

  - escape query strings for urlencode properly. Previously
    slashes were not escaped in that place.

  - Add 'base' parameter to 'int' filter.

  - Update to 2.7.3 (boo#858239, CVE-2014-0012)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=858239"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected python-Jinja2 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-Jinja2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-Jinja2-emacs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-Jinja2-vim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE13.2", reference:"python-Jinja2-2.8-3.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"python-Jinja2-emacs-2.8-3.3.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"python-Jinja2-vim-2.8-3.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-Jinja2 / python-Jinja2-emacs / python-Jinja2-vim");
}