mageia Gentoo Foundation MGASA-2014-0028
History Jan 25, 2014 - 1:04 a.m.

Updated python-jinja2 package fixes two security vulnerabilities

2014-01-25 01:04:09
Gentoo Foundation
advisories.mageia.org
CVSS2: 4.4
Attack Vector: LOCAL
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0
Percentile: 10.1%

Updated python-jinja2 packages fix security vulnerability:

Jinja2, a template engine written in pure Python, was found to use /tmp as the default directory for jinja2.bccache.FileSystemBytecodeCache. This is insecure because the /tmp directory is world-writable and the filenames used by FileSystemBytecodeCache are often predictable. A malicious user could exploit this bug to execute arbitrary code as another user (CVE-2014-1402).
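One way an application can avoid relying on the shared default is to pass FileSystemBytecodeCache an explicit directory that only the running user can write to. The sketch below is an added example, not code from the advisory or from the Jinja2 project; the helper names `private_cache_dir` and `make_environment` and any paths passed to them are assumptions.

```python
import os
import stat


def private_cache_dir(path):
    """Create (or validate) a bytecode cache directory only this user can write.

    Hypothetical helper: refuses a path that another local user could have
    prepared in advance (symlink, foreign owner, group/world-writable).
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something is already there: validate it before trusting it
    st = os.lstat(path)  # lstat so a symlink planted at this path is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a real directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise RuntimeError(f"{path} is group- or world-writable")
    return path


def make_environment(cache_dir, template_dir):
    """Build a Jinja2 environment whose bytecode cache lives in cache_dir."""
    # Imported here so the directory check above can be used without Jinja2.
    from jinja2 import Environment, FileSystemLoader
    from jinja2.bccache import FileSystemBytecodeCache

    return Environment(
        loader=FileSystemLoader(template_dir),
        bytecode_cache=FileSystemBytecodeCache(directory=private_cache_dir(cache_dir)),
    )
```

The directory check runs before the cache object is created, so a pre-existing path that fails validation stops start-up instead of being silently reused.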

OS      Version  Architecture  Package        Version      Filename
Mageia  3        noarch        python-jinja2  < 2.5.5-8.2  python-jinja2-2.5.5-8.2.mga3
