DATABASE RESOURCES PRICING ABOUT US

{"id": "ELSA-2019-1587", "type": "oraclelinux", "bulletinFamily": "unix", "title": "python security update", "description": "[2.7.5-80.0.1]\n- Add Oracle Linux distribution in platform.py [orabug 20812544]\n[2.7.5-80]\n- Security fix for CVE-2019-10160\nResolves: rhbz#1718401", "published": "2019-06-20T00:00:00", "modified": "2019-06-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "http://linux.oracle.com/errata/ELSA-2019-1587.html", "reporter": "OracleLinux", "references": [], "cvelist": ["CVE-2019-10160"], "immutableFields": [], "lastseen": "2021-07-28T14:24:31", "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2019-1258", "ALAS-2019-1259", "ALAS-2019-1324", "ALAS2-2019-1258", "ALAS2-2019-1259"]}, {"type": "centos", "idList": ["CESA-2019:1587"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:EDF9B83EB83E197F691D5842752D4768"]}, {"type": "cloudlinux", "idList": ["CLSA-2021:1616001357"]}, {"type": "cve", "idList": ["CVE-2019-10160"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1834-1:7FA17", "DEBIAN:DLA-2280-1:96280", "DEBIAN:DLA-2337-1:70801"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10160"]}, {"type": "fedora", "idList": ["FEDORA:504CC6389DFC", "FEDORA:7A99560A8F88", "FEDORA:7D6AB6133B32", "FEDORA:88C4462CD8F9", "FEDORA:9848360648DC", "FEDORA:9F764605D68D", "FEDORA:B52EF60A8F8C", "FEDORA:BF65760525B8", "FEDORA:C291D604A73C", "FEDORA:DBDE4606041A", "FEDORA:E51866176380", "FEDORA:EA23E62567AD"]}, {"type": "ibm", "idList": ["22C6665D00A9702426CEE593F4765FD3CD4EE170F8AA7F50D0505C6B2799BC21", "2D313E61C8DDD54F55567321F7E7638E346F11C56DF4960FF32482A9F20F2D09", "519ACEECE46E573E03F7FA0C1AF13E8FB0B460ACD56DD6FD91E7D025F5BC2CC6"]}, {"type": "nessus", "idList": ["AL2_ALAS-2019-1258.NASL", "AL2_ALAS-2019-1259.NASL", "ALA_ALAS-2019-1258.NASL", "ALA_ALAS-2019-1259.NASL", "ALA_ALAS-2019-1324.NASL", "CENTOS_RHSA-2019-1587.NASL", "DEBIAN_DLA-1834.NASL", "DEBIAN_DLA-2280.NASL", "DEBIAN_DLA-2337.NASL", "EULEROS_SA-2019-1771.NASL", "EULEROS_SA-2019-1778.NASL", "EULEROS_SA-2019-1797.NASL", "EULEROS_SA-2019-1866.NASL", "EULEROS_SA-2019-1934.NASL", "EULEROS_SA-2019-2019.NASL", "FEDORA_2019-2B1F72899A.NASL", "FEDORA_2019-50772CF122.NASL", "FEDORA_2019-57462FA10D.NASL", "FEDORA_2019-5DC275C9F2.NASL", "FEDORA_2019-60A1DEFCD1.NASL", "FEDORA_2019-7723D4774A.NASL", "FEDORA_2019-7DF59302E0.NASL", "FEDORA_2019-9BFB4A3E4B.NASL", "FEDORA_2019-B06EC6159B.NASL", "FEDORA_2019-D202CDA4F8.NASL", "NEWSTART_CGSL_NS-SA-2019-0160_PYTHON.NASL", "NEWSTART_CGSL_NS-SA-2019-0163_PYTHON.NASL", "OPENSUSE-2019-1906.NASL", "OPENSUSE-2020-86.NASL", "ORACLELINUX_ELSA-2019-1587.NASL", "PHOTONOS_PHSA-2019-1_0-0240_PYTHON2.NASL", "PHOTONOS_PHSA-2019-1_0-0240_PYTHON3.NASL", "PHOTONOS_PHSA-2019-2_0-0165_PYTHON2.NASL", "PHOTONOS_PHSA-2019-2_0-0165_PYTHON3.NASL", "REDHAT-RHSA-2019-1587.NASL", "REDHAT-RHSA-2019-2437.NASL", "SL_20190620_PYTHON_ON_SL7_X.NASL", "SUSE_SU-2019-14142-1.NASL", "SUSE_SU-2019-2050-1.NASL", "SUSE_SU-2019-2053-1.NASL", "SUSE_SU-2019-2053-2.NASL", "SUSE_SU-2019-2064-1.NASL", "SUSE_SU-2019-2091-1.NASL", "SUSE_SU-2020-0114-1.NASL", "SUSE_SU-2020-0234-1.NASL", "SUSE_SU-2020-0302-1.NASL", "UBUNTU_USN-4127-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844168", "OPENVAS:1361412562310852650", "OPENVAS:1361412562310853008", "OPENVAS:1361412562310876569", "OPENVAS:1361412562310876576", "OPENVAS:1361412562310876616", "OPENVAS:1361412562310876619", "OPENVAS:1361412562310876633", "OPENVAS:1361412562310876635", "OPENVAS:1361412562310876817", "OPENVAS:1361412562310876820", "OPENVAS:1361412562310876974", "OPENVAS:1361412562310876976", "OPENVAS:1361412562310877216", "OPENVAS:1361412562310877282", "OPENVAS:1361412562310883071", "OPENVAS:1361412562310891834", "OPENVAS:1361412562310892280", "OPENVAS:1361412562311220191771", "OPENVAS:1361412562311220191778", "OPENVAS:1361412562311220191797", "OPENVAS:1361412562311220191866", "OPENVAS:1361412562311220191934", "OPENVAS:1361412562311220192019"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1467", "ELSA-2019-2030", "ELSA-2019-3520"]}, {"type": "photon", "idList": ["PHSA-2019-0021", "PHSA-2019-0165", "PHSA-2019-0240", "PHSA-2019-1.0-0240", "PHSA-2019-2.0-0165", "PHSA-2019-3.0-0021"]}, {"type": "redhat", "idList": ["RHSA-2019:1587", "RHSA-2019:1700", "RHSA-2019:2437"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-10160"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1906-1", "OPENSUSE-SU-2020:0086-1"]}, {"type": "ubuntu", "idList": ["USN-4127-1", "USN-4127-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10160"]}], "rev": 4}, "score": {"value": 6.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2019-1258", "ALAS-2019-1259"]}, {"type": "centos", "idList": ["CESA-2019:1587"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:EDF9B83EB83E197F691D5842752D4768"]}, {"type": "cloudlinux", "idList": ["CLSA-2021:1616001357"]}, {"type": "cve", "idList": ["CVE-2019-10160"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1834-1:7FA17"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10160"]}, {"type": "fedora", "idList": ["FEDORA:504CC6389DFC", "FEDORA:7A99560A8F88", "FEDORA:7D6AB6133B32", "FEDORA:88C4462CD8F9", "FEDORA:9848360648DC", "FEDORA:9F764605D68D", "FEDORA:B52EF60A8F8C", "FEDORA:BF65760525B8", "FEDORA:C291D604A73C", "FEDORA:DBDE4606041A", "FEDORA:E51866176380", "FEDORA:EA23E62567AD"]}, {"type": "ibm", "idList": ["22C6665D00A9702426CEE593F4765FD3CD4EE170F8AA7F50D0505C6B2799BC21"]}, {"type": "nessus", "idList": ["AL2_ALAS-2019-1258.NASL", "AL2_ALAS-2019-1259.NASL", "ALA_ALAS-2019-1258.NASL", "ALA_ALAS-2019-1259.NASL", "CENTOS_RHSA-2019-1587.NASL", "DEBIAN_DLA-1834.NASL", "EULEROS_SA-2019-1771.NASL", "EULEROS_SA-2019-1778.NASL", "EULEROS_SA-2019-1797.NASL", "EULEROS_SA-2019-1866.NASL", "EULEROS_SA-2019-1934.NASL", "EULEROS_SA-2019-2019.NASL", "FEDORA_2019-2B1F72899A.NASL", "FEDORA_2019-50772CF122.NASL", "FEDORA_2019-5DC275C9F2.NASL", "FEDORA_2019-60A1DEFCD1.NASL", "FEDORA_2019-7723D4774A.NASL", "FEDORA_2019-7DF59302E0.NASL", "FEDORA_2019-9BFB4A3E4B.NASL", "PHOTONOS_PHSA-2019-1_0-0240_PYTHON2.NASL", "PHOTONOS_PHSA-2019-1_0-0240_PYTHON3.NASL", "PHOTONOS_PHSA-2019-2_0-0165_PYTHON2.NASL", "PHOTONOS_PHSA-2019-2_0-0165_PYTHON3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310844168", "OPENVAS:1361412562310852650", "OPENVAS:1361412562310876633", "OPENVAS:1361412562310876635", "OPENVAS:1361412562310876817", "OPENVAS:1361412562310876820", "OPENVAS:1361412562310891834"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1467", "ELSA-2019-2030"]}, {"type": "photon", "idList": ["PHSA-2019-1.0-0240", "PHSA-2019-2.0-0165", "PHSA-2019-3.0-0021"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-10160"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1906-1"]}, {"type": "ubuntu", "idList": ["USN-4127-1", "USN-4127-2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-10160"]}]}, "exploitation": null, "vulnersScore": 6.8}, "affectedPackage": [{"OS": "oracle linux", "OSVersion": "7", "arch": "src", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-2.7.5-80.0.1.el7_6.src.rpm", "operator": "lt", "packageName": "python"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-debug-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python-debug"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-devel-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python-devel"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-libs-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python-libs"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-test-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python-test"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-tools-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "python-tools"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "aarch64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "tkinter-2.7.5-80.0.1.el7_6.aarch64.rpm", "operator": "lt", "packageName": "tkinter"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "src", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-2.7.5-80.0.1.el7_6.src.rpm", "operator": "lt", "packageName": "python"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-debug-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python-debug"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-devel-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python-devel"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "i686", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-libs-2.7.5-80.0.1.el7_6.i686.rpm", "operator": "lt", "packageName": "python-libs"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-libs-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python-libs"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-test-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python-test"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "python-tools-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "python-tools"}, {"OS": "oracle linux", "OSVersion": "7", "arch": "x86_64", "packageVersion": "2.7.5-80.0.1.el7_6", "packageFilename": "tkinter-2.7.5-80.0.1.el7_6.x86_64.rpm", "operator": "lt", "packageName": "tkinter"}], "_state": {"dependencies": 1647589307, "score": 0}}

{"nessus": [{"lastseen": "2022-05-20T14:59:20", "description": "An update of the python2 package has been released.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Python2 PHSA-2019-2.0-0165", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:python2", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0165_PYTHON2.NASL", "href": "https://www.tenable.com/plugins/nessus/126108", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0165. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126108);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"Photon OS 2.0: Python2 PHSA-2019-2.0-0165\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the python2 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-165.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:python2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-2.7.15-8.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-debuginfo-2.7.15-8.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-devel-2.7.15-8.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-libs-2.7.15-8.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-test-2.7.15-8.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python2-tools-2.7.15-8.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-20T14:59:16", "description": "An update of the python3 package has been released.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Python3 PHSA-2019-1.0-0240", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:python3", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0240_PYTHON3.NASL", "href": "https://www.tenable.com/plugins/nessus/126178", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0240. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126178);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"Photon OS 1.0: Python3 PHSA-2019-1.0-0240\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the python3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-240.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python3-3.5.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python3-debuginfo-3.5.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python3-devel-3.5.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python3-libs-3.5.6-7.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python3-tools-3.5.6-7.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-20T15:00:07", "description": "An update of the python2 package has been released.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Python2 PHSA-2019-1.0-0240", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:python2", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2019-1_0-0240_PYTHON2.NASL", "href": "https://www.tenable.com/plugins/nessus/126177", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-1.0-0240. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126177);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"Photon OS 1.0: Python2 PHSA-2019-1.0-0240\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the python2 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-240.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:python2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python2-2.7.15-8.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python2-debuginfo-2.7.15-8.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python2-devel-2.7.15-8.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python2-libs-2.7.15-8.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"python2-tools-2.7.15-8.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-20T14:59:45", "description": "An update of the python3 package has been released.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Python3 PHSA-2019-2.0-0165", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:python3", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2019-2_0-0165_PYTHON3.NASL", "href": "https://www.tenable.com/plugins/nessus/126109", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0165. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126109);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"Photon OS 2.0: Python3 PHSA-2019-2.0-0165\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the python3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-165.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-curses-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-debuginfo-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-devel-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-libs-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-pip-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-setuptools-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-test-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-tools-3.6.5-7.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"python3-xml-3.6.5-7.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:00:07", "description": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : python34 / python35,python36 (ALAS-2019-1259)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python34", "p-cpe:/a:amazon:linux:python34-debuginfo", "p-cpe:/a:amazon:linux:python34-devel", "p-cpe:/a:amazon:linux:python34-libs", "p-cpe:/a:amazon:linux:python34-test", "p-cpe:/a:amazon:linux:python34-tools", "p-cpe:/a:amazon:linux:python35", "p-cpe:/a:amazon:linux:python35-debuginfo", "p-cpe:/a:amazon:linux:python35-devel", "p-cpe:/a:amazon:linux:python35-libs", "p-cpe:/a:amazon:linux:python35-test", "p-cpe:/a:amazon:linux:python35-tools", "p-cpe:/a:amazon:linux:python36", "p-cpe:/a:amazon:linux:python36-debug", "p-cpe:/a:amazon:linux:python36-debuginfo", "p-cpe:/a:amazon:linux:python36-devel", "p-cpe:/a:amazon:linux:python36-libs", "p-cpe:/a:amazon:linux:python36-test", "p-cpe:/a:amazon:linux:python36-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1259.NASL", "href": "https://www.tenable.com/plugins/nessus/127815", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1259.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127815);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"ALAS\", value:\"2019-1259\");\n\n script_name(english:\"Amazon Linux AMI : python34 / python35,python36 (ALAS-2019-1259)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security regression of CVE-2019-9636 was discovered in python, since\ncommit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an\nattacker to exploit CVE-2019-9636 by abusing the user and password\nparts of a URL. When an application parses user-supplied URLs to store\ncookies, authentication credentials, or other kind of information, it\nis possible for an attacker to provide specially crafted URLs to make\nthe application locate host-related information (e.g. cookies,\nauthentication data) and send them to a different host than where it\nshould, unlike if the URLs had been correctly parsed. The result of an\nattack may vary based on the application.(CVE-2019-10160)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1259.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update python34' to update your system.\n\nRun 'yum update python35' to update your system.\n\nRun 'yum update python36' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python35-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python36-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"python34-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-debuginfo-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-devel-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-libs-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-test-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-tools-3.4.10-1.47.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-debuginfo-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-devel-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-libs-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-test-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python35-tools-3.5.7-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-debug-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-debuginfo-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-devel-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-libs-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-test-3.6.8-1.14.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python36-tools-3.6.8-1.14.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python34 / python34-debuginfo / python34-devel / python34-libs / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:03:27", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python packages installed that are affected by a vulnerability:\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2019-0160)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0160_PYTHON.NASL", "href": "https://www.tenable.com/plugins/nessus/127440", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0160. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127440);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2019-0160)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has python packages installed that are affected by\na vulnerability:\n\n - A security regression of CVE-2019-9636 was discovered in\n python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0160\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"python-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-debug-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-debuginfo-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-devel-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-libs-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-test-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"python-tools-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\",\n \"tkinter-2.7.5-80.el7_6.cgslv5.0.1.gf55b118.lite\"\n ],\n \"CGSL MAIN 5.04\": [\n \"python-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-debug-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-debuginfo-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-devel-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-libs-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-test-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"python-tools-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\",\n \"tkinter-2.7.5-80.el7_6.cgslv5.0.1.gf55b118\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:45:38", "description": "Security Fix(es) :\n\n - python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : python on SL7.x x86_64 (20190620)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-02-24T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:python", "p-cpe:/a:fermilab:scientific_linux:python-debug", "p-cpe:/a:fermilab:scientific_linux:python-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-devel", "p-cpe:/a:fermilab:scientific_linux:python-libs", "p-cpe:/a:fermilab:scientific_linux:python-test", "p-cpe:/a:fermilab:scientific_linux:python-tools", "p-cpe:/a:fermilab:scientific_linux:tkinter", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20190620_PYTHON_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/126145", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126145);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"Scientific Linux Security Update : python on SL7.x x86_64 (20190620)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - python: regression of CVE-2019-9636 due to functional\n fix to allow port numbers in netloc (CVE-2019-10160)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1906&L=SCIENTIFIC-LINUX-ERRATA&P=9350\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?99e5b4cf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debuginfo-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-80.el7_6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-27T16:09:37", "description": "From Red Hat Security Advisory 2019:1587 :\n\nAn update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : python (ELSA-2019-1587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-10T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:python", "p-cpe:/a:oracle:linux:python-debug", "p-cpe:/a:oracle:linux:python-devel", "p-cpe:/a:oracle:linux:python-libs", "p-cpe:/a:oracle:linux:python-test", "p-cpe:/a:oracle:linux:python-tools", "p-cpe:/a:oracle:linux:tkinter", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2019-1587.NASL", "href": "https://www.tenable.com/plugins/nessus/126142", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1587 and \n# Oracle Linux Security Advisory ELSA-2019-1587 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126142);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/10\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"RHSA\", value:\"2019:1587\");\n\n script_name(english:\"Oracle Linux 7 : python (ELSA-2019-1587)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2019:1587 :\n\nAn update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow\nport numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-June/008851.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-80.0.1.el7_6\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-80.0.1.el7_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:52:53", "description": "This update for python fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython2_7", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python", "p-cpe:/a:novell:suse_linux:python-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python-base", "p-cpe:/a:novell:suse_linux:python-base-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python-base-debuginfo", "p-cpe:/a:novell:suse_linux:python-base-debugsource", "p-cpe:/a:novell:suse_linux:python-curses", "p-cpe:/a:novell:suse_linux:python-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python-debuginfo", "p-cpe:/a:novell:suse_linux:python-debugsource", "p-cpe:/a:novell:suse_linux:python-demo", "p-cpe:/a:novell:suse_linux:python-devel", "p-cpe:/a:novell:suse_linux:python-gdbm", "p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo", "p-cpe:/a:novell:suse_linux:python-idle", "p-cpe:/a:novell:suse_linux:python-tk", "p-cpe:/a:novell:suse_linux:python-tk-debuginfo", "p-cpe:/a:novell:suse_linux:python-xml", "p-cpe:/a:novell:suse_linux:python-xml-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2019-2064-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127770", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2064-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127770);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2019:2064-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\nintroduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192064-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6e5218b\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Python2-15-SP1-2019-2064=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2064=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-2064=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15-SP1:zypper in\n-t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2064=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2019-2064=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2019-2064=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-2064=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython2_7-1_0-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-curses-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-curses-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-demo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-devel-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-gdbm-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-gdbm-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-idle-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-tk-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-tk-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-xml-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-xml-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython2_7-1_0-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython2_7-1_0-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-curses-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-curses-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-demo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-devel-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-gdbm-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-gdbm-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-idle-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-tk-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-tk-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-xml-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-xml-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython2_7-1_0-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-curses-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-curses-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-demo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-devel-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-gdbm-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-gdbm-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-idle-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-tk-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-tk-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-xml-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-xml-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython2_7-1_0-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython2_7-1_0-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-curses-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-curses-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-debugsource-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-demo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-devel-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-gdbm-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-gdbm-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-idle-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-tk-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-tk-debuginfo-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-xml-2.7.14-7.14.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-xml-debuginfo-2.7.14-7.14.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T21:53:25", "description": "According to the version of the python packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-17T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2019-1934)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "p-cpe:/a:huawei:euleros:python-tools", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2019-1934.NASL", "href": "https://www.tenable.com/plugins/nessus/128937", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128937);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-10160\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2019-1934)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the python packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerability :\n\n - A security regression of CVE-2019-9636 was discovered\n in python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1934\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1a7e99d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-69.h22\",\n \"python-devel-2.7.5-69.h22\",\n \"python-libs-2.7.5-69.h22\",\n \"python-tools-2.7.5-69.h22\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:12:11", "description": "An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-25T00:00:00", "type": "nessus", "title": "CentOS 7 : python (CESA-2019:1587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-10T00:00:00", "cpe": ["p-cpe:/a:centos:centos:python", "p-cpe:/a:centos:centos:python-debug", "p-cpe:/a:centos:centos:python-devel", "p-cpe:/a:centos:centos:python-libs", "p-cpe:/a:centos:centos:python-test", "p-cpe:/a:centos:centos:python-tools", "p-cpe:/a:centos:centos:tkinter", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2019-1587.NASL", "href": "https://www.tenable.com/plugins/nessus/126219", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1587 and \n# CentOS Errata and Security Advisory 2019:1587 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126219);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/10\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"RHSA\", value:\"2019:1587\");\n\n script_name(english:\"CentOS 7 : python (CESA-2019:1587)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow\nport numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2019-June/023337.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?82c7f778\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-80.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-80.el7_6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:08:38", "description": "According to the version of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-25T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-1778)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python3", "p-cpe:/a:huawei:euleros:python3-libs", "p-cpe:/a:huawei:euleros:python3-test", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1778.NASL", "href": "https://www.tenable.com/plugins/nessus/127015", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127015);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-10160\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : python3 (EulerOS-SA-2019-1778)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the python3 packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A security regression of CVE-2019-9636 was discovered\n in python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1778\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?433bdc0b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python3 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-test\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"python3-3.7.0-9.h7.eulerosv2r8\",\n \"python3-libs-3.7.0-9.h7.eulerosv2r8\",\n \"python3-test-3.7.0-9.h7.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-24T16:54:52", "description": "Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-10-07T00:00:00", "type": "nessus", "title": "Fedora 31 : python34 (2019-50772cf122)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python34", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-50772CF122.NASL", "href": "https://www.tenable.com/plugins/nessus/129618", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-50772cf122.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129618);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\");\n script_xref(name:\"FEDORA\", value:\"2019-50772cf122\");\n\n script_name(english:\"Fedora 31 : python34 (2019-50772cf122)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-50772cf122\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected python34 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-16056\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python34\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"python34-3.4.10-6.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python34\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:03:27", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by a vulnerability:\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : python Vulnerability (NS-SA-2019-0163)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0163_PYTHON.NASL", "href": "https://www.tenable.com/plugins/nessus/127446", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0163. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127446);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2019-10160\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : python Vulnerability (NS-SA-2019-0163)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by\na vulnerability:\n\n - A security regression of CVE-2019-9636 was discovered in\n python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0163\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL python packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.05\": [\n \"python-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-debug-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-debuginfo-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-devel-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-libs-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-test-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"python-tools-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\",\n \"tkinter-2.7.5-80.el7_6.cgslv5_5.0.1.gda86704.lite\"\n ],\n \"CGSL MAIN 5.05\": [\n \"python-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-debug-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-debuginfo-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-devel-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-libs-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-test-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"python-tools-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\",\n \"tkinter-2.7.5-80.el7_6.cgslv5_5.0.1.g9a369ff\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:08:38", "description": "According to the version of the python2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-25T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-1771)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python-unversioned-command", "p-cpe:/a:huawei:euleros:python2", "p-cpe:/a:huawei:euleros:python2-devel", "p-cpe:/a:huawei:euleros:python2-libs", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1771.NASL", "href": "https://www.tenable.com/plugins/nessus/127008", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127008);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-10160\"\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : python2 (EulerOS-SA-2019-1771)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the python2 packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A security regression of CVE-2019-9636 was discovered\n in python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1771\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e5579757\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-unversioned-command\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python2-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-unversioned-command-2.7.15-10.h7.eulerosv2r8\",\n \"python2-2.7.15-10.h7.eulerosv2r8\",\n \"python2-devel-2.7.15-10.h7.eulerosv2r8\",\n \"python2-libs-2.7.15-10.h7.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-27T16:10:40", "description": "An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-21T00:00:00", "type": "nessus", "title": "RHEL 7 : python (RHSA-2019:1587)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-10T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python", "p-cpe:/a:redhat:enterprise_linux:python-debug", "p-cpe:/a:redhat:enterprise_linux:python-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-devel", "p-cpe:/a:redhat:enterprise_linux:python-libs", "p-cpe:/a:redhat:enterprise_linux:python-test", "p-cpe:/a:redhat:enterprise_linux:python-tools", "p-cpe:/a:redhat:enterprise_linux:tkinter", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.6"], "id": "REDHAT-RHSA-2019-1587.NASL", "href": "https://www.tenable.com/plugins/nessus/126089", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:1587. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126089);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/10\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"RHSA\", value:\"2019:1587\");\n\n script_name(english:\"RHEL 7 : python (RHSA-2019:1587)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for python is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to\nmany system calls and libraries, as well as to various windowing\nsystems.\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow\nport numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://python-security.readthedocs.io/vuln/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:1587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-10160\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:1587\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-debug-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"python-debuginfo-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-devel-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"python-libs-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-test-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-tools-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"tkinter-2.7.5-80.el7_6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-80.el7_6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n }\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-15T18:07:10", "description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:\nImproper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in:\nv2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9636)\n\nA security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.(CVE-2019-10160)\n\nImpact\n\nA remote attacker may be able to use a specially crafted URL to locate cookies or authentication data and send that information to a different host than when parsed correctly.\n\nBIG-IP Extended Application Verification (EAV) monitors using the Python urlsplit() function with URLs from an untrusted source may be impacted by this vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-07-12T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Python vulnerabilities (K57542514)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2022-04-21T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL57542514.NASL", "href": "https://www.tenable.com/plugins/nessus/151496", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K57542514.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(151496);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/21\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"F5 Networks BIG-IP : Python vulnerabilities (K57542514)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization. The impact is: Information disclosure\n(credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The\nattack vector is: A specially crafted URL could be incorrectly parsed\nto locate cookies or authentication data and send that information to\na different host than when parsed correctly. This is fixed in:\nv2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7,\nv3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11,\nv3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4,\nv3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7,\nv3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. (CVE-2019-9636)\n\nA security regression of CVE-2019-9636 was discovered in python since\ncommit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions\n2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still\nallows an attacker to exploit CVE-2019-9636 by abusing the user and\npassword parts of a URL. When an application parses user-supplied URLs\nto store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different host\nthan where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the\napplication.(CVE-2019-10160)\n\nImpact\n\nA remote attacker may be able to use a specially crafted URL to locate\ncookies or authentication data and send that information to a\ndifferent host than when parsed correctly.\n\nBIG-IP Extended Application Verification (EAV) monitors using the\nPython urlsplit() function with URLs from an untrusted source may be\nimpacted by this vulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K57542514\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K57542514.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K57542514\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"16.0.0-16.0.1\",\"15.1.0-15.1.5\",\"14.1.0-14.1.4\",\"13.1.0-13.1.5\",\"12.1.0-12.1.6\",\"11.6.1-11.6.5\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"16.1.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T21:58:43", "description": "According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-23T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1797)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "p-cpe:/a:huawei:euleros:tkinter", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1797.NASL", "href": "https://www.tenable.com/plugins/nessus/128089", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128089);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-10160\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1797)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A security regression of CVE-2019-9636 was discovered\n in python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1797\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b2dbef6c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-69.h21.eulerosv2r7\",\n \"python-devel-2.7.5-69.h21.eulerosv2r7\",\n \"python-libs-2.7.5-69.h21.eulerosv2r7\",\n \"tkinter-2.7.5-69.h21.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:50:53", "description": "This update for python fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-20T00:00:00", "type": "nessus", "title": "openSUSE Security Update : python (openSUSE-2019-1906)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-09-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libpython2_7-1_0", "p-cpe:/a:novell:opensuse:libpython2_7-1_0-32bit", "p-cpe:/a:novell:opensuse:libpython2_7-1_0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libpython2_7-1_0-debuginfo", "p-cpe:/a:novell:opensuse:python", "p-cpe:/a:novell:opensuse:python-32bit", "p-cpe:/a:novell:opensuse:python-32bit-debuginfo", "p-cpe:/a:novell:opensuse:python-base", "p-cpe:/a:novell:opensuse:python-base-32bit", "p-cpe:/a:novell:opensuse:python-base-32bit-debuginfo", "p-cpe:/a:novell:opensuse:python-base-debuginfo", "p-cpe:/a:novell:opensuse:python-base-debugsource", "p-cpe:/a:novell:opensuse:python-curses", "p-cpe:/a:novell:opensuse:python-curses-debuginfo", "p-cpe:/a:novell:opensuse:python-debuginfo", "p-cpe:/a:novell:opensuse:python-debugsource", "p-cpe:/a:novell:opensuse:python-demo", "p-cpe:/a:novell:opensuse:python-devel", "p-cpe:/a:novell:opensuse:python-doc-pdf", "p-cpe:/a:novell:opensuse:python-gdbm", "p-cpe:/a:novell:opensuse:python-gdbm-debuginfo", "p-cpe:/a:novell:opensuse:python-idle", "p-cpe:/a:novell:opensuse:python-tk", "p-cpe:/a:novell:opensuse:python-tk-debuginfo", "p-cpe:/a:novell:opensuse:python-xml", "p-cpe:/a:novell:opensuse:python-xml-debuginfo", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-1906.NASL", "href": "https://www.tenable.com/plugins/nessus/127998", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-1906.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127998);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/23\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"openSUSE Security Update : python (openSUSE-2019-1906)\");\n script_summary(english:\"Check for the openSUSE-2019-1906 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-10160: Fixed a regression in urlparse() and\n urlsplit() introduced by the fix for CVE-2019-9636\n (bsc#1138459).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython2_7-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython2_7-1_0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython2_7-1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython2_7-1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-base-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-doc-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-gdbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-gdbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-xml-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libpython2_7-1_0-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libpython2_7-1_0-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-base-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-base-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-base-debugsource-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-curses-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-curses-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-debugsource-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-demo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-devel-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-doc-pdf-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-gdbm-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-gdbm-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-idle-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-tk-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-tk-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-xml-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python-xml-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python-32bit-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python-32bit-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python-base-32bit-2.7.14-lp151.10.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python-base-32bit-debuginfo-2.7.14-lp151.10.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpython2_7-1_0 / libpython2_7-1_0-debuginfo / python-base / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:00:08", "description": "A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n(CVE-2019-10160)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : python (ALAS-2019-1258)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python", "p-cpe:/a:amazon:linux:python-debug", "p-cpe:/a:amazon:linux:python-debuginfo", "p-cpe:/a:amazon:linux:python-devel", "p-cpe:/a:amazon:linux:python-libs", "p-cpe:/a:amazon:linux:python-test", "p-cpe:/a:amazon:linux:python-tools", "p-cpe:/a:amazon:linux:tkinter", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2019-1258.NASL", "href": "https://www.tenable.com/plugins/nessus/127462", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2019-1258.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127462);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"ALAS\", value:\"2019-1258\");\n\n script_name(english:\"Amazon Linux 2 : python (ALAS-2019-1258)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security regression of CVE-2019-9636 was discovered in python, which\nstill allows an attacker to exploit CVE-2019-9636 by abusing the user\nand password parts of a URL. When an application parses user-supplied\nURLs to store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different host\nthan where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n(CVE-2019-10160)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2019-1258.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update python' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"python-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-debug-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-debuginfo-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-devel-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-libs-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-test-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python-tools-2.7.16-2.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tkinter-2.7.16-2.amzn2.0.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-24T22:04:46", "description": "A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n(CVE-2019-10160)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : python3 (ALAS-2019-1259)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python3", "p-cpe:/a:amazon:linux:python3-debug", "p-cpe:/a:amazon:linux:python3-debuginfo", "p-cpe:/a:amazon:linux:python3-devel", "p-cpe:/a:amazon:linux:python3-libs", "p-cpe:/a:amazon:linux:python3-test", "p-cpe:/a:amazon:linux:python3-tkinter", "p-cpe:/a:amazon:linux:python3-tools", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2019-1259.NASL", "href": "https://www.tenable.com/plugins/nessus/127463", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2019-1259.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127463);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-10160\");\n script_xref(name:\"ALAS\", value:\"2019-1259\");\n\n script_name(english:\"Amazon Linux 2 : python3 (ALAS-2019-1259)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security regression of CVE-2019-9636 was discovered in python, which\nstill allows an attacker to exploit CVE-2019-9636 by abusing the user\nand password parts of a URL. When an application parses user-supplied\nURLs to store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different host\nthan where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n(CVE-2019-10160)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2019-1259.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update python3' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"python3-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-debug-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-debuginfo-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-devel-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-libs-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-test-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-tkinter-3.7.4-1.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"python3-tools-3.7.4-1.amzn2.0.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3 / python3-debug / python3-debuginfo / python3-devel / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-20T15:10:20", "description": "According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)\n\n - urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-17T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "p-cpe:/a:huawei:euleros:tkinter", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1866.NASL", "href": "https://www.tenable.com/plugins/nessus/128918", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128918);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\"CVE-2019-9948\", \"CVE-2019-10160\");\n\n script_name(english:\"EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1866)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A security regression of CVE-2019-9636 was discovered\n in python, since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3, which still\n allows an attacker to exploit CVE-2019-9636 by abusing\n the user and password parts of a URL. When an\n application parses user-supplied URLs to store cookies,\n authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)\n\n - urllib in Python 2.x through 2.7.16 supports the\n local_file: scheme, which makes it easier for remote\n attackers to bypass protection mechanisms that\n blacklist file: URIs, as demonstrated by triggering a\n urllib.urlopen('local_file:///etc/passwd')\n call.(CVE-2019-9948)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1866\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d56d9eeb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-58.h15\",\n \"python-devel-2.7.5-58.h15\",\n \"python-libs-2.7.5-58.h15\",\n \"tkinter-2.7.5-58.h15\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:48:11", "description": "Update Python 3.6 to [3.6.9](https://www.python.org/downloads/release/python-369/), the latest security release of the 3.6 branch. [Changelog for 3.6.9 final](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6- 9-final) and [3.6.9 release candidate 1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re lease-candidate-1). Includes security fixes for CVE-2019-9636, CVE-2019-9740, CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-15T00:00:00", "type": "nessus", "title": "Fedora 30 : python36 (2019-7723d4774a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2020-01-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python36", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-7723D4774A.NASL", "href": "https://www.tenable.com/plugins/nessus/126658", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-7723d4774a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126658);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/08\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\", \"CVE-2019-9740\");\n script_xref(name:\"FEDORA\", value:\"2019-7723d4774a\");\n\n script_name(english:\"Fedora 30 : python36 (2019-7723d4774a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update Python 3.6 to\n[3.6.9](https://www.python.org/downloads/release/python-369/), the\nlatest security release of the 3.6 branch. [Changelog for 3.6.9\nfinal](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-\n9-final) and [3.6.9 release candidate\n1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re\nlease-candidate-1). Includes security fixes for CVE-2019-9636,\nCVE-2019-9740, CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7723d4774a\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-final\"\n );\n # https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-release-candidate-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f60517a0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.python.org/downloads/release/python-369/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python36 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python36\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"python36-3.6.9-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python36\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-17T18:00:58", "description": "The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2019:14142-1 advisory.\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-10T00:00:00", "type": "nessus", "title": "SUSE SLES11 Security Update : python (SUSE-SU-2019:14142-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20852", "CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-06-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython2_6-1_0", "p-cpe:/a:novell:suse_linux:libpython2_6-1_0-32bit", "p-cpe:/a:novell:suse_linux:python", "p-cpe:/a:novell:suse_linux:python-32bit", "p-cpe:/a:novell:suse_linux:python-base", "p-cpe:/a:novell:suse_linux:python-base-32bit", "p-cpe:/a:novell:suse_linux:python-curses", "p-cpe:/a:novell:suse_linux:python-demo", "p-cpe:/a:novell:suse_linux:python-doc", "p-cpe:/a:novell:suse_linux:python-doc-pdf", "p-cpe:/a:novell:suse_linux:python-gdbm", "p-cpe:/a:novell:suse_linux:python-idle", "p-cpe:/a:novell:suse_linux:python-tk", "p-cpe:/a:novell:suse_linux:python-xml", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2019-14142-1.NASL", "href": "https://www.tenable.com/plugins/nessus/150669", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2019:14142-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150669);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/10\");\n\n script_cve_id(\"CVE-2018-20852\", \"CVE-2019-10160\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2019:14142-1\");\n\n script_name(english:\"SUSE SLES11 Security Update : python (SUSE-SU-2019:14142-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2019:14142-1 advisory.\n\n - http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not\n correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An\n attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix\n (e.g., pythonicexample.com to steal cookies for example.com). When a program uses\n http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing\n cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before\n 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. (CVE-2018-20852)\n\n - A security regression of CVE-2019-9636 was discovered in python since commit\n d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through\n v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts\n of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or\n other kind of information, it is possible for an attacker to provide specially crafted URLs to make the\n application locate host-related information (e.g. cookies, authentication data) and send them to a\n different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack\n may vary based on the application. (CVE-2019-10160)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1138459\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1141853\");\n # https://lists.suse.com/pipermail/sle-security-updates/2019-August/005804.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eda62aff\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-20852\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-10160\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_6-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_6-1_0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-doc-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES11', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\npkgs = [\n {'reference':'libpython2_6-1_0-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'libpython2_6-1_0-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'libpython2_6-1_0-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-base-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-base-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-base-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-curses-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-demo-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-doc-2.6-8.40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-doc-pdf-2.6-8.40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-gdbm-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-idle-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-tk-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'python-xml-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},\n {'reference':'libpython2_6-1_0-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'libpython2_6-1_0-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'libpython2_6-1_0-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-base-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-base-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'s390x', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-base-32bit-2.6.9-40.29', 'sp':'4', 'cpu':'x86_64', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-curses-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-demo-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-doc-2.6-8.40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-doc-pdf-2.6-8.40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-gdbm-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-idle-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-tk-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'},\n {'reference':'python-xml-2.6.9-40.29', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n exists_check = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release && exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n else if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libpython2_6-1_0 / libpython2_6-1_0-32bit / python / python-32bit / etc');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:52:10", "description": "This update for python fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20852", "CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython2_7", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python", "p-cpe:/a:novell:suse_linux:python-base", "p-cpe:/a:novell:suse_linux:python-base-debuginfo", "p-cpe:/a:novell:suse_linux:python-base-debugsource", "p-cpe:/a:novell:suse_linux:python-curses", "p-cpe:/a:novell:suse_linux:python-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python-debuginfo", "p-cpe:/a:novell:suse_linux:python-debugsource", "p-cpe:/a:novell:suse_linux:python-demo", "p-cpe:/a:novell:suse_linux:python-devel", "p-cpe:/a:novell:suse_linux:python-gdbm", "p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo", "p-cpe:/a:novell:suse_linux:python-idle", "p-cpe:/a:novell:suse_linux:python-tk", "p-cpe:/a:novell:suse_linux:python-tk-debuginfo", "p-cpe:/a:novell:suse_linux:python-xml", "p-cpe:/a:novell:suse_linux:python-xml-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-2091-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127783", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2091-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127783);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : python (SUSE-SU-2019:2091-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\nintroduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-20852: Fixed an information leak where cookies could be send\nto the wrong server because of incorrect domain validation\n(bsc#1141853).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192091-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d1ac089d\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8:zypper in -t patch\nSUSE-OpenStack-Cloud-Crowbar-8-2019-2091=1\n\nSUSE OpenStack Cloud 8:zypper in -t patch\nSUSE-OpenStack-Cloud-8-2019-2091=1\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-2091=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP5:zypper in -t patch\nSUSE-SLE-WE-12-SP5-2019-2091=1\n\nSUSE Linux Enterprise Workstation Extension 12-SP4:zypper in -t patch\nSUSE-SLE-WE-12-SP4-2019-2091=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5:zypper in -t\npatch SUSE-SLE-SDK-12-SP5-2019-2091=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2019-2091=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3:zypper in -t patch\nSUSE-SLE-SAP-12-SP3-2019-2091=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-2091=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP5:zypper in -t patch\nSUSE-SLE-SERVER-12-SP5-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-BCL-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-2091=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-2091=1\n\nSUSE Linux Enterprise Desktop 12-SP5:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP5-2019-2091=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-2091=1\n\nSUSE Enterprise Storage 5:zypper in -t patch\nSUSE-Storage-5-2019-2091=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2019-2091=1\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nHPE Helion Openstack 8:zypper in -t patch\nHPE-Helion-OpenStack-8-2019-2091=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2/3/4/5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-base-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-demo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-devel-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-gdbm-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-gdbm-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-idle-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-base-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-demo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-gdbm-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-gdbm-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-idle-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-base-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-demo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-gdbm-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-gdbm-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-idle-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-base-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-demo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-devel-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-gdbm-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-gdbm-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-idle-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-base-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-demo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-gdbm-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-gdbm-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-idle-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-devel-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-base-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-base-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-base-debuginfo-32bit-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-base-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-curses-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-curses-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-debugsource-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-devel-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-tk-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-tk-debuginfo-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-xml-2.7.13-28.31.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python-xml-debuginfo-2.7.13-28.31.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-24T16:46:31", "description": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : python27 (ALAS-2019-1258)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python27", "p-cpe:/a:amazon:linux:python27-debuginfo", "p-cpe:/a:amazon:linux:python27-devel", "p-cpe:/a:amazon:linux:python27-libs", "p-cpe:/a:amazon:linux:python27-test", "p-cpe:/a:amazon:linux:python27-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1258.NASL", "href": "https://www.tenable.com/plugins/nessus/127814", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1258.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127814);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9948\");\n script_xref(name:\"ALAS\", value:\"2019-1258\");\n\n script_name(english:\"Amazon Linux AMI : python27 (ALAS-2019-1258)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A security regression of CVE-2019-9636 was discovered in python, since\ncommit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an\nattacker to exploit CVE-2019-9636 by abusing the user and password\nparts of a URL. When an application parses user-supplied URLs to store\ncookies, authentication credentials, or other kind of information, it\nis possible for an attacker to provide specially crafted URLs to make\nthe application locate host-related information (e.g. cookies,\nauthentication data) and send them to a different host than where it\nshould, unlike if the URLs had been correctly parsed. The result of an\nattack may vary based on the application.(CVE-2019-10160)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme,\nwhich makes it easier for remote attackers to bypass protection\nmechanisms that blacklist file: URIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1258.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update python27' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"python27-2.7.16-1.129.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-debuginfo-2.7.16-1.129.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-devel-2.7.16-1.129.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-libs-2.7.16-1.129.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-test-2.7.16-1.129.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-tools-2.7.16-1.129.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python27 / python27-debuginfo / python27-devel / python27-libs / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:49:36", "description": "Update Python 3.6 to [3.6.9](https://www.python.org/downloads/release/python-369/), the latest security release of the 3.6 branch. [Changelog for 3.6.9 final](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6- 9-final) and [3.6.9 release candidate 1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re lease-candidate-1). Includes security fixes for CVE-2019-9636, CVE-2019-9740, CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-15T00:00:00", "type": "nessus", "title": "Fedora 29 : python36 (2019-7df59302e0)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2020-01-08T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python36", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-7DF59302E0.NASL", "href": "https://www.tenable.com/plugins/nessus/126659", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-7df59302e0.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126659);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/08\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\", \"CVE-2019-9740\");\n script_xref(name:\"FEDORA\", value:\"2019-7df59302e0\");\n\n script_name(english:\"Fedora 29 : python36 (2019-7df59302e0)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update Python 3.6 to\n[3.6.9](https://www.python.org/downloads/release/python-369/), the\nlatest security release of the 3.6 branch. [Changelog for 3.6.9\nfinal](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-\n9-final) and [3.6.9 release candidate\n1](https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-re\nlease-candidate-1). Includes security fixes for CVE-2019-9636,\nCVE-2019-9740, CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7df59302e0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-final\"\n );\n # https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-9-release-candidate-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f60517a0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.python.org/downloads/release/python-369/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python36 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python36\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python36-3.6.9-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python36\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:52:54", "description": "This update for python3 fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).\n\nNon-security issue fixed: Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20852", "CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_6m1_0", "p-cpe:/a:novell:suse_linux:libpython3_6m1_0-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python3", "p-cpe:/a:novell:suse_linux:python3-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base", "p-cpe:/a:novell:suse_linux:python3-base-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debugsource", "p-cpe:/a:novell:suse_linux:python3-curses", "p-cpe:/a:novell:suse_linux:python3-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python3-dbm", "p-cpe:/a:novell:suse_linux:python3-dbm-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debugsource", "p-cpe:/a:novell:suse_linux:python3-devel", "p-cpe:/a:novell:suse_linux:python3-devel-debuginfo", "p-cpe:/a:novell:suse_linux:python3-idle", "p-cpe:/a:novell:suse_linux:python3-testsuite", "p-cpe:/a:novell:suse_linux:python3-testsuite-debuginfo", "p-cpe:/a:novell:suse_linux:python3-tk", "p-cpe:/a:novell:suse_linux:python3-tk-debuginfo", "p-cpe:/a:novell:suse_linux:python3-tools", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2019-2050-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127766", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2050-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127766);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2019:2050-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python3 fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\nintroduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-20852: Fixed an information leak where cookies could be send\nto the wrong server because of incorrect domain validation\n(bsc#1141853).\n\nNon-security issue fixed: Fixed an issue where the SIGINT signal was\nignored or not handled (bsc#1094814).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1094814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192050-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?55e90a3c\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2050=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-2050=1\n\nSUSE Linux Enterprise Module for Development Tools 15-SP1:zypper in -t\npatch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2050=1\n\nSUSE Linux Enterprise Module for Development Tools 15:zypper in -t\npatch SUSE-SLE-Module-Development-Tools-15-2019-2050=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2019-2050=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2019-2050=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-dbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-dbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-testsuite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython3_6m1_0-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython3_6m1_0-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-curses-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-curses-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-dbm-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-dbm-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-devel-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-devel-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-idle-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-testsuite-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-testsuite-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tk-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tk-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tools-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython3_6m1_0-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython3_6m1_0-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-curses-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-curses-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-dbm-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-dbm-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-devel-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-devel-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-idle-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-testsuite-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-testsuite-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tk-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tk-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tools-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython3_6m1_0-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython3_6m1_0-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-curses-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-curses-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-dbm-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-dbm-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-devel-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-devel-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-idle-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-testsuite-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-testsuite-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tk-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tk-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tools-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython3_6m1_0-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython3_6m1_0-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-curses-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-curses-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-dbm-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-dbm-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-debugsource-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-devel-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-devel-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-idle-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-testsuite-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-testsuite-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tk-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tk-debuginfo-3.6.8-3.23.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tools-3.6.8-3.23.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:55:59", "description": "Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-19T00:00:00", "type": "nessus", "title": "Fedora 30 : python34 (2019-2b1f72899a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-9636"], "modified": "2019-12-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python34", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-2B1F72899A.NASL", "href": "https://www.tenable.com/plugins/nessus/129027", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-2b1f72899a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129027);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/27\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-9636\");\n script_xref(name:\"FEDORA\", value:\"2019-2b1f72899a\");\n\n script_name(english:\"Fedora 30 : python34 (2019-2b1f72899a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-2b1f72899a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python34 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python34\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"python34-3.4.10-3.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python34\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:55:58", "description": "Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-19T00:00:00", "type": "nessus", "title": "Fedora 29 : python34 (2019-5dc275c9f2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-9636"], "modified": "2019-12-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python34", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-5DC275C9F2.NASL", "href": "https://www.tenable.com/plugins/nessus/129029", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-5dc275c9f2.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129029);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/27\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-9636\");\n script_xref(name:\"FEDORA\", value:\"2019-5dc275c9f2\");\n\n script_name(english:\"Fedora 29 : python34 (2019-5dc275c9f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2019-16056 (rhbz#1750457)\n\n----\n\nFix CVE-2019-10160 (rhbz#1718867)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5dc275c9f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python34 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python34\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python34-3.4.10-3.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python34\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:52:09", "description": "[Python 3.7.4](https://www.python.org/downloads/release/python-374/) is the fourth and most recent maintenance release of Python 3.7.\n[Changelog for final](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7- 4-final), [3.7.4 release candidate 2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-2) and [3.7.4 release candidate 1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-1). Contains security fixes for CVE-2019-9948 and CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "Fedora 29 : python3 / python3-docs (2019-60a1defcd1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2020-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python3", "p-cpe:/a:fedoraproject:fedora:python3-docs", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-60A1DEFCD1.NASL", "href": "https://www.tenable.com/plugins/nessus/127514", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-60a1defcd1.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127514);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\", \"CVE-2019-9948\");\n script_xref(name:\"FEDORA\", value:\"2019-60a1defcd1\");\n\n script_name(english:\"Fedora 29 : python3 / python3-docs (2019-60a1defcd1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"[Python 3.7.4](https://www.python.org/downloads/release/python-374/)\nis the fourth and most recent maintenance release of Python 3.7.\n[Changelog for\nfinal](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-\n4-final), [3.7.4 release candidate\n2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re\nlease-candidate-2) and [3.7.4 release candidate\n1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re\nlease-candidate-1). Contains security fixes for CVE-2019-9948 and\nCVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-60a1defcd1\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final\"\n );\n # https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-release-candidate-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aac1c460\"\n );\n # https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-release-candidate-2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?660eae69\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.python.org/downloads/release/python-374/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 and / or python3-docs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python3-3.7.4-1.fc29\")) flag++;\nif (rpm_check(release:\"FC29\", reference:\"python3-docs-3.7.4-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3 / python3-docs\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:48:55", "description": "[Python 3.7.4](https://www.python.org/downloads/release/python-374/) is the fourth and most recent maintenance release of Python 3.7.\n[Changelog for final](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7- 4-final), [3.7.4 release candidate 2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-2) and [3.7.4 release candidate 1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re lease-candidate-1). Contains security fixes for CVE-2019-9948 and CVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-29T00:00:00", "type": "nessus", "title": "Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python3", "p-cpe:/a:fedoraproject:fedora:python3-docs", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-9BFB4A3E4B.NASL", "href": "https://www.tenable.com/plugins/nessus/127105", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-9bfb4a3e4b.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127105);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\", \"CVE-2019-9948\");\n script_xref(name:\"FEDORA\", value:\"2019-9bfb4a3e4b\");\n\n script_name(english:\"Fedora 30 : python3 / python3-docs (2019-9bfb4a3e4b)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"[Python 3.7.4](https://www.python.org/downloads/release/python-374/)\nis the fourth and most recent maintenance release of Python 3.7.\n[Changelog for\nfinal](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-\n4-final), [3.7.4 release candidate\n2](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re\nlease-candidate-2) and [3.7.4 release candidate\n1](https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-re\nlease-candidate-1). Contains security fixes for CVE-2019-9948 and\nCVE-2019-10160.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-9bfb4a3e4b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-final\"\n );\n # https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-release-candidate-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aac1c460\"\n );\n # https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-4-release-candidate-2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?660eae69\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.python.org/downloads/release/python-374/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected python3 and / or python3-docs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"python3-3.7.4-1.fc30\")) flag++;\nif (rpm_check(release:\"FC30\", reference:\"python3-docs-3.7.4-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3 / python3-docs\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:52:50", "description": "This update for python3 fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).\n\nCVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000802", "CVE-2018-14647", "CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_4m1_0", "p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python3", "p-cpe:/a:novell:suse_linux:python3-base", "p-cpe:/a:novell:suse_linux:python3-base-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debugsource", "p-cpe:/a:novell:suse_linux:python3-curses", "p-cpe:/a:novell:suse_linux:python3-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debugsource", "p-cpe:/a:novell:suse_linux:python3-tk", "p-cpe:/a:novell:suse_linux:python3-tk-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-2053-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127768", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2053-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127768);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-1000802\", \"CVE-2018-14647\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2019:2053-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python3 fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\nintroduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-14647: Fixed a denial of service vulnerability caused by a\ncrafted XML document (bsc#1109847).\n\nCVE-2018-1000802: Fixed a command injection in the shutil module\n(bsc#1109663).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14647/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192053-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b5f13c3\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 8:zypper in -t patch\nSUSE-OpenStack-Cloud-8-2019-2053=1\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-2053=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP5:zypper in -t\npatch SUSE-SLE-SDK-12-SP5-2019-2053=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t\npatch SUSE-SLE-SDK-12-SP4-2019-2053=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3:zypper in -t patch\nSUSE-SLE-SAP-12-SP3-2019-2053=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-2053=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP5:zypper in -t patch\nSUSE-SLE-SERVER-12-SP5-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP4:zypper in -t patch\nSUSE-SLE-SERVER-12-SP4-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-2053=1\n\nSUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch\nSUSE-SLE-Module-Web-Scripting-12-2019-2053=1\n\nSUSE Linux Enterprise Desktop 12-SP5:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP5-2019-2053=1\n\nSUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP4-2019-2053=1\n\nSUSE Enterprise Storage 5:zypper in -t patch\nSUSE-Storage-5-2019-2053=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2019-2053=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1|2|3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2/3/4/5\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP4/5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_4m1_0-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_4m1_0-debuginfo-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-base-debuginfo-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-tk-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python3-tk-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"4\", cpu:\"x86_64\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-32bit-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-tk-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"5\", cpu:\"x86_64\", reference:\"python3-tk-debuginfo-3.4.6-25.29.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T16:53:34", "description": "This update for python3 fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-14647: Fixed a denial of service vulnerability caused by a crafted XML document (bsc#1109847).\n\nCVE-2018-1000802: Fixed a command injection in the shutil module (bsc#1109663).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-20T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000802", "CVE-2018-14647", "CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_4m1_0", "p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python3", "p-cpe:/a:novell:suse_linux:python3-base", "p-cpe:/a:novell:suse_linux:python3-base-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debugsource", "p-cpe:/a:novell:suse_linux:python3-curses", "p-cpe:/a:novell:suse_linux:python3-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2019-2053-2.NASL", "href": "https://www.tenable.com/plugins/nessus/128019", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2053-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128019);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/02\");\n\n script_cve_id(\"CVE-2018-1000802\", \"CVE-2018-14647\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n\n script_name(english:\"SUSE SLES12 Security Update : python3 (SUSE-SU-2019:2053-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for python3 fixes the following issues :\n\nCVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\nintroduced by the fix for CVE-2019-9636 (bsc#1138459).\n\nCVE-2018-14647: Fixed a denial of service vulnerability caused by a\ncrafted XML document (bsc#1109847).\n\nCVE-2018-1000802: Fixed a command injection in the shutil module\n(bsc#1109663).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14647/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192053-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cd1ae08c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8:zypper in -t patch\nSUSE-OpenStack-Cloud-Crowbar-8-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2019-2053=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-BCL-2019-2053=1\n\nSUSE Enterprise Storage 5:zypper in -t patch\nSUSE-Storage-5-2019-2053=1\n\nHPE Helion Openstack 8:zypper in -t patch\nHPE-Helion-OpenStack-8-2019-2053=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_4m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"libpython3_4m1_0-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-base-debugsource-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-curses-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-curses-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-debuginfo-3.4.6-25.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"python3-debugsource-3.4.6-25.29.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-20T15:08:14", "description": "According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the application.(CVE-2019-10160)urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.(CVE-2018-14647)python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free.\n Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow.\n As for the Use-After-Free, Thread3-i1/4zMalloc-i1/4zThread1-i1/4zFree's-i1/4zThread2-Re-us es-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.(CVE-2018-1000030)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-24T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1000030", "CVE-2018-14647", "CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:python", "p-cpe:/a:huawei:euleros:python-devel", "p-cpe:/a:huawei:euleros:python-libs", "p-cpe:/a:huawei:euleros:tkinter", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2019.NASL", "href": "https://www.tenable.com/plugins/nessus/129212", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129212);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2018-14647\",\n \"CVE-2018-1000030\",\n \"CVE-2019-9948\",\n \"CVE-2019-10160\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : python (EulerOS-SA-2019-2019)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Python is an interpreted, interactive, object-oriented\n programming language, which includes modules, classes,\n exceptions, very high level dynamic data types and\n dynamic typing. Python supports interfaces to many\n system calls and libraries, as well as to various\n windowing systems.Security Fix(es):A security\n regression of CVE-2019-9636 was discovered in python,\n since commit d537ab0ff9767ef024f26246899728f0116b1ec3,\n which still allows an attacker to exploit CVE-2019-9636\n by abusing the user and password parts of a URL. When\n an application parses user-supplied URLs to store\n cookies, authentication credentials, or other kind of\n information, it is possible for an attacker to provide\n specially crafted URLs to make the application locate\n host-related information (e.g. cookies, authentication\n data) and send them to a different host than where it\n should, unlike if the URLs had been correctly parsed.\n The result of an attack may vary based on the\n application.(CVE-2019-10160)urllib in Python 2.x\n through 2.7.16 supports the local_file: scheme, which\n makes it easier for remote attackers to bypass\n protection mechanisms that blacklist file: URIs, as\n demonstrated by triggering a\n urllib.urlopen('local_file:///etc/passwd')\n call.(CVE-2019-9948)Python's elementtree C accelerator\n failed to initialise Expat's hash salt during\n initialization. This could make it easy to conduct\n denial of service attacks against Expat by constructing\n an XML document that would cause pathological hash\n collisions in Expat's internal data structures,\n consuming large amounts CPU and\n RAM.(CVE-2018-14647)python 2.7.14 is vulnerable to a\n Heap-Buffer-Overflow as well as a Heap-Use-After-Free.\n Python versions prior to 2.7.14 may also be vulnerable\n and it appears that Python 2.7.17 and prior may also be\n vulnerable however this has not been confirmed. The\n vulnerability lies when multiply threads are handling\n large amounts of data. In both cases there is\n essentially a race condition that occurs. For the\n Heap-Buffer-Overflow, Thread 2 is creating the size for\n a buffer, but Thread1 is already writing to the buffer\n without knowing how much to write. So when a large\n amount of data is being processed, it is very easy to\n cause memory corruption using a Heap-Buffer-Overflow.\n As for the Use-After-Free,\n Thread3-i1/4zMalloc-i1/4zThread1-i1/4zFree's-i1/4zThread2-Re-us\n es-Free'd Memory. The PSRT has stated that this is not\n a security vulnerability due to the fact that the\n attacker must be able to run code, however in some\n situations, such as function as a service, this\n vulnerability can potentially be used by an attacker to\n violate a trust boundary, as such the DWF feels this\n issue deserves a CVE.(CVE-2018-1000030)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2019\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?927445bd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-58.h18\",\n \"python-devel-2.7.5-58.h18\",\n \"python-libs-2.7.5-58.h18\",\n \"tkinter-2.7.5-58.h18\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T17:00:41", "description": "Python 3.5 has now entered 'security fixes only' mode, and as such the only changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935, CVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-11-12T00:00:00", "type": "nessus", "title": "Fedora 29 : python35 (2019-d202cda4f8)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-12-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python35", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-D202CDA4F8.NASL", "href": "https://www.tenable.com/plugins/nessus/130797", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-d202cda4f8.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130797);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-9636\", \"CVE-2019-9740\");\n script_xref(name:\"FEDORA\", value:\"2019-d202cda4f8\");\n\n script_name(english:\"Fedora 29 : python35 (2019-d202cda4f8)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Python 3.5 has now entered 'security fixes only' mode, and as such the\nonly changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935,\nCVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-d202cda4f8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python35 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python35\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python35-3.5.8-2.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python35\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T17:01:35", "description": "Python 3.5 has now entered 'security fixes only' mode, and as such the only changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935, CVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-11-12T00:00:00", "type": "nessus", "title": "Fedora 30 : python35 (2019-b06ec6159b)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-12-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python35", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-B06EC6159B.NASL", "href": "https://www.tenable.com/plugins/nessus/130793", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-b06ec6159b.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130793);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-9636\", \"CVE-2019-9740\");\n script_xref(name:\"FEDORA\", value:\"2019-b06ec6159b\");\n\n script_name(english:\"Fedora 30 : python35 (2019-b06ec6159b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Python 3.5 has now entered 'security fixes only' mode, and as such the\nonly changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935,\nCVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b06ec6159b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python35 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python35\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"python35-3.5.8-2.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python35\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T17:01:33", "description": "Python 3.5 has now entered 'security fixes only' mode, and as such the only changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935, CVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-11-12T00:00:00", "type": "nessus", "title": "Fedora 31 : python35 (2019-57462fa10d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-12-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python35", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-57462FA10D.NASL", "href": "https://www.tenable.com/plugins/nessus/130784", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-57462fa10d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130784);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/12\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-9636\", \"CVE-2019-9740\");\n script_xref(name:\"FEDORA\", value:\"2019-57462fa10d\");\n\n script_name(english:\"Fedora 31 : python35 (2019-57462fa10d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Python 3.5 has now entered 'security fixes only' mode, and as such the\nonly changes since Python 3.5.4 are security fixes.\n\nhttps://www.python.org/downloads/release/python-358/\n\nhttps://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-8\n\nSecurity fix for CVE-2019-9740, CVE-2019-10160, CVE-2019-16935,\nCVE-2019-18348 , CVE-2019-16056.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-57462fa10d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python35 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python35\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"python35-3.5.8-2.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python35\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-20T15:06:52", "description": "An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.\nRed Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version:\nimgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ# 1711193, BZ#1717250, BZ#1726917)\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-20T00:00:00", "type": "nessus", "title": "RHEL 7 : Virtualization Manager (RHSA-2019:2437)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-16838", "CVE-2018-16881", "CVE-2019-0161", "CVE-2019-10139", "CVE-2019-10160", "CVE-2019-1559", "CVE-2019-9636"], "modified": "2022-05-19T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:imgbased", "p-cpe:/a:redhat:enterprise_linux:ovirt-node-ng-nodectl", "p-cpe:/a:redhat:enterprise_linux:python-imgbased", "p-cpe:/a:redhat:enterprise_linux:python2-ovirt-node-ng-nodectl", "p-cpe:/a:redhat:enterprise_linux:redhat-release-virtualization-host", "p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update", "p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update-placeholder", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2019-2437.NASL", "href": "https://www.tenable.com/plugins/nessus/127986", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:2437. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127986);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2018-16838\",\n \"CVE-2018-16881\",\n \"CVE-2019-0161\",\n \"CVE-2019-1559\",\n \"CVE-2019-10139\",\n \"CVE-2019-10160\"\n );\n script_xref(name:\"RHSA\", value:\"2019:2437\");\n\n script_name(english:\"RHEL 7 : Virtualization Manager (RHSA-2019:2437)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for redhat-virtualization-host is now available for Red Hat\nVirtualization 4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe redhat-virtualization-host packages provide the Red Hat\nVirtualization Host. These packages include\nredhat-release-virtualization-host, ovirt-node, and rhev-hypervisor.\nRed Hat Virtualization Hosts (RHVH) are installed using a special\nbuild of Red Hat Enterprise Linux with only the packages required to\nhost virtual machines. RHVH features a Cockpit user interface for\nmonitoring the host's resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version:\nimgbased (1.1.9), ovirt-node-ng (4.3.5),\nredhat-release-virtualization-host (4.3.5), redhat-virtualization-host\n(4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ# 1711193, BZ#1717250,\nBZ#1726917)\n\nSecurity Fix(es) :\n\n* python: regression of CVE-2019-9636 due to functional fix to allow\nport numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is\nenabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service\n(CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text\nvariable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive\npermissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:2437\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-16838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-16881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-0161\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-1559\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-10139\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-10160\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-16838\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-10160\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:imgbased\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ovirt-node-ng-nodectl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-imgbased\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ovirt-node-ng-nodectl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-release-virtualization-host\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-virtualization-host-image-update-placeholder\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:2437\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"imgbased-1.1.9-0.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ovirt-node-ng-nodectl-4.3.5-0.20190717.0.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python-imgbased-1.1.9-0.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"python2-ovirt-node-ng-nodectl-4.3.5-0.20190717.0.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"redhat-release-virtualization-host-4.3.5-2.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"redhat-virtualization-host-image-update-4.3.5-20190722.0.el7_7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"redhat-virtualization-host-image-update-placeholder-4.3.5-2.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"imgbased / ovirt-node-ng-nodectl / python-imgbased / etc\");\n }\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T17:00:17", "description": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. (CVE-2019-9948)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. (CVE-2019-9947)\n\nAn issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340 ; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\nPython 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:\nImproper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-11-25T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : python34 (ALAS-2019-1324)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10160", "CVE-2019-11340", "CVE-2019-16056", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2022-05-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:python34", "p-cpe:/a:amazon:linux:python34-debuginfo", "p-cpe:/a:amazon:linux:python34-devel", "p-cpe:/a:amazon:linux:python34-libs", "p-cpe:/a:amazon:linux:python34-test", "p-cpe:/a:amazon:linux:python34-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1324.NASL", "href": "https://www.tenable.com/plugins/nessus/131244", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1324.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131244);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_xref(name:\"ALAS\", value:\"2019-1324\");\n\n script_name(english:\"Amazon Linux AMI : python34 (ALAS-2019-1324)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A security regression of CVE-2019-9636 was discovered in python, since\ncommit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an\nattacker to exploit CVE-2019-9636 by abusing the user and password\nparts of a URL. When an application parses user-supplied URLs to store\ncookies, authentication credentials, or other kind of information, it\nis possible for an attacker to provide specially crafted URLs to make\nthe application locate host-related information (e.g. cookies,\nauthentication data) and send them to a different host than where it\nshould, unlike if the URLs had been correctly parsed. The result of an\nattack may vary based on the application. (CVE-2019-10160)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and\nurllib in Python 3.x through 3.7.3. CRLF injection is possible if the\nattacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the\nquery string after a ? character) followed by an HTTP header or a\nRedis command. (CVE-2019-9740)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme,\nwhich makes it easier for remote attackers to bypass protection\nmechanisms that blacklist file: URIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call. (CVE-2019-9948)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and\nurllib in Python 3.x through 3.7.3. CRLF injection is possible if the\nattacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the path\ncomponent of a URL that lacks a ? character) followed by an HTTP\nheader or a Redis command. This is similar to the CVE-2019-9740 query\nstring issue. (CVE-2019-9947)\n\nAn issue was discovered in Python through 2.7.16, 3.x through 3.5.7,\n3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly\nparses email addresses that contain multiple @ characters. An\napplication that uses the email module and implements some kind of\nchecks on the From/To headers of a message could be tricked into\naccepting an email address that should be denied. An attack may be the\nsame as in CVE-2019-11340 ; however, this CVE applies to Python more\ngenerally. (CVE-2019-16056)\n\nPython 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization. The impact is: Information disclosure\n(credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The\nattack vector is: A specially crafted URL could be incorrectly parsed\nto locate cookies or authentication data and send that information to\na different host than when parsed correctly. (CVE-2019-9636)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1324.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update python34' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python34-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"python34-3.4.10-1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-debuginfo-3.4.10-1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-devel-3.4.10-1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-libs-3.4.10-1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-test-3.4.10-1.49.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python34-tools-3.4.10-1.49.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python34 / python34-debuginfo / python34-devel / python34-libs / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:46:29", "description": "Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including \n\nCVE-2018-14647\n\nPython's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.\n\nCVE-2019-5010\n\nNULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization resulting in information disclosure (credentials, cookies, etc. that are cached against a given hostname).\nA specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression of CVE-2019-9636 was discovered which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2.7.9-2+deb8u3.\n\nWe recommend that you upgrade your python2.7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-06-25T00:00:00", "type": "nessus", "title": "Debian DLA-1834-1 : python2.7 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14647", "CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:idle-python2.7", "p-cpe:/a:debian:debian_linux:libpython2.7", "p-cpe:/a:debian:debian_linux:libpython2.7-dbg", "p-cpe:/a:debian:debian_linux:libpython2.7-dev", "p-cpe:/a:debian:debian_linux:libpython2.7-minimal", "p-cpe:/a:debian:debian_linux:libpython2.7-stdlib", "p-cpe:/a:debian:debian_linux:libpython2.7-testsuite", "p-cpe:/a:debian:debian_linux:python2.7", "p-cpe:/a:debian:debian_linux:python2.7-dbg", "p-cpe:/a:debian:debian_linux:python2.7-dev", "p-cpe:/a:debian:debian_linux:python2.7-doc", "p-cpe:/a:debian:debian_linux:python2.7-examples", "p-cpe:/a:debian:debian_linux:python2.7-minimal", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1834.NASL", "href": "https://www.tenable.com/plugins/nessus/126222", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1834-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126222);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-14647\", \"CVE-2019-10160\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n\n script_name(english:\"Debian DLA-1834-1 : python2.7 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in Python, an interactive\nhigh-level object-oriented language, including \n\nCVE-2018-14647\n\nPython's elementtree C accelerator failed to initialise Expat's hash\nsalt during initialization. This could make it easy to conduct denial\nof service attacks against Expat by constructing an XML document that\nwould cause pathological hash collisions in Expat's internal data\nstructures, consuming large amounts CPU and RAM.\n\nCVE-2019-5010\n\nNULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization resulting in information disclosure\n(credentials, cookies, etc. that are cached against a given hostname).\nA specially crafted URL could be incorrectly parsed to locate cookies\nor authentication data and send that information to a different host\nthan when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2 where CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the\nquery string after a ? character) followed by an HTTP header or a\nRedis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2 where CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the path\ncomponent of a URL that lacks a ? character) followed by an HTTP\nheader or a Redis command. This is similar to the CVE-2019-9740 query\nstring issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for\nremote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression of CVE-2019-9636 was discovered which still\nallows an attacker to exploit CVE-2019-9636 by abusing the user and\npassword parts of a URL. When an application parses user-supplied URLs\nto store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different host\nthan where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.7.9-2+deb8u3.\n\nWe recommend that you upgrade your python2.7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/python2.7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idle-python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-stdlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"idle-python2.7\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7-dbg\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7-dev\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7-minimal\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7-stdlib\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpython2.7-testsuite\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7-dbg\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7-dev\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7-doc\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7-examples\", reference:\"2.7.9-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python2.7-minimal\", reference:\"2.7.9-2+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T16:55:26", "description": "It was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-20406)\n\nIt was discovered that Python incorrectly validated the domain when handling cookies. An attacker could possibly trick Python into sending cookies to the wrong domain. (CVE-2018-20852)\n\nJonathan Birch and Panayiotis Panayiotou discovered that Python incorrectly handled Unicode encoding during NFKC normalization. An attacker could possibly use this issue to obtain sensitive information. (CVE-2019-9636, CVE-2019-10160)\n\nColin Read and Nicolas Edet discovered that Python incorrectly handled parsing certain X509 certificates. An attacker could possibly use this issue to cause Python to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.\n(CVE-2019-5010)\n\nIt was discovered that Python incorrectly handled certain urls. A remote attacker could possibly use this issue to perform CRLF injection attacks. (CVE-2019-9740, CVE-2019-9947)\n\nSihoon Lee discovered that Python incorrectly handled the local_file:\nscheme. A remote attacker could possibly use this issue to bypass blacklist meschanisms. (CVE-2019-9948).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-10T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20406", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2022-05-23T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:python2.7", "p-cpe:/a:canonical:ubuntu_linux:python2.7-minimal", "p-cpe:/a:canonical:ubuntu_linux:python3.5", "p-cpe:/a:canonical:ubuntu_linux:python3.5-minimal", "p-cpe:/a:canonical:ubuntu_linux:python3.6", "p-cpe:/a:canonical:ubuntu_linux:python3.6-minimal", "p-cpe:/a:canonical:ubuntu_linux:python3.7", "p-cpe:/a:canonical:ubuntu_linux:python3.7-minimal", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.04"], "id": "UBUNTU_USN-4127-1.NASL", "href": "https://www.tenable.com/plugins/nessus/128631", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4127-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128631);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/23\");\n\n script_cve_id(\"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_xref(name:\"USN\", value:\"4127-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : python2.7, python3.5, python3.6, python3.7 vulnerabilities (USN-4127-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Python incorrectly handled certain pickle\nfiles. An attacker could possibly use this issue to consume memory,\nleading to a denial of service. This issue only affected Ubuntu 16.04\nLTS and Ubuntu 18.04 LTS. (CVE-2018-20406)\n\nIt was discovered that Python incorrectly validated the domain when\nhandling cookies. An attacker could possibly trick Python into sending\ncookies to the wrong domain. (CVE-2018-20852)\n\nJonathan Birch and Panayiotis Panayiotou discovered that Python\nincorrectly handled Unicode encoding during NFKC normalization. An\nattacker could possibly use this issue to obtain sensitive\ninformation. (CVE-2019-9636, CVE-2019-10160)\n\nColin Read and Nicolas Edet discovered that Python incorrectly handled\nparsing certain X509 certificates. An attacker could possibly use this\nissue to cause Python to crash, resulting in a denial of service. This\nissue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.\n(CVE-2019-5010)\n\nIt was discovered that Python incorrectly handled certain urls. A\nremote attacker could possibly use this issue to perform CRLF\ninjection attacks. (CVE-2019-9740, CVE-2019-9947)\n\nSihoon Lee discovered that Python incorrectly handled the local_file:\nscheme. A remote attacker could possibly use this issue to bypass\nblacklist meschanisms. (CVE-2019-9948).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4127-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.5-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.6-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2022 Canonical, Inc. / NASL script (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"python2.7\", pkgver:\"2.7.12-1ubuntu0~16.04.8\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.12-1ubuntu0~16.04.8\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"python3.5\", pkgver:\"3.5.2-2ubuntu0~16.04.8\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"python3.5-minimal\", pkgver:\"3.5.2-2ubuntu0~16.04.8\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"python2.7\", pkgver:\"2.7.15-4ubuntu4~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.15-4ubuntu4~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"python3.6\", pkgver:\"3.6.8-1~18.04.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"python3.6-minimal\", pkgver:\"3.6.8-1~18.04.2\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"python2.7\", pkgver:\"2.7.16-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.16-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"python3.7\", pkgver:\"3.7.3-2ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"python3.7-minimal\", pkgver:\"3.7.3-2ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2.7 / python2.7-minimal / python3.5 / python3.5-minimal / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T15:40:06", "description": "Multiple vulnerabilities were discovered in Python2.7, an interactive high-level object-oriented language.\n\nCVE-2018-20852\n\nBy using a malicious server an attacker might steal cookies that are meant for other domains.\n\nCVE-2019-5010\n\nNULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization resulting in information disclosure (credentials, cookies, etc. that are cached against a given hostname).\nA specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2 where CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression of CVE-2019-9636 was discovered which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n\nCVE-2019-16056\n\nThe email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied.\n\nCVE-2019-20907\n\nOpening a crafted tar file could result in an infinite loop due to missing header validation.\n\nFor Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u4.\n\nWe recommend that you upgrade your python2.7 packages.\n\nFor the detailed security status of python2.7 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/python2.7\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-24T00:00:00", "type": "nessus", "title": "Debian DLA-2337-1 : python2.7 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20852", "CVE-2019-10160", "CVE-2019-16056", "CVE-2019-20907", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2022-05-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:idle-python2.7", "p-cpe:/a:debian:debian_linux:libpython2.7", "p-cpe:/a:debian:debian_linux:libpython2.7-dbg", "p-cpe:/a:debian:debian_linux:libpython2.7-dev", "p-cpe:/a:debian:debian_linux:libpython2.7-minimal", "p-cpe:/a:debian:debian_linux:libpython2.7-stdlib", "p-cpe:/a:debian:debian_linux:libpython2.7-testsuite", "p-cpe:/a:debian:debian_linux:python2.7", "p-cpe:/a:debian:debian_linux:python2.7-dbg", "p-cpe:/a:debian:debian_linux:python2.7-dev", "p-cpe:/a:debian:debian_linux:python2.7-doc", "p-cpe:/a:debian:debian_linux:python2.7-examples", "p-cpe:/a:debian:debian_linux:python2.7-minimal", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2337.NASL", "href": "https://www.tenable.com/plugins/nessus/139757", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2337-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139757);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-20907\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_xref(name:\"IAVA\", value:\"2020-A-0340-S\");\n\n script_name(english:\"Debian DLA-2337-1 : python2.7 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple vulnerabilities were discovered in Python2.7, an interactive\nhigh-level object-oriented language.\n\nCVE-2018-20852\n\nBy using a malicious server an attacker might steal cookies that are\nmeant for other domains.\n\nCVE-2019-5010\n\nNULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization resulting in information disclosure\n(credentials, cookies, etc. that are cached against a given hostname).\nA specially crafted URL could be incorrectly parsed to locate cookies\nor authentication data and send that information to a different host\nthan when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2 where CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the\nquery string after a ? character) followed by an HTTP header or a\nRedis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2 where CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the path\ncomponent of a URL that lacks a ? character) followed by an HTTP\nheader or a Redis command. This is similar to the CVE-2019-9740 query\nstring issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for\nremote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression of CVE-2019-9636 was discovered which still\nallows an attacker to exploit CVE-2019-9636 by abusing the user and\npassword parts of a URL. When an application parses user-supplied URLs\nto store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different host\nthan where it should, unlike if the URLs had been correctly parsed.\nThe result of an attack may vary based on the application.\n\nCVE-2019-16056\n\nThe email module wrongly parses email addresses that contain multiple\n@ characters. An application that uses the email module and implements\nsome kind of checks on the From/To headers of a message could be\ntricked into accepting an email address that should be denied.\n\nCVE-2019-20907\n\nOpening a crafted tar file could result in an infinite loop due to\nmissing header validation.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2.7.13-2+deb9u4.\n\nWe recommend that you upgrade your python2.7 packages.\n\nFor the detailed security status of python2.7 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/python2.7\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/python2.7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/python2.7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idle-python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-stdlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython2.7-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"idle-python2.7\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7-dbg\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7-dev\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7-minimal\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7-stdlib\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython2.7-testsuite\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7-dbg\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7-dev\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7-doc\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7-examples\", reference:\"2.7.13-2+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python2.7-minimal\", reference:\"2.7.13-2+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T15:26:12", "description": "This update for python36 to version 3.6.10 fixes the following issues :\n\nCVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).\n\nCVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ signs (bsc#1149955).\n\nCVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-02-04T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947"], "modified": "2020-02-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_6m1_0", "p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python36", "p-cpe:/a:novell:suse_linux:python36-base", "p-cpe:/a:novell:suse_linux:python36-base-debuginfo", "p-cpe:/a:novell:suse_linux:python36-base-debugsource", "p-cpe:/a:novell:suse_linux:python36-debuginfo", "p-cpe:/a:novell:suse_linux:python36-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2020-0302-1.NASL", "href": "https://www.tenable.com/plugins/nessus/133448", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:0302-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133448);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/02/06\");\n\n script_cve_id(\"CVE-2017-18207\", \"CVE-2018-1000802\", \"CVE-2018-1060\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-15903\", \"CVE-2019-16056\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9947\");\n\n script_name(english:\"SUSE SLES12 Security Update : python36 (SUSE-SU-2020:0302-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for python36 to version 3.6.10 fixes the following \nissues :\n\nCVE-2017-18207: Fixed a denial of service in\nWave_read._read_fmt_chunk() (bsc#1083507).\n\nCVE-2019-16056: Fixed an issue where email parsing could fail for\nmultiple @ signs (bsc#1149955).\n\nCVE-2019-15903: Fixed a heap-based buffer over-read in libexpat\n(bsc#1149429).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1029377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1081750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1094814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1137942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149121\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149429\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149792\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1151490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159035\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=709442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-18207/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1060/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15903/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16056/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5010/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9636/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9947/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20200302-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?68a41617\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-302=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python36-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_6m1_0-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-base-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-base-debuginfo-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-base-debugsource-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-debuginfo-3.6.10-4.3.5\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"python36-debugsource-3.6.10-4.3.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python36\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T15:38:14", "description": "Multiple security issues were discovered in Python, an interactive high-level object-oriented language.\n\nCVE-2018-20406\n\nModules/_pickle.c has an integer overflow via a large LONG_BINPUT value that is mishandled during a 'resize to twice the size' attempt.\nThis issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.\n\nCVE-2018-20852\n\nhttp.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com).\nWhen a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker.\n\nCVE-2019-5010\n\nAn exploitable denial of service vulnerability exists in the X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.\n\nCVE-2019-16056\n\nThe email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.\n\nCVE-2019-16935\n\nThe documentation XML-RPC server has XSS via the server_title field.\nThis occurs in Lib/xmlrpc/server.py. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.\n\nCVE-2019-18348\n\nAn issue was discovered in urllib2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue\n\nCVE-2020-8492\n\nPython allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.\n\nCVE-2020-14422\n\nLib/ipaddress.py improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.\n\nFor Debian 9 stretch, these problems have been fixed in version 3.5.3-1+deb9u2.\n\nWe recommend that you upgrade your python3.5 packages.\n\nFor the detailed security status of python3.5 please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/python3.5\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Debian DLA-2280-1 : python3.5 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20406", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-11340", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948", "CVE-2020-14422", "CVE-2020-8492"], "modified": "2022-05-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:idle-python3.5", "p-cpe:/a:debian:debian_linux:libpython3.5", "p-cpe:/a:debian:debian_linux:libpython3.5-dbg", "p-cpe:/a:debian:debian_linux:libpython3.5-dev", "p-cpe:/a:debian:debian_linux:libpython3.5-minimal", "p-cpe:/a:debian:debian_linux:libpython3.5-stdlib", "p-cpe:/a:debian:debian_linux:libpython3.5-testsuite", "p-cpe:/a:debian:debian_linux:python3.5", "p-cpe:/a:debian:debian_linux:python3.5-dbg", "p-cpe:/a:debian:debian_linux:python3.5-dev", "p-cpe:/a:debian:debian_linux:python3.5-doc", "p-cpe:/a:debian:debian_linux:python3.5-examples", "p-cpe:/a:debian:debian_linux:python3.5-minimal", "p-cpe:/a:debian:debian_linux:python3.5-venv", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2280.NASL", "href": "https://www.tenable.com/plugins/nessus/138529", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2280-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138529);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/13\");\n\n script_cve_id(\"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\", \"CVE-2020-14422\", \"CVE-2020-8492\");\n script_xref(name:\"IAVA\", value:\"2020-A-0340-S\");\n\n script_name(english:\"Debian DLA-2280-1 : python3.5 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were discovered in Python, an interactive\nhigh-level object-oriented language.\n\nCVE-2018-20406\n\nModules/_pickle.c has an integer overflow via a large LONG_BINPUT\nvalue that is mishandled during a 'resize to twice the size' attempt.\nThis issue might cause memory exhaustion, but is only relevant if the\npickle format is used for serializing tens or hundreds of gigabytes of\ndata.\n\nCVE-2018-20852\n\nhttp.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py\ndoes not correctly validate the domain: it can be tricked into sending\nexisting cookies to the wrong server. An attacker may abuse this flaw\nby using a server with a hostname that has another valid hostname as a\nsuffix (e.g., pythonicexample.com to steal cookies for example.com).\nWhen a program uses http.cookiejar.DefaultPolicy and tries to do an\nHTTP connection to an attacker-controlled server, existing cookies can\nbe leaked to the attacker.\n\nCVE-2019-5010\n\nAn exploitable denial of service vulnerability exists in the X509\ncertificate parser. A specially crafted X509 certificate can cause a\nNULL pointer dereference, resulting in a denial of service. An\nattacker can initiate or accept TLS connections using crafted\ncertificates to trigger this vulnerability.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization. The impact is: Information disclosure\n(credentials, cookies, etc. that are cached against a given hostname).\nThe components are: urllib.parse.urlsplit, urllib.parse.urlparse. The\nattack vector is: A specially crafted URL could be incorrectly parsed\nto locate cookies or authentication data and send that information to\na different host than when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2. CRLF injection is possible if the\nattacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the\nquery string after a ? character) followed by an HTTP header or a\nRedis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2. CRLF injection is possible if the\nattacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the path\ncomponent of a URL that lacks a ? character) followed by an HTTP\nheader or a Redis command. This is similar to the CVE-2019-9740 query\nstring issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for\nremote attackers to bypass protection mechanisms that blacklist file:\nURIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression was discovered in python, which still allows an\nattacker to exploit CVE-2019-9636 by abusing the user and password\nparts of a URL. When an application parses user-supplied URLs to store\ncookies, authentication credentials, or other kind of information, it\nis possible for an attacker to provide specially crafted URLs to make\nthe application locate host-related information (e.g. cookies,\nauthentication data) and send them to a different host than where it\nshould, unlike if the URLs had been correctly parsed. The result of an\nattack may vary based on the application.\n\nCVE-2019-16056\n\nThe email module wrongly parses email addresses that contain multiple\n@ characters. An application that uses the email module and implements\nsome kind of checks on the From/To headers of a message could be\ntricked into accepting an email address that should be denied. An\nattack may be the same as in CVE-2019-11340; however, this CVE applies\nto Python more generally.\n\nCVE-2019-16935\n\nThe documentation XML-RPC server has XSS via the server_title field.\nThis occurs in Lib/xmlrpc/server.py. If set_server_title is called\nwith untrusted input, arbitrary JavaScript can be delivered to clients\nthat visit the http URL for this server.\n\nCVE-2019-18348\n\nAn issue was discovered in urllib2. CRLF injection is possible if the\nattacker controls a url parameter, as demonstrated by the first\nargument to urllib.request.urlopen with \\r\\n (specifically in the host\ncomponent of a URL) followed by an HTTP header. This is similar to the\nCVE-2019-9740 query string issue and the CVE-2019-9947 path string\nissue\n\nCVE-2020-8492\n\nPython allows an HTTP server to conduct Regular Expression Denial of\nService (ReDoS) attacks against a client because of\nurllib.request.AbstractBasicAuthHandler catastrophic backtracking.\n\nCVE-2020-14422\n\nLib/ipaddress.py improperly computes hash values in the IPv4Interface\nand IPv6Interface classes, which might allow a remote attacker to\ncause a denial of service if an application is affected by the\nperformance of a dictionary containing IPv4Interface or IPv6Interface\nobjects, and this attacker can cause many dictionary entries to be\ncreated.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.5.3-1+deb9u2.\n\nWe recommend that you upgrade your python3.5 packages.\n\nFor the detailed security status of python3.5 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/python3.5\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/python3.5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/python3.5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9948\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idle-python3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5-stdlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.5-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.5-venv\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"idle-python3.5\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5-dbg\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5-dev\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5-minimal\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5-stdlib\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libpython3.5-testsuite\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-dbg\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-dev\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-doc\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-examples\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-minimal\", reference:\"3.5.3-1+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3.5-venv\", reference:\"3.5.3-1+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2022-06-16T15:24:47", "description": "This update for python3 to version 3.6.10 fixes the following issues :\n\n - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).\n\n - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).\n\n - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3389", "CVE-2011-4944", "CVE-2012-0845", "CVE-2012-1150", "CVE-2013-1752", "CVE-2013-4238", "CVE-2014-2667", "CVE-2014-4650", "CVE-2016-0772", "CVE-2016-1000110", "CVE-2016-5636", "CVE-2016-5699", "CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2018-20406", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947"], "modified": "2020-01-24T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libpython3_6m1_0", "p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit", "p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libpython3_6m1_0-debuginfo", "p-cpe:/a:novell:opensuse:python3", "p-cpe:/a:novell:opensuse:python3-32bit", "p-cpe:/a:novell:opensuse:python3-32bit-debuginfo", "p-cpe:/a:novell:opensuse:python3-base", "p-cpe:/a:novell:opensuse:python3-base-32bit", "p-cpe:/a:novell:opensuse:python3-base-32bit-debuginfo", "p-cpe:/a:novell:opensuse:python3-base-debuginfo", "p-cpe:/a:novell:opensuse:python3-base-debugsource", "p-cpe:/a:novell:opensuse:python3-curses", "p-cpe:/a:novell:opensuse:python3-curses-debuginfo", "p-cpe:/a:novell:opensuse:python3-dbm", "p-cpe:/a:novell:opensuse:python3-dbm-debuginfo", "p-cpe:/a:novell:opensuse:python3-debuginfo", "p-cpe:/a:novell:opensuse:python3-debugsource", "p-cpe:/a:novell:opensuse:python3-devel", "p-cpe:/a:novell:opensuse:python3-devel-debuginfo", "p-cpe:/a:novell:opensuse:python3-idle", "p-cpe:/a:novell:opensuse:python3-testsuite", "p-cpe:/a:novell:opensuse:python3-testsuite-debuginfo", "p-cpe:/a:novell:opensuse:python3-tk", "p-cpe:/a:novell:opensuse:python3-tk-debuginfo", "p-cpe:/a:novell:opensuse:python3-tools", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-86.NASL", "href": "https://www.tenable.com/plugins/nessus/133172", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-86.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133172);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/24\");\n\n script_cve_id(\"CVE-2011-3389\", \"CVE-2011-4944\", \"CVE-2012-0845\", \"CVE-2012-1150\", \"CVE-2013-1752\", \"CVE-2013-4238\", \"CVE-2014-2667\", \"CVE-2014-4650\", \"CVE-2016-0772\", \"CVE-2016-1000110\", \"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2017-18207\", \"CVE-2018-1000802\", \"CVE-2018-1060\", \"CVE-2018-1061\", \"CVE-2018-14647\", \"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-15903\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9947\");\n\n script_name(english:\"openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)\");\n script_summary(english:\"Check for the openSUSE-2020-86 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for python3 to version 3.6.10 fixes the following issues :\n\n - CVE-2017-18207: Fixed a denial of service in\n Wave_read._read_fmt_chunk() (bsc#1083507).\n\n - CVE-2019-16056: Fixed an issue where email parsing could\n fail for multiple @ (bsc#1149955).\n\n - CVE-2019-15903: Fixed a heap-based buffer over-read in\n libexpat (bsc#1149429).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1027282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1029377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1029902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1040164\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1042670\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1070853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079761\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1081750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088004\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1094814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107030\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120644\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1122191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1129346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1130840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1133452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1137942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1149121\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1149792\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1149955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1151490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1153238\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1159035\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1159622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=637176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=658604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=673071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=709442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=743787\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=747125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=751718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=754447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=754677\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=787526\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=809831\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=831629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=834601\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=871152\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=885662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=885882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=917607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=942751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=951166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=983582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=984751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=985177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=985348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=989523\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_6m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_6m1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpython3_6m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-dbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-dbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-testsuite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libpython3_6m1_0-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-base-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-base-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-base-debugsource-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-curses-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-curses-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-dbm-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-dbm-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-debugsource-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-devel-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-devel-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-idle-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-testsuite-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-testsuite-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-tk-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-tk-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-tools-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python3-32bit-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.10-lp151.6.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", cpu:\"x86_64\", reference:\"python3-base-32bit-debuginfo-3.6.10-lp151.6.7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpython3_6m1_0 / libpython3_6m1_0-debuginfo / python3-base / etc\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:24:44", "description": "This update for python3 to version 3.6.10 fixes the following issues :\n\nCVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).\n\nCVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).\n\nCVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-17T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3389", "CVE-2011-4944", "CVE-2012-0845", "CVE-2012-1150", "CVE-2013-1752", "CVE-2013-4238", "CVE-2014-2667", "CVE-2014-4650", "CVE-2016-0772", "CVE-2016-1000110", "CVE-2016-5636", "CVE-2016-5699", "CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2018-20406", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython3_6m1_0", "p-cpe:/a:novell:suse_linux:libpython3_6m1_0-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python3", "p-cpe:/a:novell:suse_linux:python3-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base", "p-cpe:/a:novell:suse_linux:python3-base-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debuginfo", "p-cpe:/a:novell:suse_linux:python3-base-debugsource", "p-cpe:/a:novell:suse_linux:python3-curses", "p-cpe:/a:novell:suse_linux:python3-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python3-dbm", "p-cpe:/a:novell:suse_linux:python3-dbm-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debuginfo", "p-cpe:/a:novell:suse_linux:python3-debugsource", "p-cpe:/a:novell:suse_linux:python3-devel", "p-cpe:/a:novell:suse_linux:python3-devel-debuginfo", "p-cpe:/a:novell:suse_linux:python3-idle", "p-cpe:/a:novell:suse_linux:python3-testsuite", "p-cpe:/a:novell:suse_linux:python3-testsuite-debuginfo", "p-cpe:/a:novell:suse_linux:python3-tk", "p-cpe:/a:novell:suse_linux:python3-tk-debuginfo", "p-cpe:/a:novell:suse_linux:python3-tools", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-0114-1.NASL", "href": "https://www.tenable.com/plugins/nessus/133036", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:0114-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133036);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2011-3389\", \"CVE-2011-4944\", \"CVE-2012-0845\", \"CVE-2012-1150\", \"CVE-2013-1752\", \"CVE-2013-4238\", \"CVE-2014-2667\", \"CVE-2014-4650\", \"CVE-2016-0772\", \"CVE-2016-1000110\", \"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2017-18207\", \"CVE-2018-1000802\", \"CVE-2018-1060\", \"CVE-2018-1061\", \"CVE-2018-14647\", \"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-15903\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9947\");\n script_bugtraq_id(49388, 49778, 51239, 52732, 61738, 63804, 66521, 68147);\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python3 to version 3.6.10 fixes the following issues :\n\nCVE-2017-18207: Fixed a denial of service in\nWave_read._read_fmt_chunk() (bsc#1083507).\n\nCVE-2019-16056: Fixed an issue where email parsing could fail for\nmultiple @ (bsc#1149955).\n\nCVE-2019-15903: Fixed a heap-based buffer over-read in libexpat\n(bsc#1149429).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1029377\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1029902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1040164\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042670\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1079761\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1081750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088004\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1094814\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107030\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1120644\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1122191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1129346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1133452\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1137942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149121\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149792\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1151490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1153238\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159035\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=637176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=658604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=673071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=709442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=743787\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=747125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=751718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=754447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=754677\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=787526\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=809831\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=831629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=834601\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=871152\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=885662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=885882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=917607\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=942751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=984751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=985177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=985348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=989523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2011-3389/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2011-4944/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2012-0845/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2012-1150/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2013-1752/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2013-4238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-2667/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-4650/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-0772/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1000110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5636/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5699/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-18207/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1060/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1061/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14647/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20406/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-15903/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16056/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16935/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5010/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9636/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9947/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20200114-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a736fc2\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-114=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15 :\n\nzypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-114=1\n\nSUSE Linux Enterprise Module for Development Tools 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-114=1\n\nSUSE Linux Enterprise Module for Development Tools 15 :\n\nzypper in -t patch SUSE-SLE-Module-Development-Tools-15-2020-114=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-114=1\n\nSUSE Linux Enterprise Module for Basesystem 15 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-114=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython3_6m1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-dbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-dbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-testsuite-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython3_6m1_0-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-base-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-curses-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-curses-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-dbm-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-dbm-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-devel-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-devel-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-idle-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-testsuite-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-testsuite-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tk-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tk-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-tools-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython3_6m1_0-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-base-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-curses-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-curses-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-dbm-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-dbm-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-devel-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-devel-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-idle-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-testsuite-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-testsuite-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tk-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tk-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python3-tools-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python3-base-32bit-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython3_6m1_0-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-base-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-curses-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-curses-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-dbm-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-dbm-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-devel-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-devel-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-idle-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-testsuite-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-testsuite-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tk-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tk-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-tools-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libpython3_6m1_0-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"python3-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"python3-base-32bit-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython3_6m1_0-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython3_6m1_0-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-base-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-curses-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-curses-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-dbm-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-dbm-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-debugsource-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-devel-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-devel-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-idle-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-testsuite-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-testsuite-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tk-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tk-debuginfo-3.6.10-3.42.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python3-tools-3.6.10-3.42.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:25:33", "description": "This update for python fixes the following issues :\n\nUpdated to version 2.7.17 to unify packages among openSUSE:Factory and SLE versions (bsc#1159035).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-27T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-2052", "CVE-2008-1721", "CVE-2008-2315", "CVE-2008-2316", "CVE-2008-3142", "CVE-2008-3143", "CVE-2008-3144", "CVE-2011-1521", "CVE-2011-3389", "CVE-2011-4944", "CVE-2012-0845", "CVE-2012-1150", "CVE-2013-1752", "CVE-2013-1753", "CVE-2013-4238", "CVE-2014-1912", "CVE-2014-4650", "CVE-2014-7185", "CVE-2016-0772", "CVE-2016-1000110", "CVE-2016-5636", "CVE-2016-5699", "CVE-2017-1000158", "CVE-2017-18207", "CVE-2018-1000030", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libpython2_7", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo", "p-cpe:/a:novell:suse_linux:python", "p-cpe:/a:novell:suse_linux:python-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python-base", "p-cpe:/a:novell:suse_linux:python-base-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:python-base-debuginfo", "p-cpe:/a:novell:suse_linux:python-base-debugsource", "p-cpe:/a:novell:suse_linux:python-curses", "p-cpe:/a:novell:suse_linux:python-curses-debuginfo", "p-cpe:/a:novell:suse_linux:python-debuginfo", "p-cpe:/a:novell:suse_linux:python-debugsource", "p-cpe:/a:novell:suse_linux:python-demo", "p-cpe:/a:novell:suse_linux:python-devel", "p-cpe:/a:novell:suse_linux:python-gdbm", "p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo", "p-cpe:/a:novell:suse_linux:python-idle", "p-cpe:/a:novell:suse_linux:python-tk", "p-cpe:/a:novell:suse_linux:python-tk-debuginfo", "p-cpe:/a:novell:suse_linux:python-xml", "p-cpe:/a:novell:suse_linux:python-xml-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-0234-1.NASL", "href": "https://www.tenable.com/plugins/nessus/133259", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:0234-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(133259);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2007-2052\", \"CVE-2008-1721\", \"CVE-2008-2315\", \"CVE-2008-2316\", \"CVE-2008-3142\", \"CVE-2008-3143\", \"CVE-2008-3144\", \"CVE-2011-1521\", \"CVE-2011-3389\", \"CVE-2011-4944\", \"CVE-2012-0845\", \"CVE-2012-1150\", \"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2013-4238\", \"CVE-2014-1912\", \"CVE-2014-4650\", \"CVE-2014-7185\", \"CVE-2016-0772\", \"CVE-2016-1000110\", \"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2017-1000158\", \"CVE-2017-18207\", \"CVE-2018-1000030\", \"CVE-2018-1000802\", \"CVE-2018-1060\", \"CVE-2018-1061\", \"CVE-2018-14647\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_bugtraq_id(28715, 30491, 47024, 49388, 49778, 51239, 52732, 61738, 63804, 65379, 66958, 68147, 70089);\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for python fixes the following issues :\n\nUpdated to version 2.7.17 to unify packages among openSUSE:Factory and\nSLE versions (bsc#1159035).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1027282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1041090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1042670\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1068664\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1073269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1073748\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1078326\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1078485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1079300\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1081750\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083507\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1084650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1086001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088004\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1111793\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1113755\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1122191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1129346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130840\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1130847\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1141853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149792\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1149955\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1153238\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1153830\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159035\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=214983\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=298378\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=346490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=367853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=379534\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=380942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=399190\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=406051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=425138\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=426563\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=430761\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=432677\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=436966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=437293\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=441088\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=462375\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=525295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=534721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=551715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=572673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=577032\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=581765\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=603255\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=617751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=637176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=638233\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=658604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=673071\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=682554\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=697251\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=707667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=718009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=747125\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=747794\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=751718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=754447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=766778\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=794139\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=804978\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=827982\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=831442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=834601\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=836739\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=856835\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=856836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=857470\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=863741\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=885882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=898572\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=901715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=935856\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=945401\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=964182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=984751\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=985177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=985348\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=989523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=997436\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2007-2052/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-1721/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-2315/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-2316/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-3142/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-3143/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2008-3144/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2011-1521/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2011-3389/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2011-4944/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2012-0845/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2012-1150/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2013-1752/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2013-1753/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2013-4238/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-1912/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-4650/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-7185/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-0772/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1000110/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5636/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-5699/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000158/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-18207/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000030/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1000802/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1060/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1061/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14647/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-20852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-10160/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16056/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16935/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5010/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9636/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-9948/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20200234-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a7e022df\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Python2 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-234=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-234=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15 :\n\nzypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2020-234=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Desktop-Applications-15-SP1-2020-234=1\n\nSUSE Linux Enterprise Module for Desktop Applications 15 :\n\nzypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2020-234=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-234=1\n\nSUSE Linux Enterprise Module for Basesystem 15 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-2020-234=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libpython2_7-1_0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-base-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-gdbm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-idle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-tk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python-xml-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/27\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython2_7-1_0-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-base-debugsource-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-curses-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-curses-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-debugsource-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-demo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-devel-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-gdbm-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-gdbm-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-idle-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-tk-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-tk-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-xml-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python-xml-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython2_7-1_0-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libpython2_7-1_0-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-base-debugsource-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-curses-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-curses-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-debugsource-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-demo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-devel-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-gdbm-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-gdbm-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-idle-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-tk-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-tk-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-xml-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"python-xml-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"libpython2_7-1_0-32bit-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-32bit-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", cpu:\"x86_64\", reference:\"python-base-32bit-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython2_7-1_0-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"libpython2_7-1_0-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-base-debugsource-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-curses-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-curses-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-debugsource-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-demo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-devel-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-gdbm-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-gdbm-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-idle-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-tk-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-tk-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-xml-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python-xml-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython2_7-1_0-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libpython2_7-1_0-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-debuginfo-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-base-debugsource-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-curses-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-curses-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-debugsource-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-demo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-devel-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-gdbm-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-gdbm-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-idle-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-tk-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-tk-debuginfo-2.7.17-7.32.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-xml-2.7.17-7.32.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"python-xml-debuginfo-2.7.17-7.32.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:31:02", "description": "A security regression of CVE-2019-9636 was discovered in python since\ncommit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7,\n3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an\nattacker to exploit CVE-2019-9636 by abusing the user and password parts of\na URL. When an application parses user-supplied URLs to store cookies,\nauthentication credentials, or other kind of information, it is possible\nfor an attacker to provide specially crafted URLs to make the application\nlocate host-related information (e.g. cookies, authentication data) and\nsend them to a different host than where it should, unlike if the URLs had\nbeen correctly parsed. The result of an attack may vary based on the\napplication.\n\n#### Bugs\n\n * <https://bugs.python.org/issue36742>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-07T00:00:00", "type": "ubuntucve", "title": "CVE-2019-10160", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160"], "modified": "2019-06-07T00:00:00", "id": "UB:CVE-2019-10160", "href": "https://ubuntu.com/security/CVE-2019-10160", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cloudlinux": [{"lastseen": "2021-07-28T14:36:06", "description": "Security fix for CVE-2019-10160\nResolves: rhbz#1716744", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-03-17T17:15:57", "type": "cloudlinux", "title": "Security fix for CVE-2019-10160", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160"], "modified": "2021-03-17T17:15:57", "id": "CLSA-2021:1616001357", "href": "https://repo.cloudlinux.com/centos6-els/updateinfo.xml", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "ibm": [{"lastseen": "2021-12-30T21:46:30", "description": "## Summary\n\nIBM Cloud Kubernetes Service is vulnerable to CVE-2019-10160 Python security vulnerability which could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling.\n\n## Vulnerability Details\n\nCVE-ID: [CVE-2019-10160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160>)\n\nDescription: Python urllib.parse.urlsplit and urllib.parse.urlparse components could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling. By using a specially-crafted URL, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/162358> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Cloud Kubernetes Service 1.15.0-1.15.2 \nIBM Cloud Kubernetes Service 1.14.0-1.14.5 \nIBM Cloud Kubernetes Service 1.13.0-1.13.9 \nIBM Cloud Kubernetes Service 1.5-1.12\n\n## Remediation/Fixes\n\nUpdates for IBM Cloud Kubernetes Service clusters at versions 1.13 and later are available that fix these vulnerabilities. IBM Cloud Kubernetes Service will attempt to automatically update your cluster master. However, in some situations, the update may not complete. In addition, you must update cluster worker nodes created before the fix was available to address these vulnerabilities.\n\nTo verify your clusters are no longer exposed, use the following IBM Cloud CLI commands to confirm the currently running versions:\n\n`ibmcloud ks clusters` \n`ibmcloud ks workers --cluster <cluster name or ID>`\n\nIf your cluster versions are at one of the following levels or later, your clusters are no longer exposed to these vulnerabilities:\n\n[1.13.10](<https://cloud.ibm.com/docs/containers?topic=containers-changelog#113_changelog>) \n[1.14.6](<https://cloud.ibm.com/docs/containers?topic=containers-changelog#114_changelog>) \n[1.15.3](<https://cloud.ibm.com/docs/containers?topic=containers-changelog#115_changelog>)\n\nIf one or more of your clusters is at version 1.13, 1.14 or 1.15 and has not had its master automatically updated then use the following IBM Cloud CLI command to complete the cluster master update, replacing \"1.##\" with the target version.\n\n`ibmcloud ks cluster-update --cluster <cluster name or ID> --kube-version 1.##`\n\nOnce your clusters have completed their master updates, see [Updating worker nodes](<https://cloud.ibm.com/docs/containers?topic=containers-update#worker_node>) for details on updating worker nodes still exposed to these vulnerabilities.\n\nCustomers running IBM Cloud Kubernetes Service clusters at versions 1.11 or 1.12 must [upgrade](<https://cloud.ibm.com/docs/containers?topic=containers-update#update>) their affected clusters to version 1.13. Customers running IBM Cloud Kubernetes Service clusters at version 1.10 must upgrade first to version 1.12 and then to version 1.13. Please review the [documentation](<https://cloud.ibm.com/docs/containers?topic=containers-update#update>) before starting an upgrade since additional actions may be required.\n\nIf you are running IBM Cloud Kubernetes Service clusters at version 1.5, 1.7, 1.8 or 1.9, there is no migration path.\n\nNote: IBM Cloud Kubernetes Service versions 1.5, 1.7, 1.8, 1.9, 1.10 and 1.11 are no longer supported, and version 1.12 is deprecated. See the IBM Cloud Kubernetes Service [Version information and update actions documentation](<https://cloud.ibm.com/docs/containers?topic=containers-cs_versions#cs_versions>) for more information about Kubernetes versions and version support policies.\n\n## Monitor IBM Cloud Status for Future Security Bulletins\n\nMonitor the [security notifications](<https://cloud.ibm.com/status?selected=security>) on the IBM Cloud Status page to be advised of future security bulletins.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\nDD MMM 2019: Original version published \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJTBP\",\"label\":\"IBM Cloud Kubernetes Service\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB21\",\"label\":\"Public Cloud Platform\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-24T16:45:55", "type": "ibm", "title": "Security Bulletin: IBM Cloud Kubernetes Service is affected by a Python security vulnerability (CVE-2019-10160)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160"], "modified": "2019-10-24T16:45:55", "id": "519ACEECE46E573E03F7FA0C1AF13E8FB0B460ACD56DD6FD91E7D025F5BC2CC6", "href": "https://www.ibm.com/support/pages/node/958893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nPython is used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVE. Note that the usage of Python within IBM Operations Analytics Predictive Insights is limited to the REST Mediation utility. If you do not use that utility then you are not affected by this bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10160](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160>) \n** DESCRIPTION: **A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162358](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162358>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights| 1.3.6 \n \n\n\n## Remediation/Fixes\n\nApply 1.3.6 Interim Fix 2 or later \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&amp;release=1.3.6](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6>)[ \n \n](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n28 Feb 2020: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Product\":{\"code\":\"SSJQQ3\",\"label\":\"IBM Operations Analytics - Predictive Insights\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"1.3.6\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-02-28T16:57:13", "type": "ibm", "title": "Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-10160)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2020-02-28T16:57:13", "id": "2D313E61C8DDD54F55567321F7E7638E346F11C56DF4960FF32482A9F20F2D09", "href": "https://www.ibm.com/support/pages/node/5260239", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-30T21:41:20", "description": "## Summary\n\nMultiple Security vulnerabilities have been fixed and delivered in IBM Security Access Manager Appliance.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-5407](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407>) \n**DESCRIPTION:** Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architectures parallel thread running capabilities to leak encrypted data from the CPU's internal processes. Note: This vulnerability is known as PortSmash. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2019-10160](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160>) \n**DESCRIPTION:** Python urllib.parse.urlsplit and urllib.parse.urlparse components could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling. By using a specially-crafted URL, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162358> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2019-11479](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479>) \n**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a flaw when processing minimum segment size (MSS). By sending specially-crafted MSS traffic, a remote attacker could exploit this vulnerability to cause excess usage of system resources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162665> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2019-11478](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478>) \n**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an issue with fragmenting the TCP retransmission queue when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause an excess of system resource usage. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162664> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2019-11477](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477>) \n**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an integer overflow when processing TCP Selective Acknowledgement (SACK) capabilities. By sending specially-crafted SACKs requests, a remote attacker could exploit this vulnerability to cause a kernel panic condition. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162662> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2018-14618](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618>) \n**DESCRIPTION:** cURL libcurl is vulnerable to a buffer overflow, caused by an integer overflow flaw in the Curl_ntlm_core_mk_nt_hash internal function in the NTLM authentication code. By sending an overly long password, a remote attacker could overflow a buffer and execute arbitrary code and cause the application to crash. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149359> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2019-3862](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862>) \n**DESCRIPTION:** libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when parsing packets with an exit status message and no payload. By sending specially crafted SSH_MSG_CHANNEL_REQUEST packets, a remote attacker could exploit this vulnerability to cause a denial of service or read data in the client memory. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158346> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2019-1559](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic. \nCVSS Base Score: 5.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157514> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2018-0734](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**EID:** [CVE-2018-7485](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7485>) \n**DESCRIPTION:** unixODBC is vulnerable to a denial of service, caused by a flaw in the SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139553> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-7409](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7409>) \n**DESCRIPTION:** unixODBC is vulnerable to a buffer overflow, caused by improper bounds checking by the unicode_to_ansi_copy function in DriverManager/__info.c. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139393> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2018-15473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473>) \n**DESCRIPTION:** OpenSSH could allow a remote attacker to obtain sensitive information, caused by different responses to valid and invalid authentication attempts. By sending a specially crafted request, an attacker could exploit this vulnerability to enumerate valid usernames. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148397> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Security Access Manager Appliance 9.0\n\n## Remediation/Fixes\n\nAffected Product/Version | APAR(s) | Fix availability \n---|---|--- \nIBM Security Access Manager 9.0 | \n\nIJ18764\n\nIJ18762\n\nIJ18760\n\nIJ18766\n\nIJ18765\n\nIJ18774\n\nIJ18773\n\nIJ18769\n\n| [9.0.7.0-ISS-ISAM-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=9.0.7.0-ISS-ISAM-IF0001&continue=1>) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n30 September 2019: First Publish\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\nPSIRT Product Records - 133365, 138919, 139822, 140684, 140706, 142049, 143111, 142257\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSQRZH\",\"label\":\"IBM Security Access Manager Appliance\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF004\",\"label\":\"Appliance\"}],\"Version\":\"9.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-30T21:15:52", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities have been addressed in IBM Security Access Manager Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0734", "CVE-2018-14618", "CVE-2018-15473", "CVE-2018-5407", "CVE-2018-7409", "CVE-2018-7485", "CVE-2019-10160", "CVE-2019-11477", "CVE-2019-11478", "CVE-2019-11479", "CVE-2019-1559", "CVE-2019-3862"], "modified": "2019-09-30T21:15:52", "id": "22C6665D00A9702426CEE593F4765FD3CD4EE170F8AA7F50D0505C6B2799BC21", "href": "https://www.ibm.com/support/pages/node/1076727", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-04-18T12:41:49", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for python fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\n introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1906=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1906=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-15T00:00:00", "type": "suse", "title": "Security update for python (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-08-15T00:00:00", "id": "OPENSUSE-SU-2019:1906-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PUN2FYU6IS24OA6WO4U6AZW3MIX2AM5Y/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-21T22:48:41", "description": "An update that solves 26 vulnerabilities and has 30 fixes\n is now available.\n\nDescription:\n\n This update for python3 to version 3.6.10 fixes the following issues:\n\n - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk()\n (bsc#1083507).\n - CVE-2019-16056: Fixed an issue where email parsing could fail for\n multiple @ (bsc#1149955).\n - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat\n (bsc#1149429).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-86=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-21T00:00:00", "type": "suse", "title": "Security update for python3 (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3389", "CVE-2011-4944", "CVE-2012-0845", "CVE-2012-1150", "CVE-2013-1752", "CVE-2013-4238", "CVE-2014-2667", "CVE-2014-4650", "CVE-2016-0772", "CVE-2016-1000110", "CVE-2016-5636", "CVE-2016-5699", "CVE-2017-18207", "CVE-2018-1000802", "CVE-2018-1060", "CVE-2018-1061", "CVE-2018-14647", "CVE-2018-20406", "CVE-2018-20852", "CVE-2019-10160", "CVE-2019-15903", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9947"], "modified": "2020-01-21T00:00:00", "id": "OPENSUSE-SU-2020:0086-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SRKGGFVSV7DDWCMAOSO6E3F66U2CF5XR/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2021-07-25T19:24:18", "description": "**Issue Overview:**\n\nA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\n\n \n**Affected Packages:** \n\n\npython34, python35, python36\n\n \n**Issue Correction:** \nRun _yum update python34_ to update your system. \nRun _yum update python35_ to update your system. \nRun _yum update python36_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 python34-tools-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-devel-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-test-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-libs-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-debuginfo-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-3.4.10-1.47.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-debuginfo-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-test-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-tools-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-devel-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python35-libs-3.5.7-1.23.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-devel-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-tools-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-debuginfo-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-debug-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-libs-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-3.6.8-1.14.amzn1.i686 \n \u00a0\u00a0\u00a0 python36-test-3.6.8-1.14.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 python34-3.4.10-1.47.amzn1.src \n \u00a0\u00a0\u00a0 python35-3.5.7-1.23.amzn1.src \n \u00a0\u00a0\u00a0 python36-3.6.8-1.14.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 python34-devel-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-test-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-debuginfo-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-tools-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-libs-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-3.4.10-1.47.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-libs-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-test-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-tools-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-debuginfo-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python35-devel-3.5.7-1.23.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-tools-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-test-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-debug-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-debuginfo-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-devel-3.6.8-1.14.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python36-libs-3.6.8-1.14.amzn1.x86_64 \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-07T23:03:00", "type": "amazon", "title": "Important: python34, python35, python36", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-08-12T18:22:00", "id": "ALAS-2019-1259", "href": "https://alas.aws.amazon.com/ALAS-2019-1259.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-25T19:38:37", "description": "**Issue Overview:**\n\nA security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)\n\n \n**Affected Packages:** \n\n\npython\n\n \n**Issue Correction:** \nRun _yum update python_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n \u00a0\u00a0\u00a0 python-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-libs-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-devel-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-tools-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 tkinter-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-test-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-debug-2.7.16-2.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python-debuginfo-2.7.16-2.amzn2.0.1.aarch64 \n \n i686: \n \u00a0\u00a0\u00a0 python-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-libs-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-devel-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-tools-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 tkinter-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-test-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-debug-2.7.16-2.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python-debuginfo-2.7.16-2.amzn2.0.1.i686 \n \n src: \n \u00a0\u00a0\u00a0 python-2.7.16-2.amzn2.0.1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 python-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-libs-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-devel-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-tools-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 tkinter-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-test-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-debug-2.7.16-2.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python-debuginfo-2.7.16-2.amzn2.0.1.x86_64 \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-07T23:46:00", "type": "amazon", "title": "Important: python", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-08-09T13:19:00", "id": "ALAS2-2019-1258", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1258.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-25T19:38:36", "description": "**Issue Overview:**\n\nA security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)\n\n \n**Affected Packages:** \n\n\npython3\n\n \n**Issue Correction:** \nRun _yum update python3_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n \u00a0\u00a0\u00a0 python3-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-libs-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-devel-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-tools-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-tkinter-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-test-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-debug-3.7.4-1.amzn2.0.1.aarch64 \n \u00a0\u00a0\u00a0 python3-debuginfo-3.7.4-1.amzn2.0.1.aarch64 \n \n i686: \n \u00a0\u00a0\u00a0 python3-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-libs-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-devel-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-tools-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-tkinter-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-test-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-debug-3.7.4-1.amzn2.0.1.i686 \n \u00a0\u00a0\u00a0 python3-debuginfo-3.7.4-1.amzn2.0.1.i686 \n \n src: \n \u00a0\u00a0\u00a0 python3-3.7.4-1.amzn2.0.1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 python3-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-libs-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-devel-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-tools-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-tkinter-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-test-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-debug-3.7.4-1.amzn2.0.1.x86_64 \n \u00a0\u00a0\u00a0 python3-debuginfo-3.7.4-1.amzn2.0.1.x86_64 \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-07T23:48:00", "type": "amazon", "title": "Important: python3", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-08-09T13:30:00", "id": "ALAS2-2019-1259", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1259.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-29T01:58:04", "description": "**Issue Overview:**\n\nA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)\n\n \n**Affected Packages:** \n\n\npython27\n\n \n**Issue Correction:** \nRun _yum update python27_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 python27-2.7.16-1.129.amzn1.i686 \n \u00a0\u00a0\u00a0 python27-devel-2.7.16-1.129.amzn1.i686 \n \u00a0\u00a0\u00a0 python27-debuginfo-2.7.16-1.129.amzn1.i686 \n \u00a0\u00a0\u00a0 python27-tools-2.7.16-1.129.amzn1.i686 \n \u00a0\u00a0\u00a0 python27-libs-2.7.16-1.129.amzn1.i686 \n \u00a0\u00a0\u00a0 python27-test-2.7.16-1.129.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 python27-2.7.16-1.129.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 python27-2.7.16-1.129.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python27-libs-2.7.16-1.129.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python27-test-2.7.16-1.129.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python27-devel-2.7.16-1.129.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python27-tools-2.7.16-1.129.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python27-debuginfo-2.7.16-1.129.amzn1.x86_64 \n \n \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-07T23:02:00", "type": "amazon", "title": "Important: python27", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-08-12T18:22:00", "id": "ALAS-2019-1258", "href": "https://alas.aws.amazon.com/ALAS-2019-1258.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-29T01:57:11", "description": "**Issue Overview:**\n\nA security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. (CVE-2019-10160)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. (CVE-2019-9740)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call. (CVE-2019-9948)\n\nAn issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. (CVE-2019-9947)\n\nAn issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally. (CVE-2019-16056)\n\nPython 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. (CVE-2019-9636)\n\n \n**Affected Packages:** \n\n\npython34\n\n \n**Issue Correction:** \nRun _yum update python34_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 python34-devel-3.4.10-1.49.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-test-3.4.10-1.49.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-3.4.10-1.49.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-debuginfo-3.4.10-1.49.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-libs-3.4.10-1.49.amzn1.i686 \n \u00a0\u00a0\u00a0 python34-tools-3.4.10-1.49.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 python34-3.4.10-1.49.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 python34-debuginfo-3.4.10-1.49.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-test-3.4.10-1.49.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-devel-3.4.10-1.49.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-libs-3.4.10-1.49.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-tools-3.4.10-1.49.amzn1.x86_64 \n \u00a0\u00a0\u00a0 python34-3.4.10-1.49.amzn1.x86_64 \n \n \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-19T17:31:00", "type": "amazon", "title": "Important: python34", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-11340", "CVE-2019-16056", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2019-11-22T03:19:00", "id": "ALAS-2019-1324", "href": "https://alas.aws.amazon.com/ALAS-2019-1324.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "redhatcve": [{"lastseen": "2022-06-08T08:13:02", "description": "A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-30T10:37:32", "type": "redhatcve", "title": "CVE-2019-10160", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2022-06-08T06:01:20", "id": "RH:CVE-2019-10160", "href": "https://access.redhat.com/security/cve/cve-2019-10160", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2022-04-03T07:41:15", "description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-07T18:29:00", "type": "debiancve", "title": "CVE-2019-10160", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-06-07T18:29:00", "id": "DEBIANCVE:CVE-2019-10160", "href": "https://security-tracker.debian.org/tracker/CVE-2019-10160", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2022-04-20T15:33:07", "description": " * Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. ([CVE-2019-9636](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636>))\n * A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application. ([CVE-2019-10160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160>))\n\nImpact\n\nA remote attacker may be able to use a specially crafted URL to locate cookies or authentication data and send that information to a different host than when parsed correctly.\n\nBIG-IP Extended Application Verification (EAV) monitors using the Python** urlsplit()** function with URLs from an untrusted source may be impacted by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-16T19:57:00", "type": "f5", "title": "Python vulnerabilities CVE-2019-9636 and CVE-2019-10160", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2022-04-20T14:09:00", "id": "F5:K57542514", "href": "https://support.f5.com/csp/article/K57542514", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-01-27T18:37:38", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1934)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191934", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191934", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1934\");\n script_version(\"2020-01-23T12:27:34+0000\");\n script_cve_id(\"CVE-2019-10160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:27:34 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:27:34 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1934)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1934\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1934\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1934 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~69.h22\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~69.h22\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~69.h22\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tools\", rpm:\"python-tools~2.7.5~69.h22\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-31T16:54:18", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-08-16T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for python (openSUSE-SU-2019:1906-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852650", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852650", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852650\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-16 02:00:56 +0000 (Fri, 16 Aug 2019)\");\n script_name(\"openSUSE: Security Advisory for python (openSUSE-SU-2019:1906-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1906-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00042.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python'\n package(s) announced via the openSUSE-SU-2019:1906-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for python fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit()\n introduced by the fix for CVE-2019-9636 (bsc#1138459).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-1906=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-1906=1\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-curses\", rpm:\"python-curses~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-curses-debuginfo\", rpm:\"python-curses-debuginfo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-debuginfo\", rpm:\"python-debuginfo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-debugsource\", rpm:\"python-debugsource~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-demo\", rpm:\"python-demo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-gdbm\", rpm:\"python-gdbm~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-gdbm-debuginfo\", rpm:\"python-gdbm-debuginfo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-idle\", rpm:\"python-idle~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tk\", rpm:\"python-tk~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tk-debuginfo\", rpm:\"python-tk-debuginfo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-32bit\", rpm:\"python-32bit~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-32bit-debuginfo\", rpm:\"python-32bit-debuginfo~2.7.14~lp150.6.13.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:33:13", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2019-1778)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191778", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191778", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1778\");\n script_version(\"2020-01-23T12:22:12+0000\");\n script_cve_id(\"CVE-2019-10160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:22:12 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:22:12 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2019-1778)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1778\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1778\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python3' package(s) announced via the EulerOS-SA-2019-1778 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\");\n\n script_tag(name:\"affected\", value:\"'python3' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.7.0~9.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-libs\", rpm:\"python3-libs~3.7.0~9.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-test\", rpm:\"python3-test~3.7.0~9.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-06-27T14:43:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-25T00:00:00", "type": "openvas", "title": "CentOS Update for python CESA-2019:1587 centos7 ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2019-06-27T00:00:00", "id": "OPENVAS:1361412562310883071", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883071", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883071\");\n script_version(\"2019-06-27T06:30:18+0000\");\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-06-27 06:30:18 +0000 (Thu, 27 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-25 02:00:40 +0000 (Tue, 25 Jun 2019)\");\n script_name(\"CentOS Update for python CESA-2019:1587 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:1587\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-June/023337.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python'\n package(s) announced via the CESA-2019:1587 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python is an interpreted, interactive, object-oriented programming\nlanguage, which includes modules, classes, exceptions, very high level\ndynamic data types and dynamic typing. Python supports interfaces to many\nsystem calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n * python: regression of CVE-2019-9636 due to functional fix to allow port\nnumbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-debug\", rpm:\"python-debug~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-test\", rpm:\"python-test~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-tools\", rpm:\"python-tools~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~80.el7_6\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:32:54", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python2 (EulerOS-SA-2019-1771)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1771\");\n script_version(\"2020-01-23T12:22:00+0000\");\n script_cve_id(\"CVE-2019-10160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:22:00 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:22:00 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python2 (EulerOS-SA-2019-1771)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP8\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1771\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1771\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python2' package(s) announced via the EulerOS-SA-2019-1771 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\");\n\n script_tag(name:\"affected\", value:\"'python2' package(s) on Huawei EulerOS V2.0SP8.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP8\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python-unversioned-command\", rpm:\"python-unversioned-command~2.7.15~10.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python2\", rpm:\"python2~2.7.15~10.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python2-devel\", rpm:\"python2-devel~2.7.15~10.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python2-libs\", rpm:\"python2-libs~2.7.15~10.h7.eulerosv2r8\", rls:\"EULEROS-2.0SP8\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:35:38", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1797)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-10160"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191797", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191797", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1797\");\n script_version(\"2020-01-23T12:22:52+0000\");\n script_cve_id(\"CVE-2019-10160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:22:52 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:22:52 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1797)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1797\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1797\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1797 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~69.h21.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~69.h21.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~69.h21.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~69.h21.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-14T14:48:52", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for python34 FEDORA-2019-50772cf122", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-16056", "CVE-2019-10160"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877216", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877216", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877216\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-16056\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:32:43 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for python34 FEDORA-2019-50772cf122\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-50772cf122\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python34'\n package(s) announced via the FEDORA-2019-50772cf122 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.4 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.4, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections.\");\n\n script_tag(name:\"affected\", value:\"'python34' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python34\", rpm:\"python34~3.4.10~6.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-09-20T14:35:28", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-19T00:00:00", "type": "openvas", "title": "Fedora Update for python34 FEDORA-2019-2b1f72899a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-16056", "CVE-2019-10160"], "modified": "2019-09-20T00:00:00", "id": "OPENVAS:1361412562310876817", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876817", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876817\");\n script_version(\"2019-09-20T05:25:28+0000\");\n script_cve_id(\"CVE-2019-16056\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-09-20 05:25:28 +0000 (Fri, 20 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-19 02:31:14 +0000 (Thu, 19 Sep 2019)\");\n script_name(\"Fedora Update for python34 FEDORA-2019-2b1f72899a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2b1f72899a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python34'\n package(s) announced via the FEDORA-2019-2b1f72899a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.4 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.4, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections.\");\n\n script_tag(name:\"affected\", value:\"'python34' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python34\", rpm:\"python34~3.4.10~3.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-19T21:44:18", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-07-13T00:00:00", "type": "openvas", "title": "Fedora Update for python36 FEDORA-2019-7723d4774a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9740", "CVE-2019-10160"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310876569", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876569", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876569\");\n script_version(\"2019-07-17T08:19:47+0000\");\n script_cve_id(\"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-10160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:19:47 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-13 02:14:27 +0000 (Sat, 13 Jul 2019)\");\n script_name(\"Fedora Update for python36 FEDORA-2019-7723d4774a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7723d4774a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'python36' package(s) announced via the FEDORA-2019-7723d4774a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.6 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.6, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections\nor older Fedora releases.\");\n\n script_tag(name:\"affected\", value:\"'python36' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python36\", rpm:\"python36~3.6.9~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-07-30T13:47:41", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-07-29T00:00:00", "type": "openvas", "title": "Fedora Update for python3-docs FEDORA-2019-9bfb4a3e4b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9948", "CVE-2019-10160"], "modified": "2019-07-30T00:00:00", "id": "OPENVAS:1361412562310876619", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876619", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876619\");\n script_version(\"2019-07-30T06:12:43+0000\");\n script_cve_id(\"CVE-2019-9948\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-30 06:12:43 +0000 (Tue, 30 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-29 02:16:29 +0000 (Mon, 29 Jul 2019)\");\n script_name(\"Fedora Update for python3-docs FEDORA-2019-9bfb4a3e4b\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-9bfb4a3e4b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HW2MKPKX4I2XFXJPRGEEDE3MA5J7UMQF\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3-docs'\n package(s) announced via the FEDORA-2019-9bfb4a3e4b advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The python3-docs package contains documentation on the Python 3\nprogramming language and interpreter.\n\nInstall the python3-docs package if you&#39, d like to use the documentation\nfor the Python 3 language.\");\n\n script_tag(name:\"affected\", value:\"'python3-docs' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-docs\", rpm:\"python3-docs~3.7.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-27T18:39:51", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1866)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9948", "CVE-2019-10160"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191866", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191866", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1866\");\n script_version(\"2020-01-23T12:25:25+0000\");\n script_cve_id(\"CVE-2019-10160\", \"CVE-2019-9948\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:25:25 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:25:25 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-1866)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1866\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1866\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-1866 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~58.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~58.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~58.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~58.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-15T14:38:13", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-08-05T00:00:00", "type": "openvas", "title": "Fedora Update for python3-docs FEDORA-2019-60a1defcd1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9948", "CVE-2019-10160"], "modified": "2019-08-14T00:00:00", "id": "OPENVAS:1361412562310876633", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876633", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876633\");\n script_version(\"2019-08-14T07:16:43+0000\");\n script_cve_id(\"CVE-2019-9948\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-14 07:16:43 +0000 (Wed, 14 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-05 02:17:32 +0000 (Mon, 05 Aug 2019)\");\n script_name(\"Fedora Update for python3-docs FEDORA-2019-60a1defcd1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-60a1defcd1\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCB46WOHLWXCQDJAEWHTKP7WTUY3NZ6P\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'python3-docs' package(s) announced via the FEDORA-2019-60a1defcd1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The python3-docs package contains\n documentation on the Python 3 programming language and interpreter.\n\nInstall the python3-docs package if you&#39, d like to use the documentation\nfor the Python 3 language.\");\n\n script_tag(name:\"affected\", value:\"'python3-docs' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-docs\", rpm:\"python3-docs~3.7.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-07-30T13:48:07", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-07-29T00:00:00", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2019-9bfb4a3e4b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9948", "CVE-2019-10160"], "modified": "2019-07-30T00:00:00", "id": "OPENVAS:1361412562310876616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876616", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876616\");\n script_version(\"2019-07-30T06:12:43+0000\");\n script_cve_id(\"CVE-2019-9948\", \"CVE-2019-10160\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-30 06:12:43 +0000 (Tue, 30 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-29 02:16:19 +0000 (Mon, 29 Jul 2019)\");\n script_name(\"Fedora Update for python3 FEDORA-2019-9bfb4a3e4b\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-9bfb4a3e4b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3'\n package(s) announced via the FEDORA-2019-9bfb4a3e4b advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python is an accessible, high-level, dynamically typed, interpreted programming\nlanguage, designed with an emphasis on code readability.\nIt includes an extensive standard library, and has a vast ecosystem of\nthird-party libraries.\n\nThe python3 package provides the 'python3' executable: the reference\ninterpreter for the Python language, version 3.\nThe majority of its standard library is provided in the python3-libs package,\nwhich should be installed automatically along with python3.\nThe remaining parts of the Python standard library are broken out into the\npython3-tkinter and python3-test packages, which may need to be installed\nseparately.\n\nDocumentation for Python is provided in the python3-docs package.\n\nPackages containing additional libraries for Python are generally named with\nthe 'python3-' prefix.\");\n\n script_tag(name:\"affected\", value:\"'python3' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.7.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-08-15T14:35:44", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-08-05T00:00:00", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2019-60a1defcd1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9948", "CVE-2019-5010", "CVE-2019-10160"], "modified": "2019-08-14T00:00:00", "id": "OPENVAS:1361412562310876635", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876635", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876635\");\n script_version(\"2019-08-14T07:16:43+0000\");\n script_cve_id(\"CVE-2019-9948\", \"CVE-2019-10160\", \"CVE-2019-9636\", \"CVE-2019-5010\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-08-14 07:16:43 +0000 (Wed, 14 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-05 02:17:45 +0000 (Mon, 05 Aug 2019)\");\n script_name(\"Fedora Update for python3 FEDORA-2019-60a1defcd1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-60a1defcd1\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'python3' package(s) announced via the FEDORA-2019-60a1defcd1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python is an accessible, high-level,\n dynamically typed, interpreted programming language, designed with an emphasis\n on code readability. It includes an extensive standard library, and has a vast\n ecosystem of third-party libraries.\n\nThe python3 package provides the 'python3' executable: the reference\ninterpreter for the Python language, version 3.\nThe majority of its standard library is provided in the python3-libs package,\nwhich should be installed automatically along with python3.\nThe remaining parts of the Python standard library are broken out into the\npython3-tkinter and python3-test packages, which may need to be installed\nseparately.\n\nDocumentation for Python is provided in the python3-docs package.\n\nPackages containing additional libraries for Python are generally named with\nthe 'python3-' prefix.\");\n\n script_tag(name:\"affected\", value:\"'python3' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.7.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-09-24T14:35:08", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-20T00:00:00", "type": "openvas", "title": "Fedora Update for python34 FEDORA-2019-5dc275c9f2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-16056", "CVE-2018-14647", "CVE-2019-10160"], "modified": "2019-09-23T00:00:00", "id": "OPENVAS:1361412562310876820", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876820", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876820\");\n script_version(\"2019-09-23T11:41:07+0000\");\n script_cve_id(\"CVE-2019-16056\", \"CVE-2019-10160\", \"CVE-2018-14647\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-09-23 11:41:07 +0000 (Mon, 23 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-20 05:34:57 +0000 (Fri, 20 Sep 2019)\");\n script_name(\"Fedora Update for python34 FEDORA-2019-5dc275c9f2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-5dc275c9f2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python34'\n package(s) announced via the FEDORA-2019-5dc275c9f2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.4 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.4, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections.\");\n\n script_tag(name:\"affected\", value:\"'python34' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python34\", rpm:\"python34~3.4.10~3.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-19T21:44:18", "description": "The remote host is missing an update for the\n ", "cvss3": {}, "published": "2019-07-13T00:00:00", "type": "openvas", "title": "Fedora Update for python36 FEDORA-2019-7df59302e0", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9740", "CVE-2018-14647", "CVE-2019-5010", "CVE-2019-10160"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310876576", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876576", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876576\");\n script_version(\"2019-07-17T08:19:47+0000\");\n script_cve_id(\"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-10160\", \"CVE-2019-5010\", \"CVE-2018-14647\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:19:47 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-13 02:14:38 +0000 (Sat, 13 Jul 2019)\");\n script_name(\"Fedora Update for python36 FEDORA-2019-7df59302e0\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7df59302e0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'python36' package(s) announced via the FEDORA-2019-7df59302e0 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.6 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.6, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections\nor older Fedora releases.\");\n\n script_tag(name:\"affected\", value:\"'python36' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python36\", rpm:\"python36~3.6.9~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-11T16:49:25", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-2019)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2018-1000030", "CVE-2019-9948", "CVE-2018-14647", "CVE-2019-10160"], "modified": "2020-03-10T00:00:00", "id": "OPENVAS:1361412562311220192019", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192019", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2019\");\n script_version(\"2020-03-10T08:49:29+0000\");\n script_cve_id(\"CVE-2018-1000030\", \"CVE-2018-14647\", \"CVE-2019-10160\", \"CVE-2019-9948\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-03-10 08:49:29 +0000 (Tue, 10 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:31:02 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for python (EulerOS-SA-2019-2019)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2019\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2019\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'python' package(s) announced via the EulerOS-SA-2019-2019 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.(CVE-2019-10160)\n\nurllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.(CVE-2019-9948)\n\nPython's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.(CVE-2018-14647)\n\npython 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3-Malloc-Thread1-Free's-Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.(CVE-2018-1000030)\");\n\n script_tag(name:\"affected\", value:\"'python' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~58.h18\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~58.h18\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~58.h18\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~58.h18\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-14T14:48:53", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-09T00:00:00", "type": "openvas", "title": "Fedora Update for python35 FEDORA-2019-57462fa10d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-16056", "CVE-2019-9740", "CVE-2019-10160"], "modified": "2020-01-13T00:00:00", "id": "OPENVAS:1361412562310877282", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310877282", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.877282\");\n script_version(\"2020-01-13T11:49:13+0000\");\n script_cve_id(\"CVE-2019-9740\", \"CVE-2019-10160\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-16056\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-13 11:49:13 +0000 (Mon, 13 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-09 07:35:52 +0000 (Thu, 09 Jan 2020)\");\n script_name(\"Fedora Update for python35 FEDORA-2019-57462fa10d\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC31\");\n\n script_xref(name:\"FEDORA\", value:\"2019-57462fa10d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python35'\n package(s) announced via the FEDORA-2019-57462fa10d advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.5 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.5, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections\nor older Fedora releases.\");\n\n script_tag(name:\"affected\", value:\"'python35' package(s) on Fedora 31.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC31\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python35\", rpm:\"python35~3.5.8~2.fc31\", rls:\"FC31\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-13T19:28:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-11-10T00:00:00", "type": "openvas", "title": "Fedora Update for python35 FEDORA-2019-b06ec6159b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-16056", "CVE-2019-9740", "CVE-2019-10160"], "modified": "2019-11-12T00:00:00", "id": "OPENVAS:1361412562310876974", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876974", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876974\");\n script_version(\"2019-11-12T09:30:57+0000\");\n script_cve_id(\"CVE-2019-9740\", \"CVE-2019-10160\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-16056\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 09:30:57 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-10 03:24:17 +0000 (Sun, 10 Nov 2019)\");\n script_name(\"Fedora Update for python35 FEDORA-2019-b06ec6159b\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-b06ec6159b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python35'\n package(s) announced via the FEDORA-2019-b06ec6159b advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.5 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.5, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections\nor older Fedora releases.\");\n\n script_tag(name:\"affected\", value:\"'python35' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python35\", rpm:\"python35~3.5.8~2.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-11-13T19:28:51", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-11-10T00:00:00", "type": "openvas", "title": "Fedora Update for python35 FEDORA-2019-d202cda4f8", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-16056", "CVE-2019-9740", "CVE-2018-14647", "CVE-2019-10160"], "modified": "2019-11-12T00:00:00", "id": "OPENVAS:1361412562310876976", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876976", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876976\");\n script_version(\"2019-11-12T09:30:57+0000\");\n script_cve_id(\"CVE-2019-9740\", \"CVE-2019-10160\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-16056\", \"CVE-2018-14647\", \"CVE-2019-9636\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 09:30:57 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-10 03:24:25 +0000 (Sun, 10 Nov 2019)\");\n script_name(\"Fedora Update for python35 FEDORA-2019-d202cda4f8\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-d202cda4f8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python35'\n package(s) announced via the FEDORA-2019-d202cda4f8 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Python 3.5 package for developers.\n\nThis package exists to allow developers to test their code against an older\nversion of Python. This is not a full Python stack and if you wish to run\nyour applications with Python 3.5, see other distributions\nthat support it, such as CentOS or RHEL with Software Collections\nor older Fedora releases.\");\n\n script_tag(name:\"affected\", value:\"'python35' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python35\", rpm:\"python35~3.5.8~2.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-29T19:29:49", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-26T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for python2.7 (DLA-1834-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9948", "CVE-2019-9947", "CVE-2018-14647", "CVE-2019-5010", "CVE-2019-10160"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891834", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891834", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891834\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-14647\", \"CVE-2019-10160\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-26 02:00:15 +0000 (Wed, 26 Jun 2019)\");\n script_name(\"Debian LTS: Security Advisory for python2.7 (DLA-1834-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1834-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/921039\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/921040\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/924073\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python2.7'\n package(s) announced via the DLA-1834-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were discovered in Python, an interactive\nhigh-level object-oriented language, including\n\nCVE-2018-14647\n\nPython's elementtree C accelerator failed to initialise Expat's hash\nsalt during initialization. This could make it easy to conduct\ndenial of service attacks against Expat by constructing an XML\ndocument that would cause pathological hash collisions in Expat's\ninternal data structures, consuming large amounts CPU and RAM.\n\nCVE-2019-5010\n\nNULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization resulting in information disclosure\n(credentials, cookies, etc. that are cached against a given\nhostname). A specially crafted URL could be incorrectly parsed to\nlocate cookies or authentication data and send that information to\na different host than when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2 where CRLF injection is possible\nif the attacker controls a url parameter, as demonstrated by the\nfirst argument to urllib.request.urlopen with \\r\\n (specifically in\nthe query string after a ? character) followed by an HTTP header or\na Redis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2 where CRLF injection is possible\nif the attacker controls a url parameter, as demonstrated by the\nfirst argument to urllib.request.urlopen with \\r\\n (specifically in\nthe path component of a URL that lacks a ? character) followed by an\nHTTP header or a Redis command. This is similar to the CVE-2019-9740\nquery string issue.\n\nCVE-2019-9948\n\nurllib supports the local_file: scheme, which makes it easier for\nremote attackers to bypass protection mechanisms that blacklist\nfile: URIs, as demonstrated by triggering a\nurllib.urlopen('local_file:///etc/passwd') call.\n\nCVE-2019-10160\n\nA security regression of CVE-2019-9636 was discovered which still\nallows an attacker to exploit CVE-2019-9636 by abusing the user and\npassword parts of a URL. When an application parses user-supplied\nURLs to store cookies, authentication credentials, or other kind of\ninformation, it is possible for an attacker to provide specially\ncrafted URLs to make the application locate host-related information\n(e.g. cookies, authentication data) and send them to a different\nhost than where it should, unlike if the URLs had been correctly\nparsed. The result of an attack may vary based on the application.\");\n\n script_tag(name:\"affected\", value:\"'python2.7' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.7.9-2+deb8u3.\n\nWe recommend that you upgrade your python2.7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"idle-python2.7\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7-dbg\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7-dev\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7-minimal\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7-stdlib\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython2.7-testsuite\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7-dbg\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7-dev\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7-doc\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7-examples\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.9-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-09-10T14:52:30", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-09-10T00:00:00", "type": "openvas", "title": "Ubuntu Update for python2.7 USN-4127-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9636", "CVE-2018-20406", "CVE-2018-20852", "CVE-2019-9740", "CVE-2019-9948", "CVE-2019-9947", "CVE-2019-5010", "CVE-2019-10160"], "modified": "2019-09-10T00:00:00", "id": "OPENVAS:1361412562310844168", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844168", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844168\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-9636\", \"CVE-2019-10160\", \"CVE-2019-5010\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-10 02:00:47 +0000 (Tue, 10 Sep 2019)\");\n script_name(\"Ubuntu Update for python2.7 USN-4127-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4127-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-September/005105.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python2.7'\n package(s) announced via the USN-4127-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that Python incorrectly handled certain pickle files. An\nattacker could possibly use this issue to consume memory, leading to a\ndenial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu\n18.04 LTS. (CVE-2018-20406)\n\nIt was discovered that Python incorrectly validated the domain when\nhandling cookies. An attacker could possibly trick Python into sending\ncookies to the wrong domain. (CVE-2018-20852)\n\nJonathan Birch and Panayiotis Panayiotou discovered that Python incorrectly\nhandled Unicode encoding during NFKC normalization. An attacker could\npossibly use this issue to obtain sensitive information. (CVE-2019-9636,\nCVE-2019-10160)\n\nColin Read and Nicolas Edet discovered that Python incorrectly handled\nparsing certain X509 certificates. An attacker could possibly use this\nissue to cause Python to crash, resulting in a denial of service. This\nissue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-5010)\n\nIt was discovered that Python incorrectly handled certain urls. A remote\nattacker could possibly use this issue to perform CRLF injection attacks.\n(CVE-2019-9740, CVE-2019-9947)\n\nSihoon Lee discovered that Python incorrectly handled the local_file:\nscheme. A remote attacker could possibly use this issue to bypass blacklist\nmeschanisms. (CVE-2019-9948)\");\n\n script_tag(name:\"affected\", value:\"'python2.7' package(s) on Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.15-4ubuntu4~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.15-4ubuntu4~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.6\", ver:\"3.6.8-1~18.04.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.6-minimal\", ver:\"3.6.8-1~18.04.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.16-2ubuntu0.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.16-2ubuntu0.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.7\", ver:\"3.7.3-2ubuntu0.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.7-minimal\", ver:\"3.7.3-2ubuntu0.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.12-1ubuntu0~16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.12-1ubuntu0~16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.5\", ver:\"3.5.2-2ubuntu0~16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"python3.5-minimal\", ver:\"3.5.2-2ubuntu0~16.04.8\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-21T20:07:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-07-17T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for python3.5 (DLA-2280-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2018-20406", "CVE-2019-16056", "CVE-2020-14422", "CVE-2018-20852", "CVE-2019-9740", "CVE-2019-9948", "CVE-2019-9947", "CVE-2019-5010", "CVE-2019-10160", "CVE-2020-8492", "CVE-2019-11340"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310892280", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892280", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892280\");\n script_version(\"2020-07-17T12:33:55+0000\");\n script_cve_id(\"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-11340\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-18348\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9740\", \"CVE-2019-9947\", \"CVE-2019-9948\", \"CVE-2020-14422\", \"CVE-2020-8492\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 12:33:55 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-17 12:33:55 +0000 (Fri, 17 Jul 2020)\");\n script_name(\"Debian LTS: Security Advisory for python3.5 (DLA-2280-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2280-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/924072\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/921064\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/940901\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3.5'\n package(s) announced via the DLA-2280-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple security issues were discovered in Python, an interactive\nhigh-level object-oriented language.\n\nCVE-2018-20406\n\nModules/_pickle.c has an integer overflow via a large LONG_BINPUT\nvalue that is mishandled during a 'resize to twice the size'\nattempt. This issue might cause memory exhaustion, but is only\nrelevant if the pickle format is used for serializing tens or\nhundreds of gigabytes of data.\n\nCVE-2018-20852\n\nhttp.cookiejar.DefaultPolicy.domain_return_ok in\nLib/http/cookiejar.py does not correctly validate the domain: it\ncan be tricked into sending existing cookies to the wrong\nserver. An attacker may abuse this flaw by using a server with a\nhostname that has another valid hostname as a suffix (e.g.,\npythonicexample.com to steal cookies for example.com). When a\nprogram uses http.cookiejar.DefaultPolicy and tries to do an HTTP\nconnection to an attacker-controlled server, existing cookies can\nbe leaked to the attacker.\n\nCVE-2019-5010\n\nAn exploitable denial-of-service vulnerability exists in the X509\ncertificate parser. A specially crafted X509 certificate can cause\na NULL pointer dereference, resulting in a denial of service. An\nattacker can initiate or accept TLS connections using crafted\ncertificates to trigger this vulnerability.\n\nCVE-2019-9636\n\nImproper Handling of Unicode Encoding (with an incorrect netloc)\nduring NFKC normalization. The impact is: Information disclosure\n(credentials, cookies, etc. that are cached against a given\nhostname). The components are: urllib.parse.urlsplit,\nurllib.parse.urlparse. The attack vector is: A specially crafted\nURL could be incorrectly parsed to locate cookies or\nauthentication data and send that information to a different host\nthan when parsed correctly.\n\nCVE-2019-9740\n\nAn issue was discovered in urllib2. CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the\nfirst argument to urllib.request.urlopen with \\r\\n (specifically\nin the query string after a ? character) followed by an HTTP\nheader or a Redis command.\n\nCVE-2019-9947\n\nAn issue was discovered in urllib2. CRLF injection is possible if\nthe attacker controls a url parameter, as demonstrated by the\nfirst argument to urllib.request.urlopen with \\r\\n (specifically\nin the path component of a URL that lacks a ? character) followed\nby an HTTP header or a Redis command. This is similar to the\nCVE-2019-9740 quer ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'python3.5' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 9 stretch, these problems have been fixed in version\n3.5.3-1+deb9u2.\n\nWe recommend that you upgrade your python3.5 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"idle-python3.5\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5-dbg\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5-dev\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5-minimal\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5-stdlib\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpython3.5-testsuite\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-dbg\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-dev\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-doc\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-examples\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-minimal\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3.5-venv\", ver:\"3.5.3-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-31T16:28:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-27T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for python3 (openSUSE-SU-2020:0086_1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16935", "CVE-2019-9636", "CVE-2016-0772", "CVE-2013-4238", "CVE-2014-2667", "CVE-2018-1000802", "CVE-2011-4944", "CVE-2018-20406", "CVE-2019-16056", "CVE-2012-1150", "CVE-2011-3389", "CVE-2018-1060", "CVE-2012-0845", "CVE-2016-5636", "CVE-2018-20852", "CVE-2018-1061", "CVE-2016-1000110", "CVE-2019-9947", "CVE-2018-14647", "CVE-2013-1752", "CVE-2017-18207", "CVE-2019-5010", "CVE-2019-10160", "CVE-2019-15903", "CVE-2014-4650", "CVE-2016-5699"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310853008", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853008", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853008\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2011-3389\", \"CVE-2011-4944\", \"CVE-2012-0845\", \"CVE-2012-1150\", \"CVE-2013-1752\", \"CVE-2013-4238\", \"CVE-2014-2667\", \"CVE-2014-4650\", \"CVE-2016-0772\", \"CVE-2016-1000110\", \"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2017-18207\", \"CVE-2018-1000802\", \"CVE-2018-1060\", \"CVE-2018-1061\", \"CVE-2018-14647\", \"CVE-2018-20406\", \"CVE-2018-20852\", \"CVE-2019-10160\", \"CVE-2019-15903\", \"CVE-2019-16056\", \"CVE-2019-16935\", \"CVE-2019-5010\", \"CVE-2019-9636\", \"CVE-2019-9947\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-27 09:18:18 +0000 (Mon, 27 Jan 2020)\");\n script_name(\"openSUSE: Security Advisory for python3 (openSUSE-SU-2020:0086_1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0086-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3'\n package(s) announced via the openSUSE-SU-2020:0086-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for python3 to version 3.6.10 fixes the following issues:\n\n - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk()\n (bsc#1083507).\n\n - CVE-2019-16056: Fixed an issue where email parsing could fail for\n multiple @ (bsc#1149955).\n\n - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat\n (bsc#1149429).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-86=1\");\n\n script_tag(name:\"affected\", value:\"'python3' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_6m1_0\", rpm:\"libpython3_6m1_0~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_6m1_0-debuginfo\", rpm:\"libpython3_6m1_0-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base\", rpm:\"python3-base~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-debuginfo\", rpm:\"python3-base-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-debugsource\", rpm:\"python3-base-debugsource~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-curses\", rpm:\"python3-curses~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-curses-debuginfo\", rpm:\"python3-curses-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-dbm\", rpm:\"python3-dbm~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-dbm-debuginfo\", rpm:\"python3-dbm-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-debuginfo\", rpm:\"python3-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-debugsource\", rpm:\"python3-debugsource~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-devel\", rpm:\"python3-devel~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-devel-debuginfo\", rpm:\"python3-devel-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-idle\", rpm:\"python3-idle~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-testsuite\", rpm:\"python3-testsuite~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-testsuite-debuginfo\", rpm:\"python3-testsuite-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tk\", rpm:\"python3-tk~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tk-debuginfo\", rpm:\"python3-tk-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-tools\", rpm:\"python3-tools~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_6m1_0-32bit\", rpm:\"libpython3_6m1_0-32bit~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libpython3_6m1_0-32bit-debuginfo\", rpm:\"libpython3_6m1_0-32bit-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-32bit\", rpm:\"python3-32bit~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-32bit-debuginfo\", rpm:\"python3-32bit-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-32bit\", rpm:\"python3-base-32bit~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-base-32bit-debuginfo\", rpm:\"python3-base-32bit-debuginfo~3.6.10~lp151.6.7.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2022-02-27T11:50:35", "description": "**CentOS Errata and Security Advisory** CESA-2019:1587\n\n\nPython is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2019-June/060256.html\n\n**Affected packages:**\npython\npython-debug\npython-devel\npython-libs\npython-test\npython-tools\ntkinter\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2019:1587", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-24T17:07:31", "type": "centos", "title": "python, tkinter security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-06-24T17:07:31", "id": "CESA-2019:1587", "href": "https://lists.centos.org/pipermail/centos-announce/2019-June/060256.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Collections. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-19T01:08:29", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: python34-3.4.10-6.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056"], "modified": "2019-09-19T01:08:29", "id": "FEDORA:88C4462CD8F9", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Collections. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-19T01:33:08", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python34-3.4.10-3.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056"], "modified": "2019-09-19T01:33:08", "id": "FEDORA:C291D604A73C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-12T00:59:43", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python36-3.6.9-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-07-12T00:59:43", "id": "FEDORA:EA23E62567AD", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Python is an accessible, high-level, dynamically typed, interpreted program ming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the \"python3\" executable: the reference interpreter for the Python language, version 3. The majority of its standard library is provided in the python3-libs packag e, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages, which may need to be installed separately. Documentation for Python is provided in the python3-docs package. Packages containing additional libraries for Python are generally named with the \"python3-\" prefix. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-29T01:08:31", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python3-3.7.4-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-07-29T01:08:31", "id": "FEDORA:7A99560A8F88", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-29T01:08:32", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python3-docs-3.7.4-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-07-29T01:08:32", "id": "FEDORA:B52EF60A8F8C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HW2MKPKX4I2XFXJPRGEEDE3MA5J7UMQF/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "The python3-docs package contains documentation on the Python 3 programming language and interpreter. Install the python3-docs package if you'd like to use the documentation for the Python 3 language. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-05T01:41:24", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python3-docs-3.7.4-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-08-05T01:41:24", "id": "FEDORA:7D6AB6133B32", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FCB46WOHLWXCQDJAEWHTKP7WTUY3NZ6P/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Python 3.4 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.4, see other distributions that support it, such as CentOS or RHEL with Software Collections. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-09-19T01:54:19", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python34-3.4.10-3.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14647", "CVE-2019-10160", "CVE-2019-16056"], "modified": "2019-09-19T01:54:19", "id": "FEDORA:504CC6389DFC", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Python is an accessible, high-level, dynamically typed, interpreted program ming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries. The python3 package provides the \"python3\" executable: the reference interpreter for the Python language, version 3. The majority of its standard library is provided in the python3-libs packag e, which should be installed automatically along with python3. The remaining parts of the Python standard library are broken out into the python3-tkinter and python3-test packages, which may need to be installed separately. Documentation for Python is provided in the python3-docs package. Packages containing additional libraries for Python are generally named with the \"python3-\" prefix. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-05T01:41:23", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python3-3.7.4-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-08-05T01:41:23", "id": "FEDORA:E51866176380", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-12T06:18:09", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python36-3.6.9-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14647", "CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-07-12T06:18:09", "id": "FEDORA:DBDE4606041A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-09T22:40:00", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python35-3.5.8-2.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-11-09T22:40:00", "id": "FEDORA:BF65760525B8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-11T01:06:32", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: python35-3.5.8-2.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-11-11T01:06:32", "id": "FEDORA:9848360648DC", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Python 3.5 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.5, see other distributions that support it, such as CentOS or RHEL with Software Collections or older Fedora releases. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-10T01:07:36", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python35-3.5.8-2.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14647", "CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-18348", "CVE-2019-9636", "CVE-2019-9740"], "modified": "2019-11-10T01:07:36", "id": "FEDORA:9F764605D68D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:24", "description": "[2.6.6-68.0.1]\n- Add Oracle Linux distribution in platform.py [orabug 21288328] (Keshav Sharma)\n[2.6.6-68]\n- Security fix for CVE-2019-10160\nResolves: rhbz#1716744\n[2.6.6-67]\n- Security fix for CVE-2019-9636\nResolves: rhbz#1716744", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-13T00:00:00", "type": "oraclelinux", "title": "python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-06-13T00:00:00", "id": "ELSA-2019-1467", "href": "http://linux.oracle.com/errata/ELSA-2019-1467.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-30T06:24:59", "description": "[3.6.8-15.1.0.1]\n- Add Oracle Linux distribution in platform.py [Orabug: 20812544]\n[3.6.8-15.1]\n- Patch 329 (FIPS) modified: Added workaround for mod_ssl:\n Skip error checking in _Py_hashlib_fips_error\nResolves: rhbz#1760106\n[3.6.8-15]\n- Patch 329 that adds support for OpenSSL FIPS mode has been improved and\n bugfixed\nResolves: rhbz#1744670 rhbz#1745499 rhbz#1745685\n[3.6.8-14]\n- Adding a new patch 329 that adds support for OpenSSL FIPS mode\n- Explicitly listing man pages in files section to fix an RPM warning\nResolves: rhbz#1731424\n[3.6.8-13]\n- Do not set PHA verify flag on client side (rhbz#1725721)\n- Enable TLS 1.3 post-handshake authentication in http.client (rhbz#1671353)\n[3.6.8-12]\n- Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch\n- Require platform-python-setuptools from platform-python-devel to prevent packaging errors\nResolves: rhbz#1701286\n[3.6.8-11]\n- Fix for CVE-2019-10160\nResolves: rhbz#1689318\n[3.6.8-10]\n- Security fix for CVE-2019-9948\nResolves: rhbz#1714643\n[3.6.8-9]\n- Reduced default build flags used to build extension modules\n https://fedoraproject.org/wiki/Changes/Python_Extension_Flags\nResolves: rhbz#1634784\n[3.6.8-8]\n- gzip the unversioned-python man page\nResolves: rhbz#1665514\n[3.6.8-7]\n- Disallow control chars in http URLs\n- Fixes CVE-2019-9740 and CVE-2019-9947\nResolves: rhbz#1704365 and rhbz#1703531\n[3.6.8-6]\n- Updated fix for CVE-2019-9636 (rhbz#1689318)\n[3.6.8-5]\n- Security fix for CVE-2019-9636 (rhbz#1689318)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-11-14T00:00:00", "type": "oraclelinux", "title": "python3 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2019-11-14T00:00:00", "id": "ELSA-2019-3520", "href": "http://linux.oracle.com/errata/ELSA-2019-3520.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-30T06:24:21", "description": "[2.7.5-86.0.1]\n- Add Oracle Linux distribution in platform.py [orabug 20812544]\n[2.7.5-86]\n- Security fix for CVE-2019-10160\nResolves: rhbz#1718388\n[2.7.5-85]\n- Security fix for CVE-2019-9948\nResolves: rhbz#1704174\n[2.7.5-84]\n- Disallow control chars in http URLs\n- Fixes CVE-2019-9740 and CVE-2019-9947\nResolves: rhbz#1704362 and rhbz#1703530\n[2.7.5-83]\n- Remove unversioned obsoletes\nResolves: rhbz#1703600\n[2.7.5-82]\n- Updated fix for CVE-2019-9636\nResolves: rhbz#1689317\n[2.7.5-81]\n- Security fix for CVE-2019-9636\nResolves: rhbz#1689317", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "oraclelinux", "title": "python security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14647", "CVE-2019-10160", "CVE-2019-5010", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2019-08-13T00:00:00", "id": "ELSA-2019-2030", "href": "http://linux.oracle.com/errata/ELSA-2019-2030.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2021-10-19T20:37:34", "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-20T19:51:08", "type": "redhat", "title": "(RHSA-2019:1587) Important: python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2019-06-20T20:07:58", "id": "RHSA-2019:1587", "href": "https://access.redhat.com/errata/RHSA-2019:1587", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-19T20:40:48", "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* python: undocumented local_file protocol allows remote attackers to bypass protection mechanisms (CVE-2019-9948)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-08T10:38:49", "type": "redhat", "title": "(RHSA-2019:1700) Important: python27-python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636", "CVE-2019-9948"], "modified": "2019-07-08T14:00:57", "id": "RHSA-2019:1700", "href": "https://access.redhat.com/errata/RHSA-2019:1700", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-10-19T20:36:15", "description": "The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.\n\nThe following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). (BZ#1669357, BZ#1669365, BZ#1684986, BZ#1711193, BZ#1717250, BZ#1726917)\n\nSecurity Fix(es):\n\n* python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc (CVE-2019-10160)\n\n* rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881)\n\n* edk2: stack overflow in XHCI causing denial of service (CVE-2019-0161)\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment (CVE-2019-10139)\n\n* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-12T10:51:59", "type": "redhat", "title": "(RHSA-2019:2437) Important: Red Hat Virtualization security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16838", "CVE-2018-16881", "CVE-2019-0161", "CVE-2019-10139", "CVE-2019-10160", "CVE-2019-1559", "CVE-2019-9636"], "modified": "2019-08-12T11:44:35", "id": "RHSA-2019:2437", "href": "https://access.redhat.com/errata/RHSA-2019:2437", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T19:05:42", "description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-07T18:29:00", "type": "cve", "title": "CVE-2019-10160", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-9636"], "modified": "2021-01-06T16:11:00", "cpe": ["cpe:/a:python:python:3.7", "cpe:/a:python:python:3.5.0", "cpe:/a:python:python:3.6.0", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:python:python:3.8.0b1"], "id": "CVE-2019-10160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10160", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:python:python:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.8.0b1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"]}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Updated python and python3 packages fix security vulnerabilities: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n followed by an HTTP header or a Redis command (CVE-2019-9740). An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL) followed by an HTTP header or a Redis command. This is similar to CVE-2019-9740 query string issue (CVE-2019-9947). urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call (CVE-2019-9948). A security regression of CVE-2019-9636 was discovered in python, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application (CVE-2019-10160). It was discovered that Python incorrectly parsed certain email addresses. A remote attacker could possibly use this issue to trick Python applications into accepting email addresses that should be denied (CVE-2019-16056). It was discovered that the Python documentation XML-RPC server incorrectly handled certain fields. A remote attacker could use this issue to execute a cross-site scripting (XSS) attack (CVE-2019-16935). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-07T23:36:48", "type": "mageia", "title": "Updated python packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10160", "CVE-2019-16056", "CVE-2019-16935", "CVE-2019-9636", "CVE-2019-9740", "CVE-2019-9947", "CVE-2019-9948"], "modified": "2019-11-07T23:36:48", "id": "MGASA-2019-0318", "href": "https://advisories.mageia.org/MGASA-2019-0318.html", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2021-10-22T12:11:31", "description": "Package : python2.7\nVersion : 2.7.9-2+deb8u3\nCVE ID : CVE-2018-14647 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 \n CVE-2019-9947 CVE-2019-9948 CVE-2019-10160\nDebian Bug : 921039 921040 924073\n\n\nMultiple vulnerabilities were discovered in Python, an interactive\nhigh-level object-oriented language, including \n\nCVE-2018-14647\n\n Python&#x27;s elementtree C accelerator failed to initialise Expat&#x27;s hash\n salt during initialization. This could make it easy to conduct\n denial of service attacks against Expat by constructing an XML\n document that would cause pathological hash collisions in Expat&#x27;s\n internal data structures, consuming large amounts CPU and RAM.\n\nCVE-2019-5010\n\n NULL pointer dereference using a specially crafted X509 certificate.\n\nCVE-2019-9636\n\n Improper