Executive Summary
Summary | |
---|---|
Title | python33-python-jinja2 and python27-python-jinja2 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:0748 | First vendor Publication | 2014-06-11 |
Vendor | RedHat | Last vendor Modification | 2014-06-11 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.4 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 3.4 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated python33-python-jinja2 and python27-python-jinja2 packages that fix one security issue are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Software Collections 1 for Red Hat Enterprise Linux Server EUS (v. 6.3) - noarch Red Hat Software Collections 1 for Red Hat Enterprise Linux Server EUS (v. 6.4) - noarch Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 7) - noarch 3. Description: Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment. It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system's temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. (CVE-2014-1402) All Jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using Jinja2 must be restarted. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1051421 - CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-0748.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24790 | |||
Oval ID: | oval:org.mitre.oval:def:24790 | ||
Title: | RHSA-2014:0747: python-jinja2 security update (Moderate) | ||
Description: | Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment. It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system's temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. (CVE-2014-1402) All python-jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using python-jinja2 must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0747-00 CESA-2014:0747 CVE-2014-1402 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | python-jinja2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24851 | |||
Oval ID: | oval:org.mitre.oval:def:24851 | ||
Title: | ELSA-2014:0747: python-jinja2 security update (Moderate) | ||
Description: | Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment. It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system's temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. (CVE-2014-1402) All python-jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using python-jinja2 must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0747-00 CVE-2014-1402 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | python-jinja2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26103 | |||
Oval ID: | oval:org.mitre.oval:def:26103 | ||
Title: | USN-2301-1 -- jinja2 vulnerabilities | ||
Description: | A security issue was fixed in Jinja2. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2301-1 CVE-2014-0012 CVE-2014-1402 | Version: | 3 |
Platform(s): | Ubuntu 12.04 | Product(s): | jinja2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27287 | |||
Oval ID: | oval:org.mitre.oval:def:27287 | ||
Title: | DEPRECATED: ELSA-2014-0747 -- python-jinja2 security update (moderate) | ||
Description: | [2.2.1-2] - Fix CVE-2014-1402 Resolves: rhbz#1102889 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0747 CVE-2014-1402 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | python-jinja2 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_jinja2_20141216.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-371.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-13.nasl - Type : ACT_GATHER_INFO |
2014-07-25 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2301-1.nasl - Type : ACT_GATHER_INFO |
2014-06-23 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7166.nasl - Type : ACT_GATHER_INFO |
2014-06-23 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7399.nasl - Type : ACT_GATHER_INFO |
2014-06-12 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2014-0747.nasl - Type : ACT_GATHER_INFO |
2014-06-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2014-0747.nasl - Type : ACT_GATHER_INFO |
2014-06-12 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0747.nasl - Type : ACT_GATHER_INFO |
2014-06-12 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140611_python_jinja2_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-05-19 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2014-096.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-06-11 21:22:05 |
|