[Important] [Security] Vulnerability Fixes in urllib3, PyYAML, and Pillow (CVE-2018-20060, CVE-2020-1747, CVE-2020-14343, CVE-2023-50447, and CVE-2023-44271) for VzLinux 7.9¶

1. Overview¶

This update fixes the vulnerabilities in urllib3, PyYAML, and Pillow, which are registered as CVE-2018-20060, CVE-2020-1747, CVE-2020-14343, CVE-2023-50447, and CVE-2023-44271.

2. Security Fixes¶

• [Important] [urllib3] urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow credentials in the Authorization header to be exposed to unintended hosts or transmitted in clear text. (CVE-2018-20060)

• [Important] [PyYAML] A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when processing untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the Python/object/new constructor. (CVE-2020-1747)

• [Important] [PyYAML] A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when processing untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the Python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747. (CVE-2020-14343)

• [Important] [Pillow] A vulnerability was found in Pillow, a popular Python imaging library. The flaw identified in the PIL.ImageMath.eval function enables arbitrary code execution by manipulating the environment parameter. (CVE-2023-50447)

• [Important] [Pillow] A flaw was found in Pillow. A service denial issue allocates memory uncontrollably to process a given task, potentially causing a service to crash by running out of memory. This occurs for TrueType in ImageFont when the text length in an ImageDraw instance operates on a long text argument. (CVE-2023-44271)

3. Installing the Update¶

Install the update with yum update.

4. References¶

• https://access.redhat.com/security/cve/cve-2018-20060/

• https://access.redhat.com/security/cve/cve-2020-1747/

• https://access.redhat.com/security/cve/cve-2020-14343/

• https://access.redhat.com/security/cve/cve-2023-50447/

• https://access.redhat.com/security/cve/cve-2023-44271/

The new and updated packages are listed in the JSON file.