| Summary: | <dev-python/jinja-2.7.3: arbitrary code execution vulnerability (CVE-2014-{0012,1402}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1051421 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-01-10 09:41:41 UTC
jinja-2.7.2 has been released to address this issue.

*** Bug 517570 has been marked as a duplicate of this bug. ***

CVE-2014-1402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1402): The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.

CVE-2014-0012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0012): FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

Version in Tree now:

*jinja-2.7.3 (26 Jun 2014)
26 Jun 2014; Patrick McLean <chutzpah@gentoo.org> +jinja-2.7.3.ebuild:
Version bump, fix for CVE-2014-0012.

Maintainer(s): please let us know when the ebuild is ready for stabilization.

Arches, please stabilize =dev-python/jinja-2.7.3.

(In reply to Dirkjan Ochtman from comment #6)

Again and again, please do it like this:

Arch teams, please test and mark stable:
=dev-python/jinja-2.7.3
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

RepoMan scours the neighborhood...
>>> Creating Manifest for /newaches/gentoo/cvs/gentoo-x86/dev-python/jinja
metadata.warning 1
dev-python/jinja/metadata.xml: unused local USE-description: 'i18n'
Stable for HPPA.
Stable on alpha.

arm stable

ia64 stable

amd64 stable

x86 stable

sparc stable

ppc stable

ppc64 stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.

Cleanup done.

(In reply to Dirkjan Ochtman from comment #18)
> Cleanup done.

Thank you for the cleanup.

This issue was resolved and addressed in GLSA 201408-13 at http://security.gentoo.org/glsa/glsa-201408-13.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
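Both CVEs in the description come down to FileSystemBytecodeCache placing its cache under the shared temp directory, where another local user can pre-create the file or directory it expects. As an added example (not from this bug report or the Jinja2 project), the Python below pins the bytecode cache to a per-user directory and refuses one that is a symlink, owned by another uid, or accessible to group/other; the `default_cache_dir` helper, the `myapp` name and the checks themselves are this example's own assumptions, only `FileSystemBytecodeCache(directory=...)` is the real Jinja2 API.

```python
import os
import stat
from pathlib import Path


def check_private_dir(path):
    """Return None if `path` is a directory only our uid can use, otherwise
    a short reason why it must not be trusted as a cache location."""
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != os.getuid():
        return f"owned by uid {st.st_uid}, not {os.getuid()}"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "accessible to group/other"
    return None


def secure_cache_dir(path):
    """Create `path` as a 0700 directory if absent, then validate it.
    A pre-existing directory that fails the checks (for example one created
    ahead of time by another local user) is refused rather than reused."""
    path = Path(path)
    # mkdir does not follow a symlink at the final component, and 0o700
    # excludes group/other from the moment the directory exists.
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    reason = check_private_dir(path)
    if reason is not None:
        raise RuntimeError(f"refusing cache directory {path}: {reason}")
    return path


def default_cache_dir(app_name="myapp"):
    """Per-user location under $XDG_CACHE_HOME (or ~/.cache), not /tmp (assumed layout)."""
    base = os.environ.get("XDG_CACHE_HOME") or os.path.join(os.path.expanduser("~"), ".cache")
    return os.path.join(base, app_name, "jinja2")


def build_environment(template_dir, cache_dir=None):
    """Jinja2 Environment whose FileSystemBytecodeCache uses the validated
    private directory instead of the default location under the temp dir."""
    from jinja2 import Environment, FileSystemBytecodeCache, FileSystemLoader
    directory = secure_cache_dir(cache_dir or default_cache_dir())
    cache = FileSystemBytecodeCache(directory=str(directory))
    return Environment(loader=FileSystemLoader(template_dir), bytecode_cache=cache)
```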