-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4452
                   python-XStatic-jQuery security update
                             17 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-XStatic-jQuery
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11358  

Reference:         ESB-2020.1220

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:5581

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-XStatic-jQuery security update
Advisory ID:       RHSA-2020:5581-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5581
Issue date:        2020-12-16
CVE Names:         CVE-2019-11358 
=====================================================================

1. Summary:

An update for python-XStatic-jQuery is now available for Red Hat OpenStack
Platform 13 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch

3. Description:

python-XStatic-jQuery is the jQuery JavaScript library packaged for
Python's setuptools.

Security Fix(es):

* Prototype pollution in object's prototype leading to denial of service,
remote code execution, or property injection (CVE-2019-11358)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
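The flaw behind CVE-2019-11358 is in jQuery's deep merge, jQuery.extend(true, ...):
when the source object carries an own key literally named "__proto__" (which
JSON.parse happily produces from attacker-supplied JSON), the merge walks into
Object.prototype and writes the attacker's properties there, where every later
object in the page inherits them. The block below is an added example, not part
of this advisory and not jQuery's own source: a reduced deep merge that follows
the pre-3.4.0 control flow, with the `name === "__proto__"` guard that jQuery
3.4.0 added switchable, so the pollution can be observed and then shown blocked.
The functions isPlainObject, deepExtend and mergeAndProbe and the ATTACKER_JSON
payload are constructed for this demonstration.

```javascript
// Added example for CVE-2019-11358 (not jQuery's code, not from the advisory).
// A reduced model of jQuery.extend(true, target, source) and of the fix.

// Close enough to jQuery's isPlainObject for this demo: true for objects whose
// prototype is null (Object.create(null), and Object.prototype itself) or
// whose prototype's constructor is the built-in Object.
function isPlainObject(obj) {
  if (obj === null || typeof obj !== "object" ||
      Object.prototype.toString.call(obj) !== "[object Object]") {
    return false;
  }
  const proto = Object.getPrototypeOf(obj);
  if (!proto) return true; // Object.prototype has a null prototype, so it passes
  const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") &&
               proto.constructor;
  return typeof ctor === "function" && ctor === Object;
}

// Deep-merge `source` into `target`. With skipProto=false this follows the
// vulnerable pre-3.4.0 flow; with skipProto=true it adds the guard that
// jQuery 3.4.0 introduced to stop Object.prototype pollution.
function deepExtend(target, source, skipProto) {
  for (const name in source) {           // enumerates the own "__proto__" key too
    const copy = source[name];
    if (skipProto && name === "__proto__") continue; // the 3.4.0 fix
    if (target === copy) continue;                   // never-ending loop guard (pre-existing)
    if (copy && isPlainObject(copy)) {
      // Reuse the existing nested object if it is "plain". For name ===
      // "__proto__" on a fresh {} that existing object is Object.prototype,
      // so the recursive call below writes the attacker's keys onto it.
      const src = target[name];
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker payload: e.g. a JSON request body or a decoded query
// string. JSON.parse creates an *own* enumerable property named "__proto__"
// here; it does not invoke the __proto__ setter.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// Merge the payload into an empty object with the chosen variant, then
// create an unrelated object and see whether it inherited `isAdmin`.
// Restores Object.prototype afterwards so repeated calls stay independent.
function mergeAndProbe(skipProto) {
  const options = JSON.parse(ATTACKER_JSON);
  deepExtend({}, options, skipProto);
  const victim = {};                       // created after the merge, never written to
  const inherited = victim.isAdmin;        // true only if Object.prototype was polluted
  delete Object.prototype.isAdmin;         // clean up global state
  return inherited === true;
}

console.log("vulnerable merge polluted Object.prototype:", mergeAndProbe(false)); // true
console.log("guarded merge polluted Object.prototype:  ", mergeAndProbe(true));  // false
```

In a real deployment the polluted property is read by whatever code checks
`options.isAdmin`, `config.debug` or a template helper later in the page, which
is how a pollution primitive becomes property injection, a crash (denial of
service) or, through a gadget in the application, code execution. Note that the
fixed package in this advisory keeps the upstream version string 2.2.4.1 and
changes only the RPM release, so `jQuery.fn.jquery` in the browser will still
report 2.2.4 after patching; confirm the fix from the package side with
`rpm -q python-XStatic-jQuery` (release 3.el7ost or later, as listed below) and
the entry for Bugzilla 1701972 or CVE-2019-11358 in
`rpm -q --changelog python-XStatic-jQuery`, or behaviourally with the probe above.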

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection

6. Package List:

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:
python-XStatic-jQuery-2.2.4.1-3.el7ost.src.rpm

noarch:
python-XStatic-jQuery-2.2.4.1-3.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0:

Source:
python-XStatic-jQuery-2.2.4.1-3.el7ost.src.rpm

noarch:
python-XStatic-jQuery-2.2.4.1-3.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----