Updated python33-python-jinja2 and python27-python-jinja2 packages that fix one security issue are now available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Jinja2 is a template engine written in pure Python. It provides a Django-inspired, non-XML syntax but supports inline expressions and an optional sandboxed environment.

It was discovered that Jinja2 did not properly handle bytecode cache files stored in the system’s temporary directory. A local attacker could use this flaw to alter the output of an application using Jinja2 and FileSystemBytecodeCache, and potentially execute arbitrary code with the privileges of that application. (CVE-2014-1402)

All Jinja2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications using Jinja2 must be restarted.
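The root cause above is a bytecode cache kept in a shared, world-writable temporary directory. As an added defender-side example (not part of this advisory or of Jinja2's own code), the following POSIX-only Python gives FileSystemBytecodeCache a directory the application exclusively owns and audits the cache files in it; the helper names `private_cache_dir`, `suspicious_cache_files` and `make_environment` are hypothetical, while `jinja2.Environment` and `jinja2.FileSystemBytecodeCache(directory=...)` are the real API.

```python
import os
import stat
import tempfile

# Permission bits that must never be set on the cache directory or its files.
_OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def private_cache_dir(path=None):
    """Return a directory owned only by the current user, suitable as the
    `directory` argument of jinja2.FileSystemBytecodeCache.

    With no argument, a fresh 0700 directory is created with mkdtemp (atomic,
    unpredictable name) instead of a fixed file name under the shared /tmp."""
    if path is None:
        path = tempfile.mkdtemp(prefix="jinja2-bytecode-")
    else:
        os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("cache path is not a real directory: %s" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("cache directory not owned by this user: %s" % path)
    if st.st_mode & _OTHER_WRITABLE:
        raise RuntimeError("cache directory writable by other users: %s" % path)
    return path


def suspicious_cache_files(path):
    """List entries another local user could have planted or altered:
    symlinks, files not owned by us, or files writable by group/others."""
    bad = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if (stat.S_ISLNK(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_mode & _OTHER_WRITABLE):
            bad.append(name)
    return bad


def make_environment(cache_dir, **env_kwargs):
    """Build a jinja2.Environment whose bytecode cache lives in cache_dir."""
    from jinja2 import Environment, FileSystemBytecodeCache  # lazy import
    cache = FileSystemBytecodeCache(directory=private_cache_dir(cache_dir))
    return Environment(bytecode_cache=cache, **env_kwargs)


if __name__ == "__main__":
    d = private_cache_dir()
    print("cache dir:", d, "suspicious entries:", suspicious_cache_files(d))
```

Running the audit at startup (and before each deployment) turns a silently replaced cache file into a visible error rather than altered template output.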
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Red Hat Software Collections 1 for RHEL 6

1051421 – CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
