Updated python-jinja2 package fixes two security vulnerabilities
Publication date: 24 Jan 2014
Modification date: 24 Jan 2014
Type: security
Affected Mageia releases: 3
CVE: CVE-2014-1402
Description
Updated python-jinja2 packages fix a security vulnerability:
Jinja2, a template engine written in pure Python, was found to use /tmp
as the default directory for jinja2.bccache.FileSystemBytecodeCache. This
is insecure because the /tmp directory is world-writable and the
filenames used by FileSystemBytecodeCache are often predictable. A
malicious user could exploit this bug to execute arbitrary code as
another user. (CVE-2014-1402)
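
An application-side mitigation for the issue described above, as an added example that is not part of the advisory or of Jinja2's own code: pass FileSystemBytecodeCache an explicit directory that only the current user can access instead of relying on the default. The helper names `private_cache_dir`, `make_environment` and `demo` are hypothetical, and the directories in `demo` are constructed for illustration.

```python
import os
import stat
import tempfile


def private_cache_dir(path):
    """Create or validate a cache directory that only the current user can use."""
    try:
        os.mkdir(path, 0o700)  # raises if anything (even a symlink) is already there
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: do not follow a pre-planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path}: not a real directory")
    if st.st_uid != os.getuid():
        raise RuntimeError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        raise RuntimeError(f"{path}: accessible to group/other")
    return path


def make_environment(template_dir, cache_dir):
    """Build a Jinja2 Environment whose bytecode cache lives in cache_dir."""
    from jinja2 import Environment, FileSystemBytecodeCache, FileSystemLoader
    return Environment(
        loader=FileSystemLoader(template_dir),
        # Explicit, validated directory: never fall back to the /tmp default.
        bytecode_cache=FileSystemBytecodeCache(private_cache_dir(cache_dir)),
    )


def demo():
    """Constructed cases: a fresh directory, a world-writable one, a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "jinja2-cache")
        results["fresh"] = os.path.isdir(private_cache_dir(good))
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)  # mimics a world-writable location
        link = os.path.join(base, "link")
        os.symlink(good, link)  # mimics a path planted by another user
        for name, path in (("world_writable", shared), ("symlink", link)):
            try:
                private_cache_dir(path)
                results[name] = "accepted"
            except RuntimeError:
                results[name] = "rejected"
    return results
```
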
References
- http://openwall.com/lists/oss-security/2014/01/10/2
- http://openwall.com/lists/oss-security/2014/01/10/3
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747
- https://bugzilla.redhat.com/show_bug.cgi?id=1051421
- https://bugs.mageia.org/show_bug.cgi?id=12265
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1402
SRPMS
3/core
- python-jinja2-2.5.5-8.2.mga3