Security update for python-Jinja2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1395-1 Final 1 1 2019-05-13T13:01:56Z current 2019-05-13T13:01:56Z 2019-05-13T13:01:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-Jinja2 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1395 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E/#KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E E-Mail link for openSUSE-SU-2019:1395-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1125815 SUSE Bug 1125815 https://bugzilla.suse.com/1132174 SUSE Bug 1132174 https://bugzilla.suse.com/1132323 SUSE Bug 1132323 https://www.suse.com/security/cve/CVE-2016-10745/ SUSE CVE CVE-2016-10745 page https://www.suse.com/security/cve/CVE-2019-10906/ SUSE CVE CVE-2019-10906 page https://www.suse.com/security/cve/CVE-2019-8341/ SUSE CVE CVE-2019-8341 page openSUSE Leap 15.0 python-Jinja2-emacs-2.10.1-lp150.2.3.1 python-Jinja2-vim-2.10.1-lp150.2.3.1 python2-Jinja2-2.10.1-lp150.2.3.1 python3-Jinja2-2.10.1-lp150.2.3.1 python-Jinja2-emacs-2.10.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python-Jinja2-vim-2.10.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python2-Jinja2-2.10.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-Jinja2-2.10.1-lp150.2.3.1 as a component of openSUSE Leap 15.0 In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. CVE-2016-10745 openSUSE Leap 15.0:python-Jinja2-emacs-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python-Jinja2-vim-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python2-Jinja2-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python3-Jinja2-2.10.1-lp150.2.3.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E/#KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E https://www.suse.com/security/cve/CVE-2016-10745.html CVE-2016-10745 https://bugzilla.suse.com/1132174 SUSE Bug 1132174 In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. CVE-2019-10906 openSUSE Leap 15.0:python-Jinja2-emacs-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python-Jinja2-vim-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python2-Jinja2-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python3-Jinja2-2.10.1-lp150.2.3.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E/#KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E https://www.suse.com/security/cve/CVE-2019-10906.html CVE-2019-10906 https://bugzilla.suse.com/1132323 SUSE Bug 1132323 ** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing. CVE-2019-8341 openSUSE Leap 15.0:python-Jinja2-emacs-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python-Jinja2-vim-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python2-Jinja2-2.10.1-lp150.2.3.1 openSUSE Leap 15.0:python3-Jinja2-2.10.1-lp150.2.3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E/#KPV2O2QPXQEQ5BKRBRQ2RKA7RHVLTZ7E https://www.suse.com/security/cve/CVE-2019-8341.html CVE-2019-8341 https://bugzilla.suse.com/1125815 SUSE Bug 1125815