Bug 1827852

Summary:	yum impacted by CVE-2020-8492 with no identified path to mitigation
Product:	Red Hat Enterprise Linux 7	Reporter:	Jason Pyeron <jpyeron>
Component:	python	Assignee:	Python Maintainers <python-maint>
Status:	CLOSED WONTFIX	QA Contact:	RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity:	unspecified	Docs Contact:
Priority:	low
Version:	7.8	CC:	dchong, hhorak, james.antill, jblazek, kwalker, mmezynsk, mvanderw, pviktori, torsava
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-07-01 12:27:26 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1809065
Bug Blocks:

Description Jason Pyeron 2020-04-24 23:29:58 UTC

Description of problem:

root@XXXXXXXXXXX ~
# rpm -q yum --requires
/usr/bin/python
config(yum) = 3.4.3-167.el7
cpio
diffutils
pygpgme
pyliblzma
python >= 2.4
python(abi) = 2.7
python-iniparse
python-sqlite
python-urlgrabber >= 3.10-8
pyxattr
rpm >= 0:4.11.3-22
rpm-python
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
yum-metadata-parser >= 1.1.0
rpmlib(PayloadIsXz) <= 5.2-1

root@XXXXXXXXXXX ~
# yum install python3.x86_64
Loaded plugins: product-id, rhui-lb, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package python3.x86_64 0:3.6.8-13.el7 will be installed
--> Processing Dependency: python3-libs(x86-64) = 3.6.8-13.el7 for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: python3-setuptools for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: python3-pip for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: python3-3.6.8-13.el7.x86_64
--> Running transaction check
---> Package python3-libs.x86_64 0:3.6.8-13.el7 will be installed
---> Package python3-pip.noarch 0:9.0.3-7.el7_7 will be installed
---> Package python3-setuptools.noarch 0:39.2.0-10.el7 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Found and removing 0 unneeded dependencies

Dependencies Resolved

============================================================================================================================================================================================================================
 Package                                                    Arch                                           Version                                                 Repository                                          Size
============================================================================================================================================================================================================================
Installing:
 python3                                                    x86_64                                         3.6.8-13.el7                                            rhel7_base                                          69 k
Installing for dependencies:
 python3-libs                                               x86_64                                         3.6.8-13.el7                                            rhel7_base                                         7.0 M
 python3-pip                                                noarch                                         9.0.3-7.el7_7                                           rhel7_base                                         1.8 M
 python3-setuptools                                         noarch                                         39.2.0-10.el7                                           rhel7_base                                         629 k

Transaction Summary
============================================================================================================================================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 9.4 M
Installed size: 48 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): python3-3.6.8-13.el7.x86_64.rpm                                                                                                                                                               |  69 kB  00:00:01
(2/4): python3-pip-9.0.3-7.el7_7.noarch.rpm                                                                                                                                                          | 1.8 MB  00:00:00
(3/4): python3-libs-3.6.8-13.el7.x86_64.rpm                                                                                                                                                          | 7.0 MB  00:00:01
(4/4): python3-setuptools-39.2.0-10.el7.noarch.rpm                                                                                                                                                   | 629 kB  00:00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                       4.8 MB/s | 9.4 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python3-setuptools-39.2.0-10.el7.noarch                                                                                                                                                                  1/4
  Installing : python3-libs-3.6.8-13.el7.x86_64                                                                                                                                                                         2/4
  Installing : python3-3.6.8-13.el7.x86_64                                                                                                                                                                              3/4
  Installing : python3-pip-9.0.3-7.el7_7.noarch                                                                                                                                                                         4/4
  Verifying  : python3-pip-9.0.3-7.el7_7.noarch                                                                                                                                                                         1/4
  Verifying  : python3-3.6.8-13.el7.x86_64                                                                                                                                                                              2/4
  Verifying  : python3-setuptools-39.2.0-10.el7.noarch                                                                                                                                                                  3/4
  Verifying  : python3-libs-3.6.8-13.el7.x86_64                                                                                                                                                                         4/4

Installed:
  python3.x86_64 0:3.6.8-13.el7

Dependency Installed:
  python3-libs.x86_64 0:3.6.8-13.el7                                    python3-pip.noarch 0:9.0.3-7.el7_7                                    python3-setuptools.noarch 0:39.2.0-10.el7

Complete!

root@XXXXXXXXXXX ~
# yum erase python-2.7.5
Loaded plugins: product-id, rhui-lb, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package python.x86_64 0:2.7.5-88.el7 will be erased
--> Processing Dependency: python >= 2.2 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python for package: yum-updateonboot-1.1.31-53.el7.noarch
--> Processing Dependency: python for package: javapackages-tools-3.4.1-11.el7.noarch
--> Processing Dependency: python for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python >= 2.4 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urllib3-1.16-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: m2crypto-0.21.1-17.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-boto-2.34.0-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-inotify-0.9.4-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: audit-libs-python-2.8.5-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-dmidecode-3.12.2-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-six-1.9.0-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: dbus-python-1.1.1-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-dbus-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: newt-python-0.52.15-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rpm-python-4.11.3-43.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-perf-3.10.0-1127.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pytz-2016.10-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: cloud-init-18.5-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-markupsafe-0.11-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpatch-1.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-setuptools-0.9.8-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-prettytable-0.7.2-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-kitchen-1.1.1-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: libxml2-python-2.9.1-6.el7.4.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyserial-2.6-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-firewall-0.6.3-8.el7_8.1.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-gobject-base-3.22.0-1.el7_4.1.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyOpenSSL-0.13.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rhnlib-2.5.65-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-lib-python-0.12.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-psutil-1.2.1-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-gudev-147.2-7.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddress-1.0.16-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pyudev-0.15-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-utils-1.1.31-53.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-dateutil-1.5-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-metadata-parser-1.1.4-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libsemanage-python-2.5-14.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pycurl-7.19.0-19.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-rhsm-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jinja2-2.7.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-syspurpose-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-libglade-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-hwdata-1.7.3-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-1.0-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-chardet-2.2.1-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygpgme-0.3-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-magic-5.11-36.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyliblzma-0.5.3-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygobject2-2.28.6-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libselinux-python-2.5-15.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-decorator-3.4.0-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-schedutils-0.4-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-javapackages-3.4.1-11.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-configobj-4.7.2-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-lxml-3.2.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-requests-2.11.1-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urlgrabber-3.10-10.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: tuned-2.11.0-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpointer-1.9-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pycairo-1.8.10-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddr-2.1.11-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-iniparse-0.4-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-ethtool-0.8-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: PyYAML-3.10-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pysocks-1.5.6-3.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-babel-2.3.4-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-IPy-0.75-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-linux-procfs-0.4.11-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urllib3-1.16-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: m2crypto-0.21.1-17.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-boto-2.34.0-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-inotify-0.9.4-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: audit-libs-python-2.8.5-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-dmidecode-3.12.2-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-six-1.9.0-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: dbus-python-1.1.1-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-dbus-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: newt-python-0.52.15-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rpm-python-4.11.3-43.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-perf-3.10.0-1127.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pytz-2016.10-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: cloud-init-18.5-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-markupsafe-0.11-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpatch-1.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-setuptools-0.9.8-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-prettytable-0.7.2-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-kitchen-1.1.1-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: libxml2-python-2.9.1-6.el7.4.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyserial-2.6-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-firewall-0.6.3-8.el7_8.1.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-gobject-base-3.22.0-1.el7_4.1.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyOpenSSL-0.13.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rhnlib-2.5.65-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-lib-python-0.12.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-psutil-1.2.1-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-gudev-147.2-7.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddress-1.0.16-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pyudev-0.15-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-utils-1.1.31-53.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-dateutil-1.5-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-metadata-parser-1.1.4-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libsemanage-python-2.5-14.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pycurl-7.19.0-19.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-rhsm-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jinja2-2.7.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-syspurpose-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-libglade-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-hwdata-1.7.3-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-1.0-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-chardet-2.2.1-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygpgme-0.3-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-magic-5.11-36.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyliblzma-0.5.3-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygobject2-2.28.6-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libselinux-python-2.5-15.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-decorator-3.4.0-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-schedutils-0.4-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-javapackages-3.4.1-11.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-configobj-4.7.2-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-lxml-3.2.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-requests-2.11.1-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urlgrabber-3.10-10.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: tuned-2.11.0-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpointer-1.9-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pycairo-1.8.10-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddr-2.1.11-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-iniparse-0.4-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-ethtool-0.8-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: PyYAML-3.10-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pysocks-1.5.6-3.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-babel-2.3.4-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-IPy-0.75-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-linux-procfs-0.4.11-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python-argparse for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python-sqlite for package: yum-3.4.3-167.el7.noarch
--> Running transaction check
---> Package PyYAML.x86_64 0:3.10-11.el7 will be erased
---> Package audit-libs-python.x86_64 0:2.8.5-4.el7 will be erased
---> Package authconfig.x86_64 0:6.2.8-30.el7 will be erased
--> Processing Dependency: authconfig = 6.2.8-30.el7 for package: authconfig-gtk-6.2.8-30.el7.x86_64
---> Package cloud-init.x86_64 0:18.5-6.el7 will be erased
---> Package dbus-python.x86_64 0:1.1.1-9.el7 will be erased
--> Processing Dependency: dbus-python for package: rhn-client-tools-2.0.2-24.el7.x86_64
---> Package heat-cfntools.noarch 0:1.2.6-5.el7 will be erased
---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be erased
--> Processing Dependency: jpackage-utils for package: 1:java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64
---> Package libselinux-python.x86_64 0:2.5-15.el7 will be erased
---> Package libsemanage-python.x86_64 0:2.5-14.el7 will be erased
---> Package libxml2-python.x86_64 0:2.9.1-6.el7.4 will be erased
---> Package m2crypto.x86_64 0:0.21.1-17.el7 will be erased
---> Package newt-python.x86_64 0:0.52.15-4.el7 will be erased
---> Package policycoreutils-python.x86_64 0:2.5-34.el7 will be erased
---> Package pyOpenSSL.x86_64 0:0.13.1-4.el7 will be erased
---> Package pycairo.x86_64 0:1.8.10-8.el7 will be erased
---> Package pygobject2.x86_64 0:2.28.6-11.el7 will be erased
---> Package pygpgme.x86_64 0:0.3-9.el7 will be erased
---> Package pygtk2.x86_64 0:2.24.0-9.el7 will be erased
---> Package pygtk2-libglade.x86_64 0:2.24.0-9.el7 will be erased
---> Package pyliblzma.x86_64 0:0.5.3-11.el7 will be erased
---> Package pyserial.noarch 0:2.6-6.el7 will be erased
---> Package python-IPy.noarch 0:0.75-6.el7 will be erased
---> Package python-babel.noarch 0:2.3.4-1.el7ost will be erased
---> Package python-backports.x86_64 0:1.0-8.el7 will be erased
---> Package python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7 will be erased
---> Package python-boto.noarch 0:2.34.0-5.el7 will be erased
---> Package python-chardet.noarch 0:2.2.1-3.el7 will be erased
---> Package python-configobj.noarch 0:4.7.2-7.el7 will be erased
---> Package python-dateutil.noarch 0:1.5-7.el7 will be erased
---> Package python-decorator.noarch 0:3.4.0-3.el7 will be erased
---> Package python-dmidecode.x86_64 0:3.12.2-4.el7 will be erased
---> Package python-ethtool.x86_64 0:0.8-8.el7 will be erased
---> Package python-firewall.noarch 0:0.6.3-8.el7_8.1 will be erased
--> Processing Dependency: python-firewall = 0.6.3-8.el7_8.1 for package: firewalld-0.6.3-8.el7_8.1.noarch
---> Package python-gobject-base.x86_64 0:3.22.0-1.el7_4.1 will be erased
---> Package python-gudev.x86_64 0:147.2-7.el7 will be erased
---> Package python-hwdata.noarch 0:1.7.3-4.el7 will be erased
---> Package python-iniparse.noarch 0:0.4-9.el7 will be erased
---> Package python-inotify.noarch 0:0.9.4-4.el7 will be erased
---> Package python-ipaddr.noarch 0:2.1.11-2.el7 will be erased
---> Package python-ipaddress.noarch 0:1.0.16-2.el7 will be erased
---> Package python-javapackages.noarch 0:3.4.1-11.el7 will be erased
---> Package python-jinja2.noarch 0:2.7.2-4.el7 will be erased
---> Package python-jsonpatch.noarch 0:1.2-4.el7 will be erased
---> Package python-jsonpointer.noarch 0:1.9-2.el7 will be erased
---> Package python-kitchen.noarch 0:1.1.1-5.el7 will be erased
---> Package python-linux-procfs.noarch 0:0.4.11-4.el7 will be erased
---> Package python-lxml.x86_64 0:3.2.1-4.el7 will be erased
---> Package python-magic.noarch 0:5.11-36.el7 will be erased
---> Package python-markupsafe.x86_64 0:0.11-10.el7 will be erased
---> Package python-perf.x86_64 0:3.10.0-1127.el7 will be erased
---> Package python-prettytable.noarch 0:0.7.2-3.el7 will be erased
---> Package python-psutil.x86_64 0:1.2.1-1.el7 will be erased
---> Package python-pycurl.x86_64 0:7.19.0-19.el7 will be erased
---> Package python-pysocks.noarch 0:1.5.6-3.el7ost will be erased
---> Package python-pyudev.noarch 0:0.15-9.el7 will be erased
---> Package python-requests.noarch 0:2.11.1-1.el7ost will be erased
---> Package python-schedutils.x86_64 0:0.4-6.el7 will be erased
---> Package python-setuptools.noarch 0:0.9.8-7.el7 will be erased
---> Package python-six.noarch 0:1.9.0-2.el7 will be erased
---> Package python-slip.noarch 0:0.4.0-4.el7 will be erased
---> Package python-slip-dbus.noarch 0:0.4.0-4.el7 will be erased
---> Package python-syspurpose.x86_64 0:1.24.26-1.el7 will be erased
---> Package python-urlgrabber.noarch 0:3.10-10.el7 will be erased
---> Package python-urllib3.noarch 0:1.16-1.el7ost will be erased
---> Package pytz.noarch 0:2016.10-2.el7 will be erased
---> Package pyxattr.x86_64 0:0.5.1-5.el7 will be erased
---> Package redhat-support-lib-python.noarch 0:0.12.1-1.el7 will be erased
---> Package redhat-support-tool.noarch 0:0.12.2-1.el7 will be erased
---> Package rhnlib.noarch 0:2.5.65-8.el7 will be erased
---> Package rpm-python.x86_64 0:4.11.3-43.el7 will be erased
---> Package subscription-manager.x86_64 0:1.24.26-1.el7 will be erased
---> Package subscription-manager-rhsm.x86_64 0:1.24.26-1.el7 will be erased
---> Package tuned.noarch 0:2.11.0-8.el7 will be erased
---> Package yum.noarch 0:3.4.3-167.el7 will be erased
--> Processing Dependency: yum >= 3.4.3-84 for package: yum-cron-3.4.3-167.el7.noarch
--> Processing Dependency: yum for package: arcp-client-rhel7-generic-3.2-1.noarch
---> Package yum-metadata-parser.x86_64 0:1.1.4-10.el7 will be erased
---> Package yum-updateonboot.noarch 0:1.1.31-53.el7 will be erased
---> Package yum-utils.noarch 0:1.1.31-53.el7 will be erased
--> Running transaction check
---> Package arcp-client-rhel7-generic.noarch 0:3.2-1 will be erased
---> Package authconfig-gtk.x86_64 0:6.2.8-30.el7 will be erased
---> Package firewalld.noarch 0:0.6.3-8.el7_8.1 will be erased
---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.252.b09-2.el7_8 will be erased
--> Processing Dependency: java-1.8.0-openjdk-headless(x86-64) = 1:1.8.0.252.b09-2.el7_8 for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjava.so()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjava.so(SUNWprivate_1.1)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjvm.so()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjvm.so(SUNWprivate_1.1)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
---> Package rhn-client-tools.x86_64 0:2.0.2-24.el7 will be erased
---> Package yum-cron.noarch 0:3.4.3-167.el7 will be erased
--> Running transaction check
---> Package java-1.8.0-openjdk.x86_64 1:1.8.0.252.b09-2.el7_8 will be erased
--> Processing Dependency: /usr/bin/python for package: gettext-0.19.8.1-3.el7.x86_64
--> Processing Dependency: /usr/bin/python for package: 1:nfs-utils-1.3.0-0.66.el7.x86_64
--> Processing Dependency: /usr/bin/python for package: systemd-sysv-219-73.el7_8.5.x86_64
--> Processing Dependency: /usr/bin/python for package: git-1.8.3.1-22.el7_8.x86_64
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package gettext.x86_64 0:0.19.8.1-3.el7 will be erased
--> Processing Dependency: gettext for package: 1:grub2-tools-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-pc-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-tools-minimal-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-tools-extra-2.02-0.81.el7.x86_64
---> Package git.x86_64 0:1.8.3.1-22.el7_8 will be erased
--> Processing Dependency: git = 1.8.3.1-22.el7_8 for package: perl-Git-1.8.3.1-22.el7_8.noarch
---> Package nfs-utils.x86_64 1:1.3.0-0.66.el7 will be erased
---> Package systemd-sysv.x86_64 0:219-73.el7_8.5 will be erased
--> Running transaction check
---> Package grub2-pc.x86_64 1:2.02-0.81.el7 will be erased
--> Processing Dependency: grub2-pc = 1:2.02-0.81.el7 for package: 1:grub2-2.02-0.81.el7.x86_64
---> Package grub2-tools.x86_64 1:2.02-0.81.el7 will be erased
---> Package grub2-tools-extra.x86_64 1:2.02-0.81.el7 will be erased
---> Package grub2-tools-minimal.x86_64 1:2.02-0.81.el7 will be erased
---> Package perl-Git.noarch 0:1.8.3.1-22.el7_8 will be erased
--> Running transaction check
---> Package grub2.x86_64 1:2.02-0.81.el7 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking perl-Error to be removed - no longer needed by git
---> Marking perl-TermReadKey to be removed - no longer needed by git
---> Marking lksctp-tools to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking copy-jdk-configs to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking tzdata-java to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking ebtables to be removed - no longer needed by firewalld
---> Marking firewalld-filesystem to be removed - no longer needed by firewalld
---> Marking ipset to be removed - no longer needed by firewalld
---> Marking usermode-gtk to be removed - no longer needed by authconfig-gtk
---> Marking giflib to be removed - no longer needed by java-1.8.0-openjdk
---> Marking xorg-x11-fonts-Type1 to be removed - no longer needed by java-1.8.0-openjdk
---> Marking libXtst to be removed - no longer needed by java-1.8.0-openjdk
---> Marking libglade2 to be removed - no longer needed by pygtk2-libglade
---> Marking ipset-libs to be removed - no longer needed by ipset
---> Marking ttmkfdir to be removed - no longer needed by xorg-x11-fonts-Type1
---> Marking xorg-x11-font-utils to be removed - no longer needed by xorg-x11-fonts-Type1
---> Marking xml-common to be removed - no longer needed by libglade2
---> Marking libfontenc to be removed - no longer needed by xorg-x11-font-utils
Found and removing 18 unneeded dependencies
--> Running transaction check
---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be erased
---> Package ebtables.x86_64 0:2.0.10-16.el7 will be erased
---> Package firewalld-filesystem.noarch 0:0.6.3-8.el7_8.1 will be erased
---> Package giflib.x86_64 0:4.1.6-9.el7 will be erased
---> Package ipset.x86_64 0:7.1-1.el7 will be erased
---> Package ipset-libs.x86_64 0:7.1-1.el7 will be erased
---> Package libXtst.x86_64 0:1.2.3-1.el7 will be erased
---> Package libfontenc.x86_64 0:1.1.3-3.el7 will be erased
---> Package libglade2.x86_64 0:2.6.4-11.el7 will be erased
---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be erased
---> Package perl-Error.noarch 1:0.17020-2.el7 will be erased
---> Package perl-TermReadKey.x86_64 0:2.30-20.el7 will be erased
---> Package ttmkfdir.x86_64 0:3.0.9-42.el7 will be erased
---> Package tzdata-java.noarch 0:2019c-1.el7 will be erased
---> Package usermode-gtk.x86_64 0:1.111-6.el7 will be erased
---> Package xml-common.noarch 0:0.6.3-39.el7 will be erased
---> Package xorg-x11-font-utils.x86_64 1:7.5-21.el7 will be erased
---> Package xorg-x11-fonts-Type1.noarch 0:7.5-9.el7 will be erased
--> Finished Dependency Resolution
Error: Trying to remove "yum", which is protected


Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)

$ uname -a
Linux XXXXXXXXXXX 3.10.0-1062.12.1.el7.x86_64 #1 SMP Thu Dec 12 06:44:49 EST 2019 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

always

Steps to Reproduce:

see above

Actual results:

see above
Expected results:

yum erase python-2.7.5
succeeds

or https://access.redhat.com/security/cve/CVE-2020-8492 updated from Red Hat Enterprise Linux 7	python	Will not fix to Affected

Additional info:

impacts all RHEL7 systems, including US Government systems

Comment 3 Honza Horak 2020-04-30 13:23:53 UTC

Hello Jason, thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. I see a customer ticket assigned to the CVE tracker itself, but it is not easy to tell from the engineering view whether it is coming from you or somebody else.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels (if not done yet) to ensure it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:
https://access.redhat.com/support

Comment 5 Petr Viktorin (pviktori) 2020-05-20 12:19:14 UTC

Setting Priority to Low until we see some business justification.

Comment 6 Petr Viktorin (pviktori) 2020-07-01 12:27:26 UTC

There is still no business justification or customer case to make the change, so I'm closing the bug.
Please reopen if you disagree.