The documentation XML-RPC server in various Python versions has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Upstream bug: https://bugs.python.org/issue38243

Upstream pull request and commits:
https://github.com/python/cpython/pull/16373
master: https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
3.6: https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
2.7: https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
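A defender-side check for the issue described above, added here and not part of the bug report or of CPython: it renders the documentation page that Lib/xmlrpc/server.py serves for GET requests, with a constructed title containing HTML metacharacters, and reports whether the running interpreter escapes them (the fixed behaviour) or emits them verbatim. The `_InMemoryDocServer` class, `add` sample method and `SAMPLE_TITLE` are assumptions introduced for the example; the class composes `SimpleXMLRPCDispatcher` and `XMLRPCDocGenerator` the same way `DocXMLRPCServer` does, but without binding a socket.

```python
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator


class _InMemoryDocServer(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Hypothetical helper: dispatcher plus doc generator, composed like
    DocXMLRPCServer, so the HTML can be generated offline without a socket."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self, allow_none=False, encoding=None)
        XMLRPCDocGenerator.__init__(self)


def add(a, b):
    """Return the sum of two numbers (sample method so the page lists something)."""
    return a + b


def build_doc_page(server_title):
    """Render the documentation HTML that the server would return for a GET,
    with server_title supplied exactly as an application would pass it."""
    server = _InMemoryDocServer()
    server.register_function(add)
    server.set_server_title(server_title)
    return server.generate_html_documentation()


def title_is_escaped(server_title):
    """Return True if HTML metacharacters in the title reach the page only in
    escaped form (patched interpreter), False if they are emitted verbatim."""
    escaped = html.escape(server_title)
    if escaped == server_title:
        raise ValueError("probe title must contain HTML metacharacters")
    page = build_doc_page(server_title)
    # A patched interpreter emits the escaped form and never the raw one.
    return escaped in page and server_title not in page


# Constructed probe title: harmless markup that must not survive unescaped.
SAMPLE_TITLE = 'Docs <b>&</b> "stats"'

if __name__ == "__main__":
    print("server_title escaped:", title_is_escaped(SAMPLE_TITLE))
```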
Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1763232]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1763233]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1763231]
Affects: fedora-all [bug 1763234]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1763235]

Created python36 tracking bugs for this issue:
Affects: epel-7 [bug 1763230]
Affects: fedora-all [bug 1763236]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1763237]
Statement: This flaw does not affect the versions of python27-python as shipped with Red Hat Software Collections 3 as they already include the fix. This flaw does not affect the versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 as they are "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:3888 https://access.redhat.com/errata/RHSA-2020:3888
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:3911 https://access.redhat.com/errata/RHSA-2020:3911
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16935
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433