Bug 1827852 - yum impacted by CVE-2020-8492 with no identified path to mitigation
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python
Version: 7.8
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Python Maintainers
QA Contact: RHEL CS Apps Subsystem QE
Depends On: CVE-2020-8492
Reported: 2020-04-24 23:29 UTC by Jason Pyeron
Modified: 2021-05-19 17:31 UTC (History)

Last Closed: 2020-07-01 12:27:26 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1809065 0 medium CLOSED CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS 2023-12-15 17:26:01 UTC

Description Jason Pyeron 2020-04-24 23:29:58 UTC
Description of problem:

root@XXXXXXXXXXX ~
# rpm -q yum --requires
/usr/bin/python
config(yum) = 3.4.3-167.el7
cpio
diffutils
pygpgme
pyliblzma
python >= 2.4
python(abi) = 2.7
python-iniparse
python-sqlite
python-urlgrabber >= 3.10-8
pyxattr
rpm >= 0:4.11.3-22
rpm-python
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
yum-metadata-parser >= 1.1.0
rpmlib(PayloadIsXz) <= 5.2-1

root@XXXXXXXXXXX ~
# yum install python3.x86_64
Loaded plugins: product-id, rhui-lb, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package python3.x86_64 0:3.6.8-13.el7 will be installed
--> Processing Dependency: python3-libs(x86-64) = 3.6.8-13.el7 for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: python3-setuptools for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: python3-pip for package: python3-3.6.8-13.el7.x86_64
--> Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: python3-3.6.8-13.el7.x86_64
--> Running transaction check
---> Package python3-libs.x86_64 0:3.6.8-13.el7 will be installed
---> Package python3-pip.noarch 0:9.0.3-7.el7_7 will be installed
---> Package python3-setuptools.noarch 0:39.2.0-10.el7 will be installed
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
Found and removing 0 unneeded dependencies

Dependencies Resolved

============================================================================================================================================================================================================================
 Package                                                    Arch                                           Version                                                 Repository                                          Size
============================================================================================================================================================================================================================
Installing:
 python3                                                    x86_64                                         3.6.8-13.el7                                            rhel7_base                                          69 k
Installing for dependencies:
 python3-libs                                               x86_64                                         3.6.8-13.el7                                            rhel7_base                                         7.0 M
 python3-pip                                                noarch                                         9.0.3-7.el7_7                                           rhel7_base                                         1.8 M
 python3-setuptools                                         noarch                                         39.2.0-10.el7                                           rhel7_base                                         629 k

Transaction Summary
============================================================================================================================================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 9.4 M
Installed size: 48 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): python3-3.6.8-13.el7.x86_64.rpm                                                                                                                                                               |  69 kB  00:00:01
(2/4): python3-pip-9.0.3-7.el7_7.noarch.rpm                                                                                                                                                          | 1.8 MB  00:00:00
(3/4): python3-libs-3.6.8-13.el7.x86_64.rpm                                                                                                                                                          | 7.0 MB  00:00:01
(4/4): python3-setuptools-39.2.0-10.el7.noarch.rpm                                                                                                                                                   | 629 kB  00:00:00
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                       4.8 MB/s | 9.4 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python3-setuptools-39.2.0-10.el7.noarch                                                                                                                                                                  1/4
  Installing : python3-libs-3.6.8-13.el7.x86_64                                                                                                                                                                         2/4
  Installing : python3-3.6.8-13.el7.x86_64                                                                                                                                                                              3/4
  Installing : python3-pip-9.0.3-7.el7_7.noarch                                                                                                                                                                         4/4
  Verifying  : python3-pip-9.0.3-7.el7_7.noarch                                                                                                                                                                         1/4
  Verifying  : python3-3.6.8-13.el7.x86_64                                                                                                                                                                              2/4
  Verifying  : python3-setuptools-39.2.0-10.el7.noarch                                                                                                                                                                  3/4
  Verifying  : python3-libs-3.6.8-13.el7.x86_64                                                                                                                                                                         4/4

Installed:
  python3.x86_64 0:3.6.8-13.el7

Dependency Installed:
  python3-libs.x86_64 0:3.6.8-13.el7                                    python3-pip.noarch 0:9.0.3-7.el7_7                                    python3-setuptools.noarch 0:39.2.0-10.el7

Complete!

root@XXXXXXXXXXX ~
# yum erase python-2.7.5
Loaded plugins: product-id, rhui-lb, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

Resolving Dependencies
--> Running transaction check
---> Package python.x86_64 0:2.7.5-88.el7 will be erased
--> Processing Dependency: python >= 2.2 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python for package: yum-updateonboot-1.1.31-53.el7.noarch
--> Processing Dependency: python for package: javapackages-tools-3.4.1-11.el7.noarch
--> Processing Dependency: python for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python >= 2.4 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urllib3-1.16-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: m2crypto-0.21.1-17.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-boto-2.34.0-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-inotify-0.9.4-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: audit-libs-python-2.8.5-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-dmidecode-3.12.2-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-six-1.9.0-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: dbus-python-1.1.1-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-dbus-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: newt-python-0.52.15-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rpm-python-4.11.3-43.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-perf-3.10.0-1127.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pytz-2016.10-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: cloud-init-18.5-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-markupsafe-0.11-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpatch-1.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-setuptools-0.9.8-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-prettytable-0.7.2-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-kitchen-1.1.1-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: libxml2-python-2.9.1-6.el7.4.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyserial-2.6-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-firewall-0.6.3-8.el7_8.1.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-gobject-base-3.22.0-1.el7_4.1.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyOpenSSL-0.13.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rhnlib-2.5.65-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-lib-python-0.12.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-psutil-1.2.1-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-gudev-147.2-7.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddress-1.0.16-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pyudev-0.15-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-utils-1.1.31-53.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-dateutil-1.5-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-metadata-parser-1.1.4-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libsemanage-python-2.5-14.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pycurl-7.19.0-19.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-rhsm-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jinja2-2.7.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-syspurpose-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-libglade-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-hwdata-1.7.3-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-1.0-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-chardet-2.2.1-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygpgme-0.3-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-magic-5.11-36.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyliblzma-0.5.3-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygobject2-2.28.6-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libselinux-python-2.5-15.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-decorator-3.4.0-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-schedutils-0.4-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-javapackages-3.4.1-11.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-configobj-4.7.2-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-lxml-3.2.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-requests-2.11.1-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urlgrabber-3.10-10.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: tuned-2.11.0-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpointer-1.9-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pycairo-1.8.10-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddr-2.1.11-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-iniparse-0.4-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-ethtool-0.8-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: PyYAML-3.10-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pysocks-1.5.6-3.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-babel-2.3.4-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-IPy-0.75-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-linux-procfs-0.4.11-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urllib3-1.16-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: m2crypto-0.21.1-17.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-boto-2.34.0-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-inotify-0.9.4-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: audit-libs-python-2.8.5-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-dmidecode-3.12.2-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-six-1.9.0-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: dbus-python-1.1.1-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-dbus-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: newt-python-0.52.15-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rpm-python-4.11.3-43.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-perf-3.10.0-1127.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pytz-2016.10-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-slip-0.4.0-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: cloud-init-18.5-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-markupsafe-0.11-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpatch-1.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-tool-0.12.2-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-setuptools-0.9.8-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-prettytable-0.7.2-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-kitchen-1.1.1-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: libxml2-python-2.9.1-6.el7.4.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyserial-2.6-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: policycoreutils-python-2.5-34.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-firewall-0.6.3-8.el7_8.1.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-gobject-base-3.22.0-1.el7_4.1.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyOpenSSL-0.13.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: rhnlib-2.5.65-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: redhat-support-lib-python-0.12.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-psutil-1.2.1-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-gudev-147.2-7.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddress-1.0.16-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: authconfig-6.2.8-30.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pyudev-0.15-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-utils-1.1.31-53.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-dateutil-1.5-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-metadata-parser-1.1.4-10.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libsemanage-python-2.5-14.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pycurl-7.19.0-19.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pyxattr-0.5.1-5.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: subscription-manager-rhsm-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-jinja2-2.7.2-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-syspurpose-1.24.26-1.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygtk2-libglade-2.24.0-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-hwdata-1.7.3-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-1.0-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-chardet-2.2.1-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pygpgme-0.3-9.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-magic-5.11-36.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pyliblzma-0.5.3-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: pygobject2-2.28.6-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: libselinux-python-2.5-15.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-decorator-3.4.0-3.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-schedutils-0.4-6.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-javapackages-3.4.1-11.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-configobj-4.7.2-7.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-lxml-3.2.1-4.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-requests-2.11.1-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-urlgrabber-3.10-10.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: tuned-2.11.0-8.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-jsonpointer-1.9-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: pycairo-1.8.10-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-ipaddr-2.1.11-2.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-iniparse-0.4-9.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-ethtool-0.8-8.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: PyYAML-3.10-11.el7.x86_64
--> Processing Dependency: python(abi) = 2.7 for package: python-pysocks-1.5.6-3.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-babel-2.3.4-1.el7ost.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-IPy-0.75-6.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: python-linux-procfs-0.4.11-4.el7.noarch
--> Processing Dependency: python(abi) = 2.7 for package: yum-3.4.3-167.el7.noarch
--> Processing Dependency: python-argparse for package: heat-cfntools-1.2.6-5.el7.noarch
--> Processing Dependency: python-sqlite for package: yum-3.4.3-167.el7.noarch
--> Running transaction check
---> Package PyYAML.x86_64 0:3.10-11.el7 will be erased
---> Package audit-libs-python.x86_64 0:2.8.5-4.el7 will be erased
---> Package authconfig.x86_64 0:6.2.8-30.el7 will be erased
--> Processing Dependency: authconfig = 6.2.8-30.el7 for package: authconfig-gtk-6.2.8-30.el7.x86_64
---> Package cloud-init.x86_64 0:18.5-6.el7 will be erased
---> Package dbus-python.x86_64 0:1.1.1-9.el7 will be erased
--> Processing Dependency: dbus-python for package: rhn-client-tools-2.0.2-24.el7.x86_64
---> Package heat-cfntools.noarch 0:1.2.6-5.el7 will be erased
---> Package javapackages-tools.noarch 0:3.4.1-11.el7 will be erased
--> Processing Dependency: jpackage-utils for package: 1:java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64
---> Package libselinux-python.x86_64 0:2.5-15.el7 will be erased
---> Package libsemanage-python.x86_64 0:2.5-14.el7 will be erased
---> Package libxml2-python.x86_64 0:2.9.1-6.el7.4 will be erased
---> Package m2crypto.x86_64 0:0.21.1-17.el7 will be erased
---> Package newt-python.x86_64 0:0.52.15-4.el7 will be erased
---> Package policycoreutils-python.x86_64 0:2.5-34.el7 will be erased
---> Package pyOpenSSL.x86_64 0:0.13.1-4.el7 will be erased
---> Package pycairo.x86_64 0:1.8.10-8.el7 will be erased
---> Package pygobject2.x86_64 0:2.28.6-11.el7 will be erased
---> Package pygpgme.x86_64 0:0.3-9.el7 will be erased
---> Package pygtk2.x86_64 0:2.24.0-9.el7 will be erased
---> Package pygtk2-libglade.x86_64 0:2.24.0-9.el7 will be erased
---> Package pyliblzma.x86_64 0:0.5.3-11.el7 will be erased
---> Package pyserial.noarch 0:2.6-6.el7 will be erased
---> Package python-IPy.noarch 0:0.75-6.el7 will be erased
---> Package python-babel.noarch 0:2.3.4-1.el7ost will be erased
---> Package python-backports.x86_64 0:1.0-8.el7 will be erased
---> Package python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7 will be erased
---> Package python-boto.noarch 0:2.34.0-5.el7 will be erased
---> Package python-chardet.noarch 0:2.2.1-3.el7 will be erased
---> Package python-configobj.noarch 0:4.7.2-7.el7 will be erased
---> Package python-dateutil.noarch 0:1.5-7.el7 will be erased
---> Package python-decorator.noarch 0:3.4.0-3.el7 will be erased
---> Package python-dmidecode.x86_64 0:3.12.2-4.el7 will be erased
---> Package python-ethtool.x86_64 0:0.8-8.el7 will be erased
---> Package python-firewall.noarch 0:0.6.3-8.el7_8.1 will be erased
--> Processing Dependency: python-firewall = 0.6.3-8.el7_8.1 for package: firewalld-0.6.3-8.el7_8.1.noarch
---> Package python-gobject-base.x86_64 0:3.22.0-1.el7_4.1 will be erased
---> Package python-gudev.x86_64 0:147.2-7.el7 will be erased
---> Package python-hwdata.noarch 0:1.7.3-4.el7 will be erased
---> Package python-iniparse.noarch 0:0.4-9.el7 will be erased
---> Package python-inotify.noarch 0:0.9.4-4.el7 will be erased
---> Package python-ipaddr.noarch 0:2.1.11-2.el7 will be erased
---> Package python-ipaddress.noarch 0:1.0.16-2.el7 will be erased
---> Package python-javapackages.noarch 0:3.4.1-11.el7 will be erased
---> Package python-jinja2.noarch 0:2.7.2-4.el7 will be erased
---> Package python-jsonpatch.noarch 0:1.2-4.el7 will be erased
---> Package python-jsonpointer.noarch 0:1.9-2.el7 will be erased
---> Package python-kitchen.noarch 0:1.1.1-5.el7 will be erased
---> Package python-linux-procfs.noarch 0:0.4.11-4.el7 will be erased
---> Package python-lxml.x86_64 0:3.2.1-4.el7 will be erased
---> Package python-magic.noarch 0:5.11-36.el7 will be erased
---> Package python-markupsafe.x86_64 0:0.11-10.el7 will be erased
---> Package python-perf.x86_64 0:3.10.0-1127.el7 will be erased
---> Package python-prettytable.noarch 0:0.7.2-3.el7 will be erased
---> Package python-psutil.x86_64 0:1.2.1-1.el7 will be erased
---> Package python-pycurl.x86_64 0:7.19.0-19.el7 will be erased
---> Package python-pysocks.noarch 0:1.5.6-3.el7ost will be erased
---> Package python-pyudev.noarch 0:0.15-9.el7 will be erased
---> Package python-requests.noarch 0:2.11.1-1.el7ost will be erased
---> Package python-schedutils.x86_64 0:0.4-6.el7 will be erased
---> Package python-setuptools.noarch 0:0.9.8-7.el7 will be erased
---> Package python-six.noarch 0:1.9.0-2.el7 will be erased
---> Package python-slip.noarch 0:0.4.0-4.el7 will be erased
---> Package python-slip-dbus.noarch 0:0.4.0-4.el7 will be erased
---> Package python-syspurpose.x86_64 0:1.24.26-1.el7 will be erased
---> Package python-urlgrabber.noarch 0:3.10-10.el7 will be erased
---> Package python-urllib3.noarch 0:1.16-1.el7ost will be erased
---> Package pytz.noarch 0:2016.10-2.el7 will be erased
---> Package pyxattr.x86_64 0:0.5.1-5.el7 will be erased
---> Package redhat-support-lib-python.noarch 0:0.12.1-1.el7 will be erased
---> Package redhat-support-tool.noarch 0:0.12.2-1.el7 will be erased
---> Package rhnlib.noarch 0:2.5.65-8.el7 will be erased
---> Package rpm-python.x86_64 0:4.11.3-43.el7 will be erased
---> Package subscription-manager.x86_64 0:1.24.26-1.el7 will be erased
---> Package subscription-manager-rhsm.x86_64 0:1.24.26-1.el7 will be erased
---> Package tuned.noarch 0:2.11.0-8.el7 will be erased
---> Package yum.noarch 0:3.4.3-167.el7 will be erased
--> Processing Dependency: yum >= 3.4.3-84 for package: yum-cron-3.4.3-167.el7.noarch
--> Processing Dependency: yum for package: arcp-client-rhel7-generic-3.2-1.noarch
---> Package yum-metadata-parser.x86_64 0:1.1.4-10.el7 will be erased
---> Package yum-updateonboot.noarch 0:1.1.31-53.el7 will be erased
---> Package yum-utils.noarch 0:1.1.31-53.el7 will be erased
--> Running transaction check
---> Package arcp-client-rhel7-generic.noarch 0:3.2-1 will be erased
---> Package authconfig-gtk.x86_64 0:6.2.8-30.el7 will be erased
---> Package firewalld.noarch 0:0.6.3-8.el7_8.1 will be erased
---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.252.b09-2.el7_8 will be erased
--> Processing Dependency: java-1.8.0-openjdk-headless(x86-64) = 1:1.8.0.252.b09-2.el7_8 for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjava.so()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjava.so(SUNWprivate_1.1)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjvm.so()(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
--> Processing Dependency: libjvm.so(SUNWprivate_1.1)(64bit) for package: 1:java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64
---> Package rhn-client-tools.x86_64 0:2.0.2-24.el7 will be erased
---> Package yum-cron.noarch 0:3.4.3-167.el7 will be erased
--> Running transaction check
---> Package java-1.8.0-openjdk.x86_64 1:1.8.0.252.b09-2.el7_8 will be erased
--> Processing Dependency: /usr/bin/python for package: gettext-0.19.8.1-3.el7.x86_64
--> Processing Dependency: /usr/bin/python for package: 1:nfs-utils-1.3.0-0.66.el7.x86_64
--> Processing Dependency: /usr/bin/python for package: systemd-sysv-219-73.el7_8.5.x86_64
--> Processing Dependency: /usr/bin/python for package: git-1.8.3.1-22.el7_8.x86_64
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package gettext.x86_64 0:0.19.8.1-3.el7 will be erased
--> Processing Dependency: gettext for package: 1:grub2-tools-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-pc-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-tools-minimal-2.02-0.81.el7.x86_64
--> Processing Dependency: gettext for package: 1:grub2-tools-extra-2.02-0.81.el7.x86_64
---> Package git.x86_64 0:1.8.3.1-22.el7_8 will be erased
--> Processing Dependency: git = 1.8.3.1-22.el7_8 for package: perl-Git-1.8.3.1-22.el7_8.noarch
---> Package nfs-utils.x86_64 1:1.3.0-0.66.el7 will be erased
---> Package systemd-sysv.x86_64 0:219-73.el7_8.5 will be erased
--> Running transaction check
---> Package grub2-pc.x86_64 1:2.02-0.81.el7 will be erased
--> Processing Dependency: grub2-pc = 1:2.02-0.81.el7 for package: 1:grub2-2.02-0.81.el7.x86_64
---> Package grub2-tools.x86_64 1:2.02-0.81.el7 will be erased
---> Package grub2-tools-extra.x86_64 1:2.02-0.81.el7 will be erased
---> Package grub2-tools-minimal.x86_64 1:2.02-0.81.el7 will be erased
---> Package perl-Git.noarch 0:1.8.3.1-22.el7_8 will be erased
--> Running transaction check
---> Package grub2.x86_64 1:2.02-0.81.el7 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking perl-Error to be removed - no longer needed by git
---> Marking perl-TermReadKey to be removed - no longer needed by git
---> Marking lksctp-tools to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking copy-jdk-configs to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking tzdata-java to be removed - no longer needed by java-1.8.0-openjdk-headless
---> Marking ebtables to be removed - no longer needed by firewalld
---> Marking firewalld-filesystem to be removed - no longer needed by firewalld
---> Marking ipset to be removed - no longer needed by firewalld
---> Marking usermode-gtk to be removed - no longer needed by authconfig-gtk
---> Marking giflib to be removed - no longer needed by java-1.8.0-openjdk
---> Marking xorg-x11-fonts-Type1 to be removed - no longer needed by java-1.8.0-openjdk
---> Marking libXtst to be removed - no longer needed by java-1.8.0-openjdk
---> Marking libglade2 to be removed - no longer needed by pygtk2-libglade
---> Marking ipset-libs to be removed - no longer needed by ipset
---> Marking ttmkfdir to be removed - no longer needed by xorg-x11-fonts-Type1
---> Marking xorg-x11-font-utils to be removed - no longer needed by xorg-x11-fonts-Type1
---> Marking xml-common to be removed - no longer needed by libglade2
---> Marking libfontenc to be removed - no longer needed by xorg-x11-font-utils
Found and removing 18 unneeded dependencies
--> Running transaction check
---> Package copy-jdk-configs.noarch 0:3.3-10.el7_5 will be erased
---> Package ebtables.x86_64 0:2.0.10-16.el7 will be erased
---> Package firewalld-filesystem.noarch 0:0.6.3-8.el7_8.1 will be erased
---> Package giflib.x86_64 0:4.1.6-9.el7 will be erased
---> Package ipset.x86_64 0:7.1-1.el7 will be erased
---> Package ipset-libs.x86_64 0:7.1-1.el7 will be erased
---> Package libXtst.x86_64 0:1.2.3-1.el7 will be erased
---> Package libfontenc.x86_64 0:1.1.3-3.el7 will be erased
---> Package libglade2.x86_64 0:2.6.4-11.el7 will be erased
---> Package lksctp-tools.x86_64 0:1.0.17-2.el7 will be erased
---> Package perl-Error.noarch 1:0.17020-2.el7 will be erased
---> Package perl-TermReadKey.x86_64 0:2.30-20.el7 will be erased
---> Package ttmkfdir.x86_64 0:3.0.9-42.el7 will be erased
---> Package tzdata-java.noarch 0:2019c-1.el7 will be erased
---> Package usermode-gtk.x86_64 0:1.111-6.el7 will be erased
---> Package xml-common.noarch 0:0.6.3-39.el7 will be erased
---> Package xorg-x11-font-utils.x86_64 1:7.5-21.el7 will be erased
---> Package xorg-x11-fonts-Type1.noarch 0:7.5-9.el7 will be erased
--> Finished Dependency Resolution
Error: Trying to remove "yum", which is protected


Version-Release number of selected component (if applicable):

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)

$ uname -a
Linux XXXXXXXXXXX 3.10.0-1062.12.1.el7.x86_64 #1 SMP Thu Dec 12 06:44:49 EST 2019 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

always

Steps to Reproduce:

see above

Actual results:

see above

Expected results:

yum erase python-2.7.5
succeeds

or https://access.redhat.com/security/cve/CVE-2020-8492 updated from "Red Hat Enterprise Linux 7 | python | Will not fix" to "Affected"

Additional info:

impacts all RHEL7 systems, including US Government systems

Comment 3 Honza Horak 2020-04-30 13:23:53 UTC
Hello Jason, thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. I see a customer ticket assigned to the CVE tracker itself, but it is not easy to tell from the engineering view whether it is coming from you or somebody else.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels (if not done yet) to ensure it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit:
https://access.redhat.com/support

Comment 5 Petr Viktorin (pviktori) 2020-05-20 12:19:14 UTC
Setting Priority to Low until we see some business justification.

Comment 6 Petr Viktorin (pviktori) 2020-07-01 12:27:26 UTC
There is still no business justification or customer case to make the change, so I'm closing the bug.
Please reopen if you disagree.

