In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
Reference: https://palletsprojects.com/blog/jinja-2-10-1-released/
Upstream commit: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
Created python-jinja2 tracking bugs for this issue: Affects: epel-6 [bug 1698840]
Created python-jinja2 tracking bugs for this issue:
Affects: fedora-all [bug 1699111]
Created python3-jinja2 tracking bugs for this issue:
Affects: epel-6 [bug 1699113]
Affects: epel-7 [bug 1699114]
External References: https://palletsprojects.com/blog/jinja-2-10-1-released/
Mitigation: If you cannot upgrade python-Jinja2, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.
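The following is an added example, not code from Red Hat or the Jinja project, showing two things: first, in plain Python, why an attacker-chosen format string handed to str.format_map is a sandbox escape (a format field can walk `obj.__init__.__globals__` to module-level state without calling anything), and second, the `is_safe_attribute` override the mitigation above describes, which makes `format_map` on string objects unreachable from templates regardless of the installed Jinja version. It assumes jinja2 is installed; `SECRET_KEY`, the `Account` class and the hostile template are constructed for the demonstration.

```python
"""Added example: the str.format_map sandbox-escape primitive and the
is_safe_attribute() mitigation.  Requires jinja2; SECRET_KEY, Account and
the hostile template are constructed for the demo, not taken from any project.
"""
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for configuration the template layer must never expose.
SECRET_KEY = "constructed-secret-0xDEADBEEF"


class Account:
    """A harmless-looking object an application might hand to a template.

    Any instance of a class defined in Python exposes the path
    obj.__init__.__globals__, i.e. this module's globals, SECRET_KEY included.
    """

    def __init__(self, name):
        self.name = name


# A format string is a traversal language: it cannot call anything, but
# attribute access and [key] indexing are enough to reach module globals.
HOSTILE_FORMAT = "{a.__init__.__globals__[SECRET_KEY]}"


def leak_via_format_map(obj):
    """Pure-Python reproduction of the primitive: str.format_map() with an
    attacker-chosen format string reads a module-level secret through obj."""
    return HOSTILE_FORMAT.format_map({"a": obj})


# The same primitive as a template.  A sandbox before 2.10.1 intercepted
# str.format() but let str.format_map() through to the real method.
HOSTILE_TEMPLATE = '{{ "' + HOSTILE_FORMAT + '".format_map({"a": acct}) }}'


class HardenedSandbox(SandboxedEnvironment):
    """SandboxedEnvironment with the advisory's mitigation applied.

    Templates can never obtain str.format_map; every other attribute keeps
    the stock sandbox policy (underscore names, unsafe methods, etc.).
    """

    def is_safe_attribute(self, obj, attr, value):
        if isinstance(obj, str) and attr == "format_map":
            return False
        return super().is_safe_attribute(obj, attr, value)


def render_in_sandbox(env, source, **context):
    """Render an untrusted template in the given sandbox environment."""
    return env.from_string(source).render(**context)


def sandbox_blocks(env, source, **context):
    """True if the environment refuses the template with SecurityError,
    False if it renders; lets callers compare sandbox policies."""
    try:
        render_in_sandbox(env, source, **context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    acct = Account("alice")
    print("plain Python leak:", leak_via_format_map(acct))
    hardened = HardenedSandbox()
    print("benign template  :", render_in_sandbox(hardened, "Hello {{ acct.name }}", acct=acct))
    print("hardened blocks  :", sandbox_blocks(hardened, HOSTILE_TEMPLATE, acct=acct))
    # On Jinja >= 2.10.1 the stock sandbox also reports True here; on a
    # vulnerable 2.10 it reports False and the render returns SECRET_KEY.
    print("stock sandbox    :", sandbox_blocks(SandboxedEnvironment(), HOSTILE_TEMPLATE, acct=acct))
```

The override is deliberately narrow: it denies exactly the attribute the advisory names, on `str` objects only, and defers everything else to the parent class so the stock rules for underscore-prefixed names and unsafe methods stay in force. The cost is that any template which legitimately called `.format_map` now fails with SecurityError; `.format` is left alone because the sandbox has routed it through its own attribute-checking formatter since 2.8.1. Treat this as a stopgap until python-jinja2 is upgraded to 2.10.1 or later, where the fix is built in.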
Statement: Red Hat Virtualization Management Appliance includes python-jinja2 as a dependency of ovirt-engine-backend, which only uses it with controlled format strings that are not exploitable. Red Hat Satellite 6 will receive fixes through the underlying Red Hat Enterprise Linux, so it will not issue updates for its own affected package. This issue does not affect the versions of python-jinja2 shipped with:
* Red Hat Enterprise Linux 6 and 7, as python2 does not support str.format_map.
* Red Hat Update Infrastructure, as it does not use the sandbox feature and does not allow untrusted jinja2 templates.
* Red Hat Ceph Storage 2 and 3 and Red Hat Gluster Storage 3, as python2 does not support str.format_map.
* Red Hat OpenStack Platform 13 and 14, as python2 does not support str.format_map.
Why are there no bugs created for the python27:2.7 module, where python-jinja2 is available? Should I create them as a copy of the bugs for rhel 8.0.0 and 8.1.0?
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1152 https://access.redhat.com/errata/RHSA-2019:1152
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1237 https://access.redhat.com/errata/RHSA-2019:1237
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1329 https://access.redhat.com/errata/RHSA-2019:1329