Issued:
2014-06-11
Updated:
2014-06-11

RHSA-2014:0748 - Security Advisory

Synopsis

Moderate: python33-python-jinja2 and python27-python-jinja2 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated python33-python-jinja2 and python27-python-jinja2 packages that fix
one security issue are now available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

Jinja2 is a template engine written in pure Python. It provides a
Django-inspired, non-XML syntax but supports inline expressions and an
optional sandboxed environment.

It was discovered that Jinja2 did not properly handle bytecode cache files
stored in the system's temporary directory. A local attacker could use this
flaw to alter the output of an application using Jinja2 and
FileSystemBytecodeCache, and potentially execute arbitrary code with the
privileges of that application. (CVE-2014-1402)

All Jinja2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all applications using Jinja2 must be restarted.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 6 x86_64

Fixes

  • BZ - 1051421 - CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
python27-python-jinja2-2.6-11.el7.src.rpm SHA-256: 3d41acb78128fa6cd836695d224fb7f21c6d1c2b8e3dd8bf6e5a81f79f929873
python33-python-jinja2-2.6-12.el7.src.rpm SHA-256: 2003eff0bc12df481d2e973f26cf21e475fcffc815568dc45651415fe8a3e71b
x86_64
python27-python-jinja2-2.6-11.el7.noarch.rpm SHA-256: b3e627a6e2f53e087a1d423adee99e3a8b851dd68a3c85ab9371b8c4fdf933d2
python33-python-jinja2-2.6-12.el7.noarch.rpm SHA-256: 5f8a9af87495e3c8ea0bbcd67ac6e9c2b104c6a172d0dbf67096dd1ff2aae21b

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.6

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.5

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.4

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.3

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Server) 1 for RHEL 6

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
python27-python-jinja2-2.6-11.el7.src.rpm SHA-256: 3d41acb78128fa6cd836695d224fb7f21c6d1c2b8e3dd8bf6e5a81f79f929873
python33-python-jinja2-2.6-12.el7.src.rpm SHA-256: 2003eff0bc12df481d2e973f26cf21e475fcffc815568dc45651415fe8a3e71b
x86_64
python27-python-jinja2-2.6-11.el7.noarch.rpm SHA-256: b3e627a6e2f53e087a1d423adee99e3a8b851dd68a3c85ab9371b8c4fdf933d2
python33-python-jinja2-2.6-12.el7.noarch.rpm SHA-256: 5f8a9af87495e3c8ea0bbcd67ac6e9c2b104c6a172d0dbf67096dd1ff2aae21b

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 7

SRPM
python27-python-jinja2-2.6-11.el7.src.rpm SHA-256: 3d41acb78128fa6cd836695d224fb7f21c6d1c2b8e3dd8bf6e5a81f79f929873
python33-python-jinja2-2.6-12.el7.src.rpm SHA-256: 2003eff0bc12df481d2e973f26cf21e475fcffc815568dc45651415fe8a3e71b
x86_64
python27-python-jinja2-2.6-11.el7.noarch.rpm SHA-256: b3e627a6e2f53e087a1d423adee99e3a8b851dd68a3c85ab9371b8c4fdf933d2
python33-python-jinja2-2.6-12.el7.noarch.rpm SHA-256: 5f8a9af87495e3c8ea0bbcd67ac6e9c2b104c6a172d0dbf67096dd1ff2aae21b

Red Hat Software Collections (for RHEL Server) from RHUI 1 for RHEL 6

SRPM
python27-python-jinja2-2.6-10.el6.src.rpm SHA-256: 82245c550bbfb140cac53fa3c453283420f14e37a8bda1800a48a62b842c6ea7
python33-python-jinja2-2.6-11.el6.src.rpm SHA-256: a7a1314678e6baf7f01d8b607979ccc9d6f69668be0be2851c8ff5f253f14db0
x86_64
python27-python-jinja2-2.6-10.el6.noarch.rpm SHA-256: b67e399238ca6ce89a88cf8d930de265a602cf2d3a347de5878c7c8d4908dfc7
python33-python-jinja2-2.6-11.el6.noarch.rpm SHA-256: c2e21ace748779a3c8f1c9114f00cb75edb00afe0211bbdc371c668db11d10e7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.