lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 30 Oct 2010 15:42:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:215 ] python

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:215
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : python
 Date    : October 30, 2010
 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities was discovered and corrected in python:
 
 Buffer underflow in the rgbimg module in Python 2.5 allows remote
 attackers to cause a denial of service (application crash) via a large
 ZSIZE value in a black-and-white (aka B/W) RGB image that triggers
 an invalid pointer dereference (CVE-2009-4134).
 
 Integer overflow in rgbimgmodule.c in the rgbimg module in Python
 2.5 allows remote attackers to have an unspecified impact via a large
 image that triggers a buffer overflow.  NOTE: this vulnerability exists
 because of an incomplete fix for CVE-2008-3143.12 (CVE-2010-1449).
 
 Multiple buffer overflows in the RLE decoder in the rgbimg module in
 Python 2.5 allow remote attackers to have an unspecified impact via an
 image file containing crafted data that triggers improper processing
 within the (1) longimagedata or (2) expandrow function (CVE-2010-1450).
 
 The asyncore module in Python before 3.2 does not properly handle
 unsuccessful calls to the accept function, and does not have
 accompanying documentation describing how daemon applications should
 handle unsuccessful calls to the accept function, which makes it
 easier for remote attackers to conduct denial of service attacks that
 terminate these applications via network connections (CVE-2010-3492).
 
 Multiple race conditions in smtpd.py in the smtpd module in Python 2.6,
 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of
 service (daemon outage) by establishing and then immediately closing
 a TCP connection, leading to the accept function having an unexpected
 return value of None, an unexpected value of None for the address,
 or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername
 function having an ENOTCONN error, a related issue to CVE-2010-3492
 (CVE-2010-3493).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4134
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1449
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1450
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3492
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3493
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 7a00126d581458ad3e1f9195cfe44b56  2009.0/i586/libpython2.5-2.5.2-5.9mdv2009.0.i586.rpm
 821b23366eb5a1f2fe486b8b4876a17b  2009.0/i586/libpython2.5-devel-2.5.2-5.9mdv2009.0.i586.rpm
 7cc4e06ec1539e65b18788216f5cfec2  2009.0/i586/python-2.5.2-5.9mdv2009.0.i586.rpm
 0e2922c24b13b8428201d65dd3a5e69f  2009.0/i586/python-base-2.5.2-5.9mdv2009.0.i586.rpm
 6aac8e518cf4fdcf5d11e41869b7cc23  2009.0/i586/python-docs-2.5.2-5.9mdv2009.0.i586.rpm
 42f1cb02ad93c2871b7ef26d91dd084c  2009.0/i586/tkinter-2.5.2-5.9mdv2009.0.i586.rpm
 89dd31e1bd79bfdcb773ae27b9a23eae  2009.0/i586/tkinter-apps-2.5.2-5.9mdv2009.0.i586.rpm 
 36eabc2f36f1fc3fee03beea40c5b3ff  2009.0/SRPMS/python-2.5.2-5.9mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ab11f5dbfd4220284f65591a5e627a2f  2009.0/x86_64/lib64python2.5-2.5.2-5.9mdv2009.0.x86_64.rpm
 b7bf0eb696e77af9a6f833a810cd691c  2009.0/x86_64/lib64python2.5-devel-2.5.2-5.9mdv2009.0.x86_64.rpm
 f0fa937935849fa7b8ccfe9d0ad23a22  2009.0/x86_64/python-2.5.2-5.9mdv2009.0.x86_64.rpm
 9b6094c0d9b8d7305c4dd6d1e9957793  2009.0/x86_64/python-base-2.5.2-5.9mdv2009.0.x86_64.rpm
 4d29dc9f22c17f4ee5587aed6082d54f  2009.0/x86_64/python-docs-2.5.2-5.9mdv2009.0.x86_64.rpm
 846f140203bc61160c8e9be21bec8caf  2009.0/x86_64/tkinter-2.5.2-5.9mdv2009.0.x86_64.rpm
 d83f1ca9fb74bb6bc19f27bfca4565a2  2009.0/x86_64/tkinter-apps-2.5.2-5.9mdv2009.0.x86_64.rpm 
 36eabc2f36f1fc3fee03beea40c5b3ff  2009.0/SRPMS/python-2.5.2-5.9mdv2009.0.src.rpm

 Corporate 4.0:
 e3525726eb8b420b631c1e7293200f76  corporate/4.0/i586/libpython2.4-2.4.5-0.7.20060mlcs4.i586.rpm
 62a30354a30738ee1d9c8e09fa781931  corporate/4.0/i586/libpython2.4-devel-2.4.5-0.7.20060mlcs4.i586.rpm
 c12e4aee6ec61df748905ea3fbc683b1  corporate/4.0/i586/python-2.4.5-0.7.20060mlcs4.i586.rpm
 cfa6231f5bd6d42b92e06be405979532  corporate/4.0/i586/python-base-2.4.5-0.7.20060mlcs4.i586.rpm
 89bb605645f87975ea06cd0d0adb1242  corporate/4.0/i586/python-docs-2.4.5-0.7.20060mlcs4.i586.rpm
 7112a9c89287d80edac65a2c9543de58  corporate/4.0/i586/tkinter-2.4.5-0.7.20060mlcs4.i586.rpm 
 af061ddc3fe400553ce48a986f1413c8  corporate/4.0/SRPMS/python-2.4.5-0.7.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 d4e789862c00c01d154cb676c958fc66  corporate/4.0/x86_64/lib64python2.4-2.4.5-0.7.20060mlcs4.x86_64.rpm
 cc0e0a6797fadbce21133a706be2585e  corporate/4.0/x86_64/lib64python2.4-devel-2.4.5-0.7.20060mlcs4.x86_64.rpm
 63b408e0f3aa7324eda422232f57bbf8  corporate/4.0/x86_64/python-2.4.5-0.7.20060mlcs4.x86_64.rpm
 0023db0a34e646a1fdd8803852ac6f1f  corporate/4.0/x86_64/python-base-2.4.5-0.7.20060mlcs4.x86_64.rpm
 0e78fed213618878e55f3aee5e83b8df  corporate/4.0/x86_64/python-docs-2.4.5-0.7.20060mlcs4.x86_64.rpm
 7ca482e628699e8d588fe64bdfd91257  corporate/4.0/x86_64/tkinter-2.4.5-0.7.20060mlcs4.x86_64.rpm 
 af061ddc3fe400553ce48a986f1413c8  corporate/4.0/SRPMS/python-2.4.5-0.7.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 0ec5bf2d929c006c683c9e8323655198  mes5/i586/libpython2.5-2.5.2-5.9mdvmes5.1.i586.rpm
 2ce1526827f9a6b2cb6f1767b05fb468  mes5/i586/libpython2.5-devel-2.5.2-5.9mdvmes5.1.i586.rpm
 0d8d0f8a937fbd2b29de19dd558aa9a3  mes5/i586/python-2.5.2-5.9mdvmes5.1.i586.rpm
 0d5632de99d6f3a73a1d0f5b9c09fe60  mes5/i586/python-base-2.5.2-5.9mdvmes5.1.i586.rpm
 ae17f9d8dd571e3867709fd2b3225de5  mes5/i586/python-docs-2.5.2-5.9mdvmes5.1.i586.rpm
 03d2415da7afb9c4c0f7ac06ac76a5d2  mes5/i586/tkinter-2.5.2-5.9mdvmes5.1.i586.rpm
 6a474c44ad872f18e61eb73c988f8c05  mes5/i586/tkinter-apps-2.5.2-5.9mdvmes5.1.i586.rpm 
 75ba289267fc9c02315cb2bb18d62aed  mes5/SRPMS/python-2.5.2-5.9mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 d94d195ee2597a8cc65cbd156045da16  mes5/x86_64/lib64python2.5-2.5.2-5.9mdvmes5.1.x86_64.rpm
 99b5668212ff8e4dd5d6798e8b96f5d6  mes5/x86_64/lib64python2.5-devel-2.5.2-5.9mdvmes5.1.x86_64.rpm
 de021441be5c405a36ef2f9222afc186  mes5/x86_64/python-2.5.2-5.9mdvmes5.1.x86_64.rpm
 1478b55d09d14e419afb4d15ae37958d  mes5/x86_64/python-base-2.5.2-5.9mdvmes5.1.x86_64.rpm
 e479b97543e149706200d580bc76048c  mes5/x86_64/python-docs-2.5.2-5.9mdvmes5.1.x86_64.rpm
 af465bc5f398ad142a32d4412e940ee9  mes5/x86_64/tkinter-2.5.2-5.9mdvmes5.1.x86_64.rpm
 7839e25fcad9d3c55329b61c86a0cead  mes5/x86_64/tkinter-apps-2.5.2-5.9mdvmes5.1.x86_64.rpm 
 75ba289267fc9c02315cb2bb18d62aed  mes5/SRPMS/python-2.5.2-5.9mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMy/LFmqjQ0CJFipgRAtxgAKCdMyuiPoFxjBEatV6KMLD/h7lF0gCfUdcP
GbmwC3tS9AGI9Pgd0KD5jjE=
=SLNl
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists