lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040310050712.14036.qmail@updates.mandrakesoft.com> From: security at linux-mandrake.com (Mandrake Linux Security Team) Subject: MDKSA-2004:019 - Updated python packages fix buffer overflow vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: python Advisory ID: MDKSA-2004:019 Date: March 9th, 2004 Affected versions: 9.0, Corporate Server 2.1 ______________________________________________________________________ Problem Description: A buffer overflow in python 2.2's getaddrinfo() function was discovered by Sebastian Schmidt. If python 2.2 is built without IPv6 support, an attacker could configure their name server to let a hostname resolve to a special IPv6 address, which could contain a memory address where shellcode is placed. This problem does not affect python versions prior to 2.2 or versions 2.2.2+, and it also doesn't exist if IPv6 support is enabled. The updated packages have been patched to correct the problem. Thanks to Sebastian for both the discovery and patch. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0150 ______________________________________________________________________ Updated Packages: Corporate Server 2.1: 879da513052f8a7f22f46b32c8edd064 corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.i586.rpm 41aabf6642342583667e7f7614b2b1af corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.i586.rpm 79afd48bc89cf1dd3580f9b9d210ab08 corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.i586.rpm 0e6280b152a9f65677da9ce35bbfc987 corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.i586.rpm 9e0eaadd3d9e3a15b95acb17fbde064d corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.i586.rpm f241bc6291f1d5a46e95a2e5fa7e7791 corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.i586.rpm 84625a172626fe08ff13bce7b2030641 corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm Corporate Server 2.1/x86_64: 5b523008885552a89c17197f1091c850 x86_64/corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.x86_64.rpm 44befc507f68059d14f46c758ed57380 x86_64/corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.x86_64.rpm 0dfefaf01bb9ac8a5cecc444900be1b2 x86_64/corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.x86_64.rpm cd79821fb454279049337f3bd0885479 x86_64/corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.x86_64.rpm 955bd9c56f666e19e146feb9da0087b7 x86_64/corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.x86_64.rpm 651c007f402400e18c51ac97ae3da84e x86_64/corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.x86_64.rpm 84625a172626fe08ff13bce7b2030641 x86_64/corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm Mandrakelinux 9.0: 9e8ecf81acdf6e00066b020bead51c4a 9.0/RPMS/libpython2.2-2.2.1-14.4.90mdk.i586.rpm 990622b91606efd81f8fe2b40c8576f3 9.0/RPMS/libpython2.2-devel-2.2.1-14.4.90mdk.i586.rpm b91abc21fad8020cbee047ad1bbf0da8 9.0/RPMS/python-2.2.1-14.4.90mdk.i586.rpm a08fb0bad8dafca71f0e08a343c95412 9.0/RPMS/python-base-2.2.1-14.4.90mdk.i586.rpm 3d2be84aab4e0fab2cb86c9e6bacc25f 9.0/RPMS/python-docs-2.2.1-14.4.90mdk.i586.rpm a765ef4de6610a6ea880dc17aeab7636 9.0/RPMS/tkinter-2.2.1-14.4.90mdk.i586.rpm 1ad8d764521ada5597da5f5083dfd1f6 9.0/SRPMS/python-2.2.1-14.4.90mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98 Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrakelinux at: http://www.mandrakesecure.net/en/advisories/ Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFATqJ/mqjQ0CJFipgRAtEtAJkB8w2/Qf1eXYE/eGMBh55sKX/MpwCeI+No P3uOOAxXMBCVPT+J3QDN41E= =8F0Z -----END PGP SIGNATURE-----
Powered by blists - more mailing lists