lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1QO9tt-0006uk-Ex@titan.mandriva.com>
Date: Sun, 22 May 2011 16:45:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:096 ] python

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:096
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : python
 Date    : May 22, 2011
 Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in python:
 
 The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module
 in Python 2.5, 2.6, and 3.0 allows remote attackers to read script
 source code via an HTTP GET request that lacks a / (slash) character
 at the beginning of the URI (CVE-2011-1015).
 
 A flaw was found in the Python urllib and urllib2 libraries where
 they would not differentiate between different target URLs when
 handling automatic redirects. This caused Python applications using
 these modules to follow any new URL that they understood, including
 the file:// URL type. This could allow a remote server to force a
 local Python application to read a local file instead of the remote
 one, possibly exposing local files that were not meant to be exposed
 (CVE-2011-1521).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1015
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1521
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 71a60b6ca82c16cfa81779f586aa2c0a  2009.0/i586/libpython2.5-2.5.2-5.10mdv2009.0.i586.rpm
 2138c57ad81a8beaf0c1eb999fd08818  2009.0/i586/libpython2.5-devel-2.5.2-5.10mdv2009.0.i586.rpm
 6c9a3ffe4bc52ed61e77a77c374ad2c4  2009.0/i586/python-2.5.2-5.10mdv2009.0.i586.rpm
 0d31faceacbae7dc06f844d1214e2d16  2009.0/i586/python-base-2.5.2-5.10mdv2009.0.i586.rpm
 49b78565dcb28d01e5c691b0f2bcd3af  2009.0/i586/python-docs-2.5.2-5.10mdv2009.0.i586.rpm
 1ffd2e9dd42735800a7f6ad7d941a5ac  2009.0/i586/tkinter-2.5.2-5.10mdv2009.0.i586.rpm
 cdafb079c8e76379949c49c3cb1ef4b2  2009.0/i586/tkinter-apps-2.5.2-5.10mdv2009.0.i586.rpm 
 5cb94b684ff22b2eda7e04753bdce16d  2009.0/SRPMS/python-2.5.2-5.10mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 e04c68e9eb21516ce89484751ded4332  2009.0/x86_64/lib64python2.5-2.5.2-5.10mdv2009.0.x86_64.rpm
 92622926645273db1a646a736ea2a432  2009.0/x86_64/lib64python2.5-devel-2.5.2-5.10mdv2009.0.x86_64.rpm
 c427548e0873e70318b9c945a09bba83  2009.0/x86_64/python-2.5.2-5.10mdv2009.0.x86_64.rpm
 03f147cad7afa130c07920fe93426bc3  2009.0/x86_64/python-base-2.5.2-5.10mdv2009.0.x86_64.rpm
 70162d5fe5b7808212243660f9e54241  2009.0/x86_64/python-docs-2.5.2-5.10mdv2009.0.x86_64.rpm
 a86197e50c1c75c0256f7e40cab56a34  2009.0/x86_64/tkinter-2.5.2-5.10mdv2009.0.x86_64.rpm
 926914ec91cb07fc4e796dc9f9245f3f  2009.0/x86_64/tkinter-apps-2.5.2-5.10mdv2009.0.x86_64.rpm 
 5cb94b684ff22b2eda7e04753bdce16d  2009.0/SRPMS/python-2.5.2-5.10mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 53d5109e8564c4532d5dedef2ac043f4  2010.1/i586/libpython2.6-2.6.5-2.3mdv2010.2.i586.rpm
 023b47ab6db33ddcd14b69a3b7d9b6f8  2010.1/i586/libpython2.6-devel-2.6.5-2.3mdv2010.2.i586.rpm
 ca24b1ba72889504816ff01f8296dad7  2010.1/i586/python-2.6.5-2.3mdv2010.2.i586.rpm
 9f951c32522a8d4a20dc6218d7f5b977  2010.1/i586/python-docs-2.6.5-2.3mdv2010.2.i586.rpm
 17194376e65542d2a94c650ac3b4d895  2010.1/i586/tkinter-2.6.5-2.3mdv2010.2.i586.rpm
 7cbc356feff956567b2f5ab6d64f3600  2010.1/i586/tkinter-apps-2.6.5-2.3mdv2010.2.i586.rpm 
 31ecbe18b9a10119e03ef380a913db1e  2010.1/SRPMS/python-2.6.5-2.3mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 81b99d093052e70a8a53085917e4afb3  2010.1/x86_64/lib64python2.6-2.6.5-2.3mdv2010.2.x86_64.rpm
 fcc80b83b1fdce270e712f2657fbb8ca  2010.1/x86_64/lib64python2.6-devel-2.6.5-2.3mdv2010.2.x86_64.rpm
 f3c02fbd937c6100b4a65e334055e7fa  2010.1/x86_64/python-2.6.5-2.3mdv2010.2.x86_64.rpm
 1043662e88b55abe675a263082ce82c2  2010.1/x86_64/python-docs-2.6.5-2.3mdv2010.2.x86_64.rpm
 93ba6c063614368421de9e4b4bdbbb6a  2010.1/x86_64/tkinter-2.6.5-2.3mdv2010.2.x86_64.rpm
 cf0decdce784a86d5307dd19b6914a8e  2010.1/x86_64/tkinter-apps-2.6.5-2.3mdv2010.2.x86_64.rpm 
 31ecbe18b9a10119e03ef380a913db1e  2010.1/SRPMS/python-2.6.5-2.3mdv2010.2.src.rpm

 Corporate 4.0:
 198c6a033fc80b0355e065a14f644696  corporate/4.0/i586/libpython2.4-2.4.5-0.8.20060mlcs4.i586.rpm
 c0616f9351989ea9d7033d958a5eafd8  corporate/4.0/i586/libpython2.4-devel-2.4.5-0.8.20060mlcs4.i586.rpm
 e1becc70b0a76ca8ae6ceb1697705171  corporate/4.0/i586/python-2.4.5-0.8.20060mlcs4.i586.rpm
 1e43557301ab20d6ef1deaee5095987f  corporate/4.0/i586/python-base-2.4.5-0.8.20060mlcs4.i586.rpm
 ad1797a8ded8c1ef1eaa4ff94f0a090e  corporate/4.0/i586/python-docs-2.4.5-0.8.20060mlcs4.i586.rpm
 1e086c1a3d1074363f2d5e8d9c396e4e  corporate/4.0/i586/tkinter-2.4.5-0.8.20060mlcs4.i586.rpm 
 cc3e848102354412fe99da194af47f39  corporate/4.0/SRPMS/python-2.4.5-0.8.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 da20c277e2ff0776b7499287096702ac  corporate/4.0/x86_64/lib64python2.4-2.4.5-0.8.20060mlcs4.x86_64.rpm
 d0075eb6df5b520c04eb936f10a73c32  corporate/4.0/x86_64/lib64python2.4-devel-2.4.5-0.8.20060mlcs4.x86_64.rpm
 b491194cce5942ad249ba283c52954b0  corporate/4.0/x86_64/python-2.4.5-0.8.20060mlcs4.x86_64.rpm
 13d75957e66ce76d338e9326cad6cdff  corporate/4.0/x86_64/python-base-2.4.5-0.8.20060mlcs4.x86_64.rpm
 f7896e57d5b843f3f7ff7dd4b3eebe03  corporate/4.0/x86_64/python-docs-2.4.5-0.8.20060mlcs4.x86_64.rpm
 70586950943cc3dafce38ac09a0ff83d  corporate/4.0/x86_64/tkinter-2.4.5-0.8.20060mlcs4.x86_64.rpm 
 cc3e848102354412fe99da194af47f39  corporate/4.0/SRPMS/python-2.4.5-0.8.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 d28940e4700e46457096fcc2a13307cc  mes5/i586/libpython2.5-2.5.2-5.10mdvmes5.2.i586.rpm
 bcf1487a2fae5458d9ab0ac34a5a307a  mes5/i586/libpython2.5-devel-2.5.2-5.10mdvmes5.2.i586.rpm
 38c26a661f8858439a1cc2df1bd41df5  mes5/i586/python-2.5.2-5.10mdvmes5.2.i586.rpm
 9b13e52c7ef8e8d0795d7fdc6808b2b8  mes5/i586/python-base-2.5.2-5.10mdvmes5.2.i586.rpm
 5002cd05dd26292cb2cee766a6555865  mes5/i586/python-docs-2.5.2-5.10mdvmes5.2.i586.rpm
 36426ccd627743116fad029322e53dd3  mes5/i586/tkinter-2.5.2-5.10mdvmes5.2.i586.rpm
 fa420530fd85947a87b3f45eeff156f3  mes5/i586/tkinter-apps-2.5.2-5.10mdvmes5.2.i586.rpm 
 95e5e9d7cf268894a9d520de0ce560d0  mes5/SRPMS/python-2.5.2-5.10mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 23d67a8f9b6d8815dca9b8bd4664f40a  mes5/x86_64/lib64python2.5-2.5.2-5.10mdvmes5.2.x86_64.rpm
 d64356213d58f79800d4948880c5eeb6  mes5/x86_64/lib64python2.5-devel-2.5.2-5.10mdvmes5.2.x86_64.rpm
 75a6f96e22760d4fdcc2ae46a512b260  mes5/x86_64/python-2.5.2-5.10mdvmes5.2.x86_64.rpm
 efcf39cf6b3bcc1d78fd35be60215b59  mes5/x86_64/python-base-2.5.2-5.10mdvmes5.2.x86_64.rpm
 fba99d4b5b1ff39ab9521a543d7c6ec8  mes5/x86_64/python-docs-2.5.2-5.10mdvmes5.2.x86_64.rpm
 68763e27ed0848ca8f9d2d30f31b02d9  mes5/x86_64/tkinter-2.5.2-5.10mdvmes5.2.x86_64.rpm
 5ee0e3d48de97f70edd16ff8dc13615e  mes5/x86_64/tkinter-apps-2.5.2-5.10mdvmes5.2.x86_64.rpm 
 95e5e9d7cf268894a9d520de0ce560d0  mes5/SRPMS/python-2.5.2-5.10mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFN2PFImqjQ0CJFipgRAiU/AJ4r8U479TGDL2Y/y8pnigz1WmCxMgCgsARl
AYo6vcjj/qwevAUXSbsysc8=
=oy4t
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ