SCIENTIFIC-LINUX-DEVEL Archives

May 2011

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Mon, 9 May 2011 09:56:46 +0200
Content-Type: text/plain
Parts/Attachments: text/plain (89 lines)

Hi Jason,

It seems these have not been pushed out to 4.9 yet?

Regards,
	Stephan

On May 6, 2011, at 22:58, Jason Harrington wrote:

> Synopsis:   Moderate: python security update
> Issue date: 2011-05-05
> CVE Names:  CVE-2009-3720
>            CVE-2010-1634
>            CVE-2010-2089
>            CVE-2010-3493
>            CVE-2011-1015
>            CVE-2011-1521
> 
> A flaw was found in the Python urllib and urllib2 libraries where they
> would not differentiate between different target URLs when handling
> automatic redirects. This caused Python applications using these modules to
> follow any new URL that they understood, including the "file://" URL type.
> This could allow a remote server to force a local Python application to
> read a local file instead of the remote one, possibly exposing local files
> that were not meant to be exposed. (CVE-2011-1521)
> 
> Multiple flaws were found in the Python audioop module. Supplying certain
> inputs could cause the audioop module to crash or, possibly, execute
> arbitrary code. (CVE-2010-1634, CVE-2010-2089)
> 
> A race condition was found in the way the Python smtpd module handled new
> connections. A remote user could use this flaw to cause a Python script
> using the smtpd module to terminate. (CVE-2010-3493)
> 
> An information disclosure flaw was found in the way the Python
> CGIHTTPServer module processed certain HTTP GET requests. A remote attacker
> could use a specially-crafted request to obtain the CGI script's source
> code. (CVE-2011-1015)
> 
> A buffer over-read flaw was found in the way the Python Expat parser
> handled malformed UTF-8 sequences when processing XML files. A
> specially-crafted XML file could cause Python applications using the Python
> Expat parser to crash while parsing the file. (CVE-2009-3720)
> 
> SL 4.x
>    SRPMS:
>        python-2.3.4-14.10.el4.src.rpm
> 
>    i386:
>        python-2.3.4-14.10.el4.i386.rpm
>        python-devel-2.3.4-14.10.el4.i386.rpm
>        python-docs-2.3.4-14.10.el4.i386.rpm
>        python-tools-2.3.4-14.10.el4.i386.rpm
>        tkinter-2.3.4-14.10.el4.i386.rpm
> 
>    x86_64:
>        python-2.3.4-14.10.el4.x86_64.rpm
>        python-devel-2.3.4-14.10.el4.x86_64.rpm
>        python-docs-2.3.4-14.10.el4.x86_64.rpm
>        python-tools-2.3.4-14.10.el4.x86_64.rpm
>        tkinter-2.3.4-14.10.el4.x86_64.rpm
> 
> SL 5.x
>    SRPMS:
>        python-2.4.3-44.el5.src.rpm
> 
>    i386:
>        python-2.4.3-44.el5.i386.rpm
>        python-devel-2.4.3-44.el5.i386.rpm
>        python-libs-2.4.3-44.el5.i386.rpm
>        python-tools-2.4.3-44.el5.i386.rpm
>        tkinter-2.4.3-44.el5.i386.rpm
> 
>    x86_64:
>        python-2.4.3-44.el5.x86_64.rpm
>        python-devel-2.4.3-44.el5.i386.rpm
>        python-devel-2.4.3-44.el5.x86_64.rpm
>        python-libs-2.4.3-44.el5.x86_64.rpm
>        python-tools-2.4.3-44.el5.x86_64.rpm
>        tkinter-2.4.3-44.el5.x86_64.rpm
> 
> - Scientific Linux Development Team

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany
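The first item in the quoted advisory (CVE-2011-1521) describes a redirect handler that follows any URL scheme the client understands, so a remote server can answer with `Location: file:///...` and turn a remote fetch into a local file read. The following is an added example, not code from the advisory, from the Scientific Linux packages or from the thread's participants; it is written for Python 3's `urllib.request` rather than the Python 2.3/2.4 `urllib2` the advisory patches, and the class and function names are this example's own. It shows the defensive check as an explicit scheme allowlist in a `HTTPRedirectHandler` subclass, plus an offline helper that exercises the redirect decision without touching the network. Later Python releases apply a comparable scheme check inside `http_error_302`; this example makes the policy visible and adjustable in application code.

```python
"""Scheme-restricted redirect handling for urllib.request (Python 3).

Illustrates the defence against the CVE-2011-1521 class of bug: only follow
redirects whose target uses an allowed network scheme, never file:// or any
other local scheme.  Example code; names below are this example's own.
"""
import email.message
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Policy: redirects may only lead to these schemes.  Anything else (file, ftp,
# data, an empty scheme, ...) is refused before a Request is ever built.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect(location):
    """Return True only if the redirect target uses an allowed scheme."""
    scheme = urlsplit(location).scheme.lower()
    return scheme in ALLOWED_REDIRECT_SCHEMES


class SchemeRestrictingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """HTTPRedirectHandler that refuses redirects to non-http(s) schemes.

    redirect_request() is the hook that turns a 3xx response into the follow-up
    Request; rejecting here means the disallowed URL is never opened.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_safe_redirect(newurl):
            raise urllib.error.HTTPError(
                req.full_url, code,
                "refusing redirect to disallowed scheme '%s'" % urlsplit(newurl).scheme,
                headers, fp)
        # Base class handles the usual 301/302/303/307 logic and header copying.
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_restricted_opener():
    """Opener to use instead of urllib.request.urlopen for untrusted servers."""
    return urllib.request.build_opener(SchemeRestrictingRedirectHandler())


def check_redirect(original_url, location, code=302):
    """Offline simulation of the handler's decision for one Location header.

    Mirrors what http_error_302 does before calling redirect_request: the
    Location value is resolved against the original URL.  Returns the scheme
    of the request that would be followed, or None if the redirect is refused.
    No network access is made.
    """
    handler = SchemeRestrictingRedirectHandler()
    req = urllib.request.Request(original_url)
    resolved = urljoin(original_url, location)
    response_headers = email.message.Message()  # constructed, empty header set
    try:
        new_req = handler.redirect_request(req, None, code, "Found",
                                           response_headers, resolved)
    except urllib.error.HTTPError:
        return None
    return urlsplit(new_req.full_url).scheme


if __name__ == "__main__":
    # Constructed Location values a server might send back.
    for loc in ("https://example.org/moved", "/relative/path", "file:///etc/passwd"):
        decision = check_redirect("http://example.org/start", loc)
        print("%-28s -> %s" % (loc, decision if decision else "REFUSED"))
```

Use `build_restricted_opener().open(url)` in place of `urlopen(url)` wherever the server is not fully trusted; the allowlist is deliberately a module-level constant so a code review can see the policy in one place.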
