SCIENTIFIC-LINUX-ERRATA Archives

June 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Thu, 2 Jun 2011 09:52:29 -0500
Content-Type: text/plain

python-docs was also part of the security update.  It has been tested and 
pushed out.  We apologize for missing it.

SL 6.x
       i386:
python-docs-2.6.6-2.el6.noarch.rpm
       x86_64:
python-docs-2.6.6-2.el6.noarch.rpm

Troy

On 06/01/2011 11:16 AM, Troy J Dawson wrote:
> Synopsis:    Moderate: python security, bug fix, and enhancement update
> Issue Date:  2011-05-19
> CVE Numbers: CVE-2010-3493
>                CVE-2011-1015
>                CVE-2011-1521
>
>
> Python is an interpreted, interactive, object-oriented programming
> language.
>
> A flaw was found in the Python urllib and urllib2 libraries where they
> would not differentiate between different target URLs when handling
> automatic redirects. This caused Python applications using these modules to
> follow any new URL that they understood, including the "file://" URL type.
> This could allow a remote server to force a local Python application to
> read a local file instead of the remote one, possibly exposing local files
> that were not meant to be exposed. (CVE-2011-1521)
>
> A race condition was found in the way the Python smtpd module handled new
> connections. A remote user could use this flaw to cause a Python script
> using the smtpd module to terminate. (CVE-2010-3493)
>
> An information disclosure flaw was found in the way the Python
> CGIHTTPServer module processed certain HTTP GET requests. A remote attacker
> could use a specially-crafted request to obtain the CGI script's source
> code. (CVE-2011-1015)
>
> This erratum also upgrades Python to upstream version 2.6.6, and includes a
> number of bug fixes and enhancements. Documentation for these bug fixes
> and enhancements is available from the Technical Notes document, linked to
> in the References section.
>
> All users of Python are advised to upgrade to these updated packages, which
> correct these issues, and fix the bugs and add the enhancements noted in
> the Technical Notes.
>
> SL6
>     i386:
>        python-2.6.6-20.el6.i686.rpm
>        python-libs-2.6.6-20.el6.i686.rpm
>        tkinter-2.6.6-20.el6.i686.rpm
>        python-devel-2.6.6-20.el6.i686.rpm
>        python-test-2.6.6-20.el6.i686.rpm
>        python-tools-2.6.6-20.el6.i686.rpm
>     x86_64:
>        python-2.6.6-20.el6.x86_64.rpm
>        python-libs-2.6.6-20.el6.x86_64.rpm
>        tkinter-2.6.6-20.el6.x86_64.rpm
>        python-devel-2.6.6-20.el6.x86_64.rpm
>        python-test-2.6.6-20.el6.x86_64.rpm
>        python-tools-2.6.6-20.el6.x86_64.rpm
>
> - Scientific Linux Development Team


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/SCF/FEF/SLSMS Group
__________________________________________________
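
A client-side guard for the redirect behaviour described under CVE-2011-1521, as an added example that is not part of the original message or of the Scientific Linux or Python packages. It is written for Python 3's urllib.request (the successor to urllib2); the handler name, the http/https-only allowlist and the https-downgrade check are assumptions of this example.

```python
# Added example: allowlist the targets of automatic redirects by URL scheme.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumption: this client only ever needs to fetch web resources.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def redirect_allowed(current_url, location):
    """Return True if a redirect from current_url to `location` may be followed."""
    source = urlsplit(current_url)
    # Location may be relative; resolve it the way the client would.
    target = urlsplit(urljoin(current_url, location))
    if target.scheme not in ALLOWED_REDIRECT_SCHEMES:
        return False  # refuses file://, ftp:// and any other non-web scheme
    if source.scheme == "https" and target.scheme != "https":
        return False  # refuses a downgrade from https to http
    return bool(target.netloc)  # a redirect must name a network host


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that checks every hop before following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise urllib.error.HTTPError(
                req.full_url, code,
                "redirect to disallowed URL refused: %r" % newurl,
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_safe_opener():
    """Opener whose redirects go through SchemeCheckingRedirectHandler."""
    return urllib.request.build_opener(SchemeCheckingRedirectHandler)
```

Fetch untrusted URLs with build_safe_opener().open(url) rather than the module-level urlopen, so each redirect hop is checked before it is followed.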
