Executive Summary
Summary | |
---|---|
Title | Python 3 vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1314-1 | First vendor Publication | 2011-12-19 |
Vendor | Ubuntu | Last vendor Modification | 2011-12-19 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Applications using certain Python 3 modules could be made to crash or expose sensitive information over the network. Software Description: - python3.1: An interactive high-level object-oriented language (version 3.1) - python3.2: An interactive high-level object-oriented language (version 3.2) Details: Giampaolo Rodola discovered that the smtpd module in Python 3 did not properly handle certain error conditions. A remote attacker could exploit this to cause a denial of service via daemon outage. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-3493) Niels Heinen discovered that the urllib module in Python 3 would process Location headers that specify a file:// URL. A remote attacker could use this to obtain sensitive information or cause a denial of service via resource consumption. (CVE-2011-1521) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: Ubuntu 10.10: Ubuntu 10.04 LTS: In general, a standard system update will make all the necessary changes. Daemons using the urllib or smtpd modules may also need to be restarted after a pplying this update. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1314-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-362 | Race Condition |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:15345 | |||
Oval ID: | oval:org.mitre.oval:def:15345 | ||
Title: | USN-1314-1 -- Python 3 vulnerabilities | ||
Description: | python3.1: An interactive high-level object-oriented language - python3.2: An interactive high-level object-oriented language Applications using certain Python 3 modules could be made to crash or expose sensitive information over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1314-1 CVE-2010-3493 CVE-2011-1521 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 10.04 Ubuntu 10.10 | Product(s): | Python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19755 | |||
Oval ID: | oval:org.mitre.oval:def:19755 | ||
Title: | VMware ESXi and ESX updates to third party library and ESX Service Console | ||
Description: | Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-3493 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20200 | |||
Oval ID: | oval:org.mitre.oval:def:20200 | ||
Title: | VMware ESXi and ESX updates to third party library and ESX Service Console | ||
Description: | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-1521 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21626 | |||
Oval ID: | oval:org.mitre.oval:def:21626 | ||
Title: | RHSA-2011:0554: python security, bug fix, and enhancement update (Moderate) | ||
Description: | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0554-01 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | python python-docs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21923 | |||
Oval ID: | oval:org.mitre.oval:def:21923 | ||
Title: | RHSA-2011:0492: python security update (Moderate) | ||
Description: | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0492-01 CESA-2011:0492 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 55 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23229 | |||
Oval ID: | oval:org.mitre.oval:def:23229 | ||
Title: | ELSA-2011:0492: python security update (Moderate) | ||
Description: | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0492-01 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 21 |
Platform(s): | Oracle Linux 5 | Product(s): | python |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23473 | |||
Oval ID: | oval:org.mitre.oval:def:23473 | ||
Title: | ELSA-2011:0554: python security, bug fix, and enhancement update (Moderate) | ||
Description: | The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0554-01 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 17 |
Platform(s): | Oracle Linux 6 | Product(s): | python python-docs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28032 | |||
Oval ID: | oval:org.mitre.oval:def:28032 | ||
Title: | DEPRECATED: ELSA-2011-0554 -- python security, bug fix, and enhancement update (moderate) | ||
Description: | python: [2.6.6-20] Resolves: CVE-2010-3493 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0554 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | python python-docs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28060 | |||
Oval ID: | oval:org.mitre.oval:def:28060 | ||
Title: | DEPRECATED: ELSA-2011-0492 -- python security update (moderate) | ||
Description: | [2.4.3-44] - add patch adapted from upstream (patch 208) to add support for building against system expat; add --with-system-expat to configure invocation; remove embedded copy of expat-1.95.8 from the source tree during prep - ensure pyexpat.so gets built by explicitly listing all C modules in the payload in %files, rather than using dynfiles Resolves: CVE-2009-3720 - backport three security fixes to 2.4 (patches 209, 210, 211): Resolves: CVE-2011-1521 Resolves: CVE-2011-1015 Resolves: CVE-2010-3493 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0492 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | python |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-10-19 | Name : Ubuntu Update for python2.4 USN-1613-2 File : nvt/gb_ubuntu_USN_1613_2.nasl |
2012-10-19 | Name : Ubuntu Update for python2.5 USN-1613-1 File : nvt/gb_ubuntu_USN_1613_1.nasl |
2012-10-05 | Name : Ubuntu Update for python2.6 USN-1596-1 File : nvt/gb_ubuntu_USN_1596_1.nasl |
2012-10-03 | Name : Ubuntu Update for python2.7 USN-1592-1 File : nvt/gb_ubuntu_USN_1592_1.nasl |
2012-07-30 | Name : CentOS Update for python CESA-2011:0491 centos4 x86_64 File : nvt/gb_CESA-2011_0491_python_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for python CESA-2011:0492 centos5 x86_64 File : nvt/gb_CESA-2011_0492_python_centos5_x86_64.nasl |
2012-06-06 | Name : RedHat Update for python RHSA-2011:0554-01 File : nvt/gb_RHSA-2011_0554-01_python.nasl |
2012-03-15 | Name : VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Ser... File : nvt/gb_VMSA-2012-0001.nasl |
2011-12-23 | Name : Ubuntu Update for python3.1 USN-1314-1 File : nvt/gb_ubuntu_USN_1314_1.nasl |
2011-10-20 | Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006) File : nvt/gb_macosx_su11-006.nasl |
2011-08-09 | Name : CentOS Update for python CESA-2011:0492 centos5 i386 File : nvt/gb_CESA-2011_0492_python_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for python CESA-2011:0491 centos4 i386 File : nvt/gb_CESA-2011_0491_python_centos4_i386.nasl |
2011-06-07 | Name : Python Multiple Vulnerabilities (Windows) File : nvt/gb_python_mult_vuln_win.nasl |
2011-05-23 | Name : Mandriva Update for python MDVSA-2011:096 (python) File : nvt/gb_mandriva_MDVSA_2011_096.nasl |
2011-05-06 | Name : RedHat Update for python RHSA-2011:0492-01 File : nvt/gb_RHSA-2011_0492-01_python.nasl |
2011-05-06 | Name : RedHat Update for python RHSA-2011:0491-01 File : nvt/gb_RHSA-2011_0491-01_python.nasl |
2010-11-16 | Name : Mandriva Update for python MDVSA-2010:215 (python) File : nvt/gb_mandriva_MDVSA_2010_215.nasl |
2010-11-16 | Name : Mandriva Update for python MDVSA-2010:216 (python) File : nvt/gb_mandriva_MDVSA_2010_216.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
71330 | Python urllib.request file:// URL Handler Redirect Issue Python contains a flaw related to the urllib/urlib2 redirect handling allowing file:// URL schemes. This may allow a remote attacker to use a crafted HTTP redirect response to disclose sensitive information or cause a denial of service via resource consumption. |
68739 | Python smptd Module smtpd.py Race Condition TCP Connection Termination Multip... |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-02-02 | IAVM : 2012-A-0020 - Multiple Vulnerabilities in VMware ESX 4.1 and ESXi 4.1 Severity : Category I - VMSKEY : V0031252 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote VMware ESXi / ESX host is missing a security-related patch. File : vmware_VMSA-2012-0001_remote.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libpython2_6-1_0-101028.nasl - Type : ACT_GATHER_INFO |
2014-01-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-04.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities. File : vmware_esxi_5_0_build_608089_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0491.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0492.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120517.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120516.nasl - Type : ACT_GATHER_INFO |
2012-10-18 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-1.nasl - Type : ACT_GATHER_INFO |
2012-10-18 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-2.nasl - Type : ACT_GATHER_INFO |
2012-10-05 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1596-1.nasl - Type : ACT_GATHER_INFO |
2012-10-03 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1592-1.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110519_python_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110505_python_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-01-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0001.nasl - Type : ACT_GATHER_INFO |
2011-12-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1314-1.nasl - Type : ACT_GATHER_INFO |
2011-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-7506.nasl - Type : ACT_GATHER_INFO |
2011-10-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO |
2011-10-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_7_2.nasl - Type : ACT_GATHER_INFO |
2011-05-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO |
2011-05-25 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-7509.nasl - Type : ACT_GATHER_INFO |
2011-05-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-096.nasl - Type : ACT_GATHER_INFO |
2011-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0554.nasl - Type : ACT_GATHER_INFO |
2011-05-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO |
2011-05-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0492.nasl - Type : ACT_GATHER_INFO |
2011-05-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0492.nasl - Type : ACT_GATHER_INFO |
2011-05-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0491.nasl - Type : ACT_GATHER_INFO |
2011-05-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0491.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libpython2_6-1_0-101028.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-7314.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpython2_6-1_0-101109.nasl - Type : ACT_GATHER_INFO |
2010-12-12 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpython2_6-1_0-101028.nasl - Type : ACT_GATHER_INFO |
2010-11-01 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-216.nasl - Type : ACT_GATHER_INFO |
2010-11-01 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-215.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:59:29 |
|