6.4 - USN-1592-1

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	Python 2.7 vulnerabilities

Informations
Name	USN-1592-1	First vendor Publication	2012-10-02
Vendor	Ubuntu	Last vendor Modification	2012-10-02
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Cvss Base Score	6.4	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10 - Ubuntu 11.04

Summary:

Several security issues were fixed in Python 2.7.

Software Description: - python2.7: An interactive high-level object-oriented language
(version 2.7)

Details:

Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521)

It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940)

It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944)

It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845)

It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This updates adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. (CVE-2012-1150)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.10:
python2.7 2.7.2-5ubuntu1.1
python2.7-minimal 2.7.2-5ubuntu1.1

Ubuntu 11.04:
python2.7 2.7.1-5ubuntu2.2
python2.7-minimal 2.7.1-5ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1592-1
CVE-2011-1521, CVE-2011-4940, CVE-2011-4944, CVE-2012-0845,
CVE-2012-1150

Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.2-5ubuntu1.1
https://launchpad.net/ubuntu/+source/python2.7/2.7.1-5ubuntu2.2

Original Source

Url : http://www.ubuntu.com/usn/USN-1592-1

CWE : Common Weakness Enumeration

%	Id	Name
40 %	CWE-399	Resource Management Errors
20 %	CWE-310	Cryptographic Issues
20 %	CWE-264	Permissions, Privileges, and Access Controls
20 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15345

Oval ID:	oval:org.mitre.oval:def:15345
Title:	USN-1314-1 -- Python 3 vulnerabilities
Description:	python3.1: An interactive high-level object-oriented language - python3.2: An interactive high-level object-oriented language Applications using certain Python 3 modules could be made to crash or expose sensitive information over the network.
Family:	unix	Class:	patch
Reference(s):	USN-1314-1 CVE-2010-3493 CVE-2011-1521	Version:	5
Platform(s):	Ubuntu 11.04 Ubuntu 10.04 Ubuntu 10.10	Product(s):	Python
Definition Synopsis:
Release section Ubuntu 11.04 is installed AND Installed architecture is all AND Packages section python3.1-minimal DPKG is earlier than 3.1.3-1ubuntu1.1 AND python3.2-minimal DPKG is earlier than 3.2-1ubuntu1.1 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND python3.1-minimal DPKG is earlier than 3.1.2-0ubuntu3.1 OR Release section Ubuntu 10.10 is installed AND Installed architecture is all AND python3.1-minimal DPKG is earlier than 3.1.2+20100915-0ubuntu4.1

Definition Id: oval:org.mitre.oval:def:17976

Oval ID:	oval:org.mitre.oval:def:17976
Title:	USN-1592-1 -- python2.7 vulnerabilities
Description:	Several security issues were fixed in Python 2.7.
Family:	unix	Class:	patch
Reference(s):	USN-1592-1 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150	Version:	7
Platform(s):	Ubuntu 11.10 Ubuntu 11.04	Product(s):	python2.7
Definition Synopsis:
Release section Ubuntu 11.10 is installed Packages match section python2.7 DPKG is earlier than 2.7.2-5ubuntu1.1 AND python2.7-minimal DPKG is earlier than 2.7.2-5ubuntu1.1 AND Release section Ubuntu 11.04 is installed Packages match section python2.7 DPKG is earlier than 2.7.1-5ubuntu2.2 AND python2.7-minimal DPKG is earlier than 2.7.1-5ubuntu2.2

Definition Id: oval:org.mitre.oval:def:18043

Oval ID:	oval:org.mitre.oval:def:18043
Title:	USN-1596-1 -- python2.6 vulnerabilities
Description:	Several security issues were fixed in Python 2.6.
Family:	unix	Class:	patch
Reference(s):	USN-1596-1 CVE-2008-5983 CVE-2010-1634 CVE-2010-2089 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150	Version:	7
Platform(s):	Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04	Product(s):	python2.6
Definition Synopsis:
Release section Ubuntu 11.10 is installed Packages match section python2.6 DPKG is earlier than 2.6.7-4ubuntu1.1 AND python2.6-minimal DPKG is earlier than 2.6.7-4ubuntu1.1 AND Release section Ubuntu 11.04 is installed Packages match section python2.6 DPKG is earlier than 2.6.6-6ubuntu7.1 AND python2.6-minimal DPKG is earlier than 2.6.6-6ubuntu7.1 AND Release section Ubuntu 10.04 is installed Packages match section python2.6 DPKG is earlier than 2.6.5-1ubuntu6.1 AND python2.6-minimal DPKG is earlier than 2.6.5-1ubuntu6.1

Definition Id: oval:org.mitre.oval:def:19784

Oval ID:	oval:org.mitre.oval:def:19784
Title:	VMware security updates for vSphere API and ESX Service Console
Description:	Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2011-4944	Version:	4
Platform(s):	VMWare ESX Server 4.1	Product(s):
Definition Synopsis:
Patch ESX410-201211407-SG is not installed VMware ESX Server 4.1 is installed AND Patch ESX410-201211407-SG is not installed

Definition Id: oval:org.mitre.oval:def:20200

Oval ID:	oval:org.mitre.oval:def:20200
Title:	VMware ESXi and ESX updates to third party library and ESX Service Console
Description:	The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2011-1521	Version:	4
Platform(s):	VMWare ESX Server 4.1 VMWare ESX Server 4.0	Product(s):
Definition Synopsis:
Patch ESX410-201201405-SG is not installed VMware ESX Server 4.1 is installed AND Patch ESX410-201201405-SG is not installed OR Patch ESX400-201203402-SG is not installed VMware ESX Server 4.0 is installed AND Patch ESX400-201203402-SG is not installed

Definition Id: oval:org.mitre.oval:def:20623

Oval ID:	oval:org.mitre.oval:def:20623
Title:	VMware security updates for vSphere API and ESX Service Console
Description:	The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2011-4940	Version:	4
Platform(s):	VMWare ESX Server 4.1	Product(s):
Definition Synopsis:
Patch ESX410-201211407-SG is not installed VMware ESX Server 4.1 is installed AND Patch ESX410-201211407-SG is not installed

Definition Id: oval:org.mitre.oval:def:20677

Oval ID:	oval:org.mitre.oval:def:20677
Title:	VMware security updates for vSphere API and ESX Service Console
Description:	Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2012-1150	Version:	4
Platform(s):	VMWare ESX Server 4.1	Product(s):
Definition Synopsis:
Patch ESX410-201211407-SG is not installed VMware ESX Server 4.1 is installed AND Patch ESX410-201211407-SG is not installed

Definition Id: oval:org.mitre.oval:def:21287

Oval ID:	oval:org.mitre.oval:def:21287
Title:	RHSA-2012:0745: python security update (Moderate)
Description:	Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Family:	unix	Class:	patch
Reference(s):	RHSA-2012:0745-00 CESA-2012:0745 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150	Version:	42
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	python
Definition Synopsis:
Redhat 5 or Centos 5 release The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages section python-devel is earlier than 0:2.4.3-46.el5_8.2 AND python-libs is earlier than 0:2.4.3-46.el5_8.2 AND python is earlier than 0:2.4.3-46.el5_8.2 AND tkinter is earlier than 0:2.4.3-46.el5_8.2 AND python-tools is earlier than 0:2.4.3-46.el5_8.2

Definition Id: oval:org.mitre.oval:def:21389

Oval ID:	oval:org.mitre.oval:def:21389
Title:	RHSA-2012:0744: python security update (Moderate)
Description:	Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Family:	unix	Class:	patch
Reference(s):	RHSA-2012:0744-01 CESA-2012:0744 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150	Version:	55
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	python
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section python-devel is earlier than 0:2.6.6-29.el6_2.2 AND python-test is earlier than 0:2.6.6-29.el6_2.2 AND tkinter is earlier than 0:2.6.6-29.el6_2.2 AND python is earlier than 0:2.6.6-29.el6_2.2 AND python-tools is earlier than 0:2.6.6-29.el6_2.2 AND python-libs is earlier than 0:2.6.6-29.el6_2.2

Definition Id: oval:org.mitre.oval:def:21626

Oval ID:	oval:org.mitre.oval:def:21626
Title:	RHSA-2011:0554: python security, bug fix, and enhancement update (Moderate)
Description:	The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Family:	unix	Class:	patch
Reference(s):	RHSA-2011:0554-01 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	42
Platform(s):	Red Hat Enterprise Linux 6	Product(s):	python python-docs
Definition Synopsis:
The operating system installed on the system is Red Hat Enterprise Linux 6 Packages section python-docs is earlier than 0:2.6.6-2.el6 AND python-devel is earlier than 0:2.6.6-20.el6 AND python-test is earlier than 0:2.6.6-20.el6 AND tkinter is earlier than 0:2.6.6-20.el6 AND python is earlier than 0:2.6.6-20.el6 AND python-libs is earlier than 0:2.6.6-20.el6 AND python-tools is earlier than 0:2.6.6-20.el6

Definition Id: oval:org.mitre.oval:def:21923

Oval ID:	oval:org.mitre.oval:def:21923
Title:	RHSA-2011:0492: python security update (Moderate)
Description:	The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Family:	unix	Class:	patch
Reference(s):	RHSA-2011:0492-01 CESA-2011:0492 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	55
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	python
Definition Synopsis:
Redhat 5 or Centos 5 release The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages section python-devel is earlier than 0:2.4.3-44.el5 AND python-libs is earlier than 0:2.4.3-44.el5 AND tkinter is earlier than 0:2.4.3-44.el5 AND python is earlier than 0:2.4.3-44.el5 AND python-tools is earlier than 0:2.4.3-44.el5

Definition Id: oval:org.mitre.oval:def:23066

Oval ID:	oval:org.mitre.oval:def:23066
Title:	ELSA-2012:0745: python security update (Moderate)
Description:	Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Family:	unix	Class:	patch
Reference(s):	ELSA-2012:0745-00 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150	Version:	17
Platform(s):	Oracle Linux 5	Product(s):	python
Definition Synopsis:
Oracle Linux 5.x rpm test python-devel is earlier than 0:2.4.3-46.el5_8.2 AND python-libs is earlier than 0:2.4.3-46.el5_8.2 AND python is earlier than 0:2.4.3-46.el5_8.2 AND tkinter is earlier than 0:2.4.3-46.el5_8.2 AND python-tools is earlier than 0:2.4.3-46.el5_8.2

Definition Id: oval:org.mitre.oval:def:23229

Oval ID:	oval:org.mitre.oval:def:23229
Title:	ELSA-2011:0492: python security update (Moderate)
Description:	The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Family:	unix	Class:	patch
Reference(s):	ELSA-2011:0492-01 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	21
Platform(s):	Oracle Linux 5	Product(s):	python
Definition Synopsis:
Oracle Linux 5.x rpm test python-devel is earlier than 0:2.4.3-44.el5 AND python-libs is earlier than 0:2.4.3-44.el5 AND tkinter is earlier than 0:2.4.3-44.el5 AND python is earlier than 0:2.4.3-44.el5 AND python-tools is earlier than 0:2.4.3-44.el5

Definition Id: oval:org.mitre.oval:def:23473

Oval ID:	oval:org.mitre.oval:def:23473
Title:	ELSA-2011:0554: python security, bug fix, and enhancement update (Moderate)
Description:	The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Family:	unix	Class:	patch
Reference(s):	ELSA-2011:0554-01 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	17
Platform(s):	Oracle Linux 6	Product(s):	python python-docs
Definition Synopsis:
Oracle Linux 6.x rpm test python-docs is earlier than 0:2.6.6-2.el6 AND python-devel is earlier than 0:2.6.6-20.el6 AND python-test is earlier than 0:2.6.6-20.el6 AND tkinter is earlier than 0:2.6.6-20.el6 AND python is earlier than 0:2.6.6-20.el6 AND python-libs is earlier than 0:2.6.6-20.el6 AND python-tools is earlier than 0:2.6.6-20.el6

Definition Id: oval:org.mitre.oval:def:23753

Oval ID:	oval:org.mitre.oval:def:23753
Title:	ELSA-2012:0744: python security update (Moderate)
Description:	Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Family:	unix	Class:	patch
Reference(s):	ELSA-2012:0744-01 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150	Version:	21
Platform(s):	Oracle Linux 6	Product(s):	python
Definition Synopsis:
Oracle Linux 6.x rpm test python-devel is earlier than 0:2.6.6-29.el6_2.2 AND python-test is earlier than 0:2.6.6-29.el6_2.2 AND tkinter is earlier than 0:2.6.6-29.el6_2.2 AND python is earlier than 0:2.6.6-29.el6_2.2 AND python-tools is earlier than 0:2.6.6-29.el6_2.2 AND python-libs is earlier than 0:2.6.6-29.el6_2.2

Definition Id: oval:org.mitre.oval:def:27594

Oval ID:	oval:org.mitre.oval:def:27594
Title:	DEPRECATED: ELSA-2012-0745 -- python security update (moderate)
Description:	[2.4.3-46.el5_8.2] - if hash randomization is enabled, also enable it within pyexpat Resolves: CVE-2012-0876 [2.4.3-46.el5_8.1] - distutils.commands.register: create ~/.pypirc securely Resolves: CVE-2011-4944 - send encoding in SimpleHTTPServer.list_directory to protect IE7 against potential XSS attacks Resolves: CVE-2011-4940 - oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types Resolves: CVE-2012-1150
Family:	unix	Class:	patch
Reference(s):	ELSA-2012-0745 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	python
Definition Synopsis:
Oracle Linux 5.x Packages match section python is earlier than 0:2.4.3-46.el5_8.2 AND python-devel is earlier than 0:2.4.3-46.el5_8.2 AND python-libs is earlier than 0:2.4.3-46.el5_8.2 AND python-tools is earlier than 0:2.4.3-46.el5_8.2 AND tkinter is earlier than 0:2.4.3-46.el5_8.2

Definition Id: oval:org.mitre.oval:def:27651

Oval ID:	oval:org.mitre.oval:def:27651
Title:	DEPRECATED: ELSA-2012-0744 -- python security update (moderate)
Description:	[2.6.6-29.el6_2.2] - if hash randomization is enabled, also enable it within pyexpat Resolves: CVE-2012-0876 [2.6.6-29.el6_2.1] - distutils.config: create ~/.pypirc securely Resolves: CVE-2011-4944 - fix endless loop in SimpleXMLRPCServer upon malformed POST request Resolves: CVE-2012-0845 - send encoding in SimpleHTTPServer.list_directory to protect IE7 against potential XSS attacks Resolves: CVE-2011-4940 - oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types Resolves: CVE-2012-1150
Family:	unix	Class:	patch
Reference(s):	ELSA-2012-0744 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	python
Definition Synopsis:
Oracle Linux 6.x Packages match section python is earlier than 0:2.6.6-29.el6_2.2 AND python-devel is earlier than 0:2.6.6-29.el6_2.2 AND python-libs is earlier than 0:2.6.6-29.el6_2.2 AND python-test is earlier than 0:2.6.6-29.el6_2.2 AND python-tools is earlier than 0:2.6.6-29.el6_2.2 AND tkinter is earlier than 0:2.6.6-29.el6_2.2

Definition Id: oval:org.mitre.oval:def:28032

Oval ID:	oval:org.mitre.oval:def:28032
Title:	DEPRECATED: ELSA-2011-0554 -- python security, bug fix, and enhancement update (moderate)
Description:	python: [2.6.6-20] Resolves: CVE-2010-3493
Family:	unix	Class:	patch
Reference(s):	ELSA-2011-0554 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	python python-docs
Definition Synopsis:
Oracle Linux 6.x Packages match section python is earlier than 0:2.6.6-20.el6 AND python-docs is earlier than 0:2.6.6-2.el6 AND python-devel is earlier than 0:2.6.6-20.el6 AND python-libs is earlier than 0:2.6.6-20.el6 AND python-test is earlier than 0:2.6.6-20.el6 AND python-tools is earlier than 0:2.6.6-20.el6 AND tkinter is earlier than 0:2.6.6-20.el6

Definition Id: oval:org.mitre.oval:def:28060

Oval ID:	oval:org.mitre.oval:def:28060
Title:	DEPRECATED: ELSA-2011-0492 -- python security update (moderate)
Description:	[2.4.3-44] - add patch adapted from upstream (patch 208) to add support for building against system expat; add --with-system-expat to configure invocation; remove embedded copy of expat-1.95.8 from the source tree during prep - ensure pyexpat.so gets built by explicitly listing all C modules in the payload in %files, rather than using dynfiles Resolves: CVE-2009-3720 - backport three security fixes to 2.4 (patches 209, 210, 211): Resolves: CVE-2011-1521 Resolves: CVE-2011-1015 Resolves: CVE-2010-3493
Family:	unix	Class:	patch
Reference(s):	ELSA-2011-0492 CVE-2009-3720 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	python
Definition Synopsis:
Oracle Linux 5.x Packages match section python is earlier than 0:2.4.3-44.el5 AND python-devel is earlier than 0:2.4.3-44.el5 AND python-libs is earlier than 0:2.4.3-44.el5 AND python-tools is earlier than 0:2.4.3-44.el5 AND tkinter is earlier than 0:2.4.3-44.el5

CPE : Common Platform Enumeration

Type	Description	Count
Application	Python cpe:2.3:a:python:python:3.2.2150:::::::* cpe:2.3:a:python:python:3.2:-:::::: cpe:2.3:a:python:python:3.2:alpha:::::: cpe:2.3:a:python:python:3.1.5:-:::::: cpe:2.3:a:python:python:3.1.4:-:::::: cpe:2.3:a:python:python:3.1.3:-:::::: cpe:2.3:a:python:python:3.1.2150::::::x64: cpe:2.3:a:python:python:3.1.2:-:::::: cpe:2.3:a:python:python:3.1.1:-:::::: cpe:2.3:a:python:python:3.1:-:::::: cpe:2.3:a:python:python:3.0.1:::::::* cpe:2.3:a:python:python:3.0:-:::::: cpe:2.3:a:python:python:2.7.3:-:::::: cpe:2.3:a:python:python:2.7.2150:::::::* cpe:2.3:a:python:python:2.7.2:rc1:::::: cpe:2.3:a:python:python:2.7.1150:::::::* cpe:2.3:a:python:python:2.7.1150::::::x64: cpe:2.3:a:python:python:2.7.1:-:::::: cpe:2.3:a:python:python:2.7.1:rc1:::::: cpe:2.3:a:python:python:2.6.8:::::::* cpe:2.3:a:python:python:2.6.7:::::::* cpe:2.3:a:python:python:2.6.6150:::::::* cpe:2.3:a:python:python:2.6.6:::::::* cpe:2.3:a:python:python:2.6.5:::::::* cpe:2.3:a:python:python:2.6.4:::::::* cpe:2.3:a:python:python:2.6.3:::::::* cpe:2.3:a:python:python:2.6.2150:::::::* cpe:2.3:a:python:python:2.6.2:::::::* cpe:2.3:a:python:python:2.6.1:::::::* cpe:2.3:a:python:python:2.6.0:::::::* cpe:2.3:a:python:python:2.5.6:::::::* cpe:2.3:a:python:python:2.5.5:::::::* cpe:2.3:a:python:python:2.5.4:::::::* cpe:2.3:a:python:python:2.5.3:::::::* cpe:2.3:a:python:python:2.5.2:::::::* cpe:2.3:a:python:python:2.5.150:::::::* cpe:2.3:a:python:python:2.5.1:::::::* cpe:2.3:a:python:python:2.5.0:::::::* cpe:2.3:a:python:python:2.4.6:::::::* cpe:2.3:a:python:python:2.4.5:::::::* cpe:2.3:a:python:python:2.4.4:::::::* cpe:2.3:a:python:python:2.4.3:::::::* cpe:2.3:a:python:python:2.4.2:::::::* cpe:2.3:a:python:python:2.4.1:::::::* cpe:2.3:a:python:python:2.4.0:::::::* cpe:2.3:a:python:python:2.3.7:::::::* cpe:2.3:a:python:python:2.3.6:::::::* cpe:2.3:a:python:python:2.3.5:::::::* cpe:2.3:a:python:python:2.3.4:::::::* cpe:2.3:a:python:python:2.3.3:::::::* cpe:2.3:a:python:python:2.3.2:::::::* cpe:2.3:a:python:python:2.3.1:::::::* cpe:2.3:a:python:python:2.3.0:::::::* cpe:2.3:a:python:python:2.2.3:::::::* cpe:2.3:a:python:python:2.2.2:::::::* cpe:2.3:a:python:python:2.2.1:::::::* cpe:2.3:a:python:python:2.2.0:::::::* cpe:2.3:a:python:python:2.2:::::::* cpe:2.3:a:python:python:2.1.3:::::::* cpe:2.3:a:python:python:2.1.2:::::::* cpe:2.3:a:python:python:2.1.1:::::::* cpe:2.3:a:python:python:2.1:::::::* cpe:2.3:a:python:python:2.0.1:::::::* cpe:2.3:a:python:python:2.0:::::::* cpe:2.3:a:python:python:1.6.1:::::::* cpe:2.3:a:python:python:1.6:::::::* cpe:2.3:a:python:python:1.5.2:::::::* cpe:2.3:a:python:python:1.3:::::::* cpe:2.3:a:python:python:1.2:::::::* cpe:2.3:a:python:python:0.9.1:::::::* cpe:2.3:a:python:python:0.9.0:::::::* cpe:2.3:a:python:python:::::::: cpe:2.3:a:python:python:-:::::::*	73

OpenVAS Exploits

Date	Description
2012-11-16	Name : VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console File : nvt/gb_VMSA-2012-0016.nasl
2012-10-26	Name : Ubuntu Update for python3.1 USN-1616-1 File : nvt/gb_ubuntu_USN_1616_1.nasl
2012-10-26	Name : Ubuntu Update for python3.2 USN-1615-1 File : nvt/gb_ubuntu_USN_1615_1.nasl
2012-10-19	Name : Ubuntu Update for python2.4 USN-1613-2 File : nvt/gb_ubuntu_USN_1613_2.nasl
2012-10-19	Name : Ubuntu Update for python2.5 USN-1613-1 File : nvt/gb_ubuntu_USN_1613_1.nasl
2012-10-05	Name : Ubuntu Update for python2.6 USN-1596-1 File : nvt/gb_ubuntu_USN_1596_1.nasl
2012-10-03	Name : Ubuntu Update for python2.7 USN-1592-1 File : nvt/gb_ubuntu_USN_1592_1.nasl
2012-08-30	Name : Fedora Update for python FEDORA-2012-5892 File : nvt/gb_fedora_2012_5892_python_fc17.nasl
2012-08-30	Name : Fedora Update for python-docs FEDORA-2012-5892 File : nvt/gb_fedora_2012_5892_python-docs_fc17.nasl
2012-08-30	Name : Fedora Update for python3 FEDORA-2012-5785 File : nvt/gb_fedora_2012_5785_python3_fc17.nasl
2012-07-30	Name : CentOS Update for python CESA-2012:0745 centos5 File : nvt/gb_CESA-2012_0745_python_centos5.nasl
2012-07-30	Name : CentOS Update for python CESA-2011:0491 centos4 x86_64 File : nvt/gb_CESA-2011_0491_python_centos4_x86_64.nasl
2012-07-30	Name : CentOS Update for python CESA-2011:0492 centos5 x86_64 File : nvt/gb_CESA-2011_0492_python_centos5_x86_64.nasl
2012-07-30	Name : CentOS Update for python CESA-2012:0744 centos6 File : nvt/gb_CESA-2012_0744_python_centos6.nasl
2012-06-22	Name : Mandriva Update for python MDVSA-2012:097 (python) File : nvt/gb_mandriva_MDVSA_2012_097.nasl
2012-06-22	Name : Mandriva Update for python MDVSA-2012:096 (python) File : nvt/gb_mandriva_MDVSA_2012_096.nasl
2012-06-22	Name : Fedora Update for python3 FEDORA-2012-9135 File : nvt/gb_fedora_2012_9135_python3_fc16.nasl
2012-06-19	Name : RedHat Update for python RHSA-2012:0745-01 File : nvt/gb_RHSA-2012_0745-01_python.nasl
2012-06-19	Name : RedHat Update for python RHSA-2012:0744-01 File : nvt/gb_RHSA-2012_0744-01_python.nasl
2012-06-06	Name : RedHat Update for python RHSA-2011:0554-01 File : nvt/gb_RHSA-2011_0554-01_python.nasl
2012-05-08	Name : Fedora Update for python-docs FEDORA-2012-5924 File : nvt/gb_fedora_2012_5924_python-docs_fc16.nasl
2012-05-08	Name : Fedora Update for python FEDORA-2012-5924 File : nvt/gb_fedora_2012_5924_python_fc16.nasl
2012-05-04	Name : Fedora Update for python3 FEDORA-2012-5916 File : nvt/gb_fedora_2012_5916_python3_fc15.nasl
2012-03-15	Name : VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Ser... File : nvt/gb_VMSA-2012-0001.nasl
2012-03-12	Name : FreeBSD Ports: python32 File : nvt/freebsd_python32.nasl
2011-12-23	Name : Ubuntu Update for python3.1 USN-1314-1 File : nvt/gb_ubuntu_USN_1314_1.nasl
2011-10-20	Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-006) File : nvt/gb_macosx_su11-006.nasl
2011-08-09	Name : CentOS Update for python CESA-2011:0492 centos5 i386 File : nvt/gb_CESA-2011_0492_python_centos5_i386.nasl
2011-08-09	Name : CentOS Update for python CESA-2011:0491 centos4 i386 File : nvt/gb_CESA-2011_0491_python_centos4_i386.nasl
2011-06-07	Name : Python Multiple Vulnerabilities (Windows) File : nvt/gb_python_mult_vuln_win.nasl
2011-05-23	Name : Mandriva Update for python MDVSA-2011:096 (python) File : nvt/gb_mandriva_MDVSA_2011_096.nasl
2011-05-06	Name : RedHat Update for python RHSA-2011:0491-01 File : nvt/gb_RHSA-2011_0491-01_python.nasl
2011-05-06	Name : RedHat Update for python RHSA-2011:0492-01 File : nvt/gb_RHSA-2011_0492-01_python.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
71330	Python urllib.request file:// URL Handler Redirect Issue Python contains a flaw related to the urllib/urlib2 redirect handling allowing file:// URL schemes. This may allow a remote attacker to use a crafted HTTP redirect response to disclose sensitive information or cause a denial of service via resource consumption.

Information Assurance Vulnerability Management (IAVM)

Date	Description
2012-11-29	IAVM : 2012-A-0189 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0035032
2012-02-02	IAVM : 2012-A-0020 - Multiple Vulnerabilities in VMware ESX 4.1 and ESXi 4.1 Severity : Category I - VMSKEY : V0031252

Nessus® Vulnerability Scanner

Date	Description
2016-03-03	Name : The remote VMware ESXi / ESX host is missing a security-related patch. File : vmware_VMSA-2012-0001_remote.nasl - Type : ACT_GATHER_INFO
2016-02-29	Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0016_remote.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_python_20130410.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-302.nasl - Type : ACT_GATHER_INFO
2014-01-07	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-04.nasl - Type : ACT_GATHER_INFO
2013-11-13	Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities. File : vmware_esxi_5_0_build_608089_remote.nasl - Type : ACT_GATHER_INFO
2013-10-23	Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_9.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-81.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-80.nasl - Type : ACT_GATHER_INFO
2013-09-04	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-98.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0745.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0744.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0492.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0491.nasl - Type : ACT_GATHER_INFO
2013-04-20	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-117.nasl - Type : ACT_GATHER_INFO
2013-01-25	Name : The remote SuSE 11 host is missing a security update. File : suse_11_apache2-mod_python-120503.nasl - Type : ACT_GATHER_INFO
2013-01-25	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120517.nasl - Type : ACT_GATHER_INFO
2013-01-25	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120516.nasl - Type : ACT_GATHER_INFO
2012-11-16	Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0016.nasl - Type : ACT_GATHER_INFO
2012-10-25	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1616-1.nasl - Type : ACT_GATHER_INFO
2012-10-24	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1615-1.nasl - Type : ACT_GATHER_INFO
2012-10-18	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-1.nasl - Type : ACT_GATHER_INFO
2012-10-18	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-2.nasl - Type : ACT_GATHER_INFO
2012-10-05	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1596-1.nasl - Type : ACT_GATHER_INFO
2012-10-03	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1592-1.nasl - Type : ACT_GATHER_INFO
2012-09-06	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-097.nasl - Type : ACT_GATHER_INFO
2012-08-14	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-mod_python-8127.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120618_python_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120618_python_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110519_python_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110505_python_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-06-21	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-096.nasl - Type : ACT_GATHER_INFO
2012-06-20	Name : The remote Fedora host is missing a security update. File : fedora_2012-9135.nasl - Type : ACT_GATHER_INFO
2012-06-20	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0744.nasl - Type : ACT_GATHER_INFO
2012-06-19	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0745.nasl - Type : ACT_GATHER_INFO
2012-06-19	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0744.nasl - Type : ACT_GATHER_INFO
2012-06-19	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0745.nasl - Type : ACT_GATHER_INFO
2012-05-07	Name : The remote Fedora host is missing a security update. File : fedora_2012-5785.nasl - Type : ACT_GATHER_INFO
2012-05-07	Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-5924.nasl - Type : ACT_GATHER_INFO
2012-05-04	Name : The remote Fedora host is missing a security update. File : fedora_2012-5916.nasl - Type : ACT_GATHER_INFO
2012-05-02	Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-5892.nasl - Type : ACT_GATHER_INFO
2012-02-14	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_b4f8be9e56b211e19fb7003067b2972c.nasl - Type : ACT_GATHER_INFO
2012-01-31	Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0001.nasl - Type : ACT_GATHER_INFO
2011-12-20	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1314-1.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-7506.nasl - Type : ACT_GATHER_INFO
2011-10-13	Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_7_2.nasl - Type : ACT_GATHER_INFO
2011-10-13	Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2011-006.nasl - Type : ACT_GATHER_INFO
2011-05-25	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_python-7509.nasl - Type : ACT_GATHER_INFO
2011-05-25	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO
2011-05-23	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-096.nasl - Type : ACT_GATHER_INFO
2011-05-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0554.nasl - Type : ACT_GATHER_INFO
2011-05-13	Name : The remote openSUSE host is missing a security update. File : suse_11_2_libpython2_6-1_0-110506.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0492.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0491.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0492.nasl - Type : ACT_GATHER_INFO
2011-05-06	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0491.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:00:50	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	5
Oval ID(s)	19
CPE ID(s)	73
osvdb(s)	1
Openvas Exploit(s)	33
IAVM(s)	2
Nessus® Exploit(s)	59

	Related
6.4	CVE-2011-1521
5	CVE-2012-1150
5	CVE-2012-0845
2.6	CVE-2011-4940
1.9	CVE-2011-4944
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)