Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2015:075 | First vendor Publication | 2015-03-27 |
Vendor | Mandriva | Last vendor Modification | 2015-03-27 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Updated python packages fix security vulnerabilities: A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912). This updates the python package to version 2.7.6, which fixes several other bugs, including denial of service flaws due to unbound readline() calls in the ftplib and nntplib modules (CVE-2013-1752). Denial of service flaws due to unbound readline() calls in the imaplib, poplib, and smtplib modules (CVE-2013-1752). A gzip bomb and unbound read denial of service flaw in python XMLRPC library (CVE-2013-1753). Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616). The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root (CVE-2014-4650). Python before 2.7.8 is vulnerable to an integer overflow in the buffer type (CVE-2014-7185). When Python's standard library HTTP clients (httplib, urllib, urllib2, xmlrpclib) are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against the requested host. It was possible to configure a trust root to be checked against, however there were no faculties for hostname checking (CVE-2014-9365). The python-pip and tix packages was added due to missing build dependencies. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:075 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
33 % | CWE-129 | Improper Validation of Array Index |
33 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:23923 | |||
Oval ID: | oval:org.mitre.oval:def:23923 | ||
Title: | USN-2125-1 -- python2.6, python2.7, python3.2, python3.3 vulnerability | ||
Description: | Python could be made to crash or run programs if it received specially crafted network traffic. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2125-1 CVE-2014-1912 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | python2.7 python3.3 python3.2 python2.6 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28365 | |||
Oval ID: | oval:org.mitre.oval:def:28365 | ||
Title: | SUSE-SU-2014:1518-1 -- Security update for Python (moderate) | ||
Description: | Python was updated to fix one security issue: * Potential wraparound/overflow in buffer() (CVE-2014-7185) As an additional hardening measure SSLv2 has been disabled (bnc#901715). Security Issues: * CVE-2014-7185 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1518-1 CVE-2014-7185 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | Python |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2014-02-24 | Python socket.recvfrom_into() - Remote Buffer Overflow |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-08-20 | IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X Severity : Category I - VMSKEY : V0061337 |
2014-12-11 | IAVM : 2014-B-0161 - Multiple Vulnerabilities in VMware ESXi 5.1 Severity : Category I - VMSKEY : V0057717 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-03-29 | Python socket.recvfrom_into remote buffer overflow attempt RuleID : 29968 - Revision : 3 - Type : SERVER-OTHER |
2014-03-29 | Python socket.recvfrom_into remote buffer overflow attempt RuleID : 29967 - Revision : 3 - Type : SERVER-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-09-08 | Name : The remote EulerOS host is missing a security update. File : EulerOS_SA-2017-1186.nasl - Type : ACT_GATHER_INFO |
2017-09-08 | Name : The remote EulerOS host is missing a security update. File : EulerOS_SA-2017-1185.nasl - Type : ACT_GATHER_INFO |
2017-08-25 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2017-1868.nasl - Type : ACT_GATHER_INFO |
2017-08-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20170801_python_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2017-08-09 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2017-1868.nasl - Type : ACT_GATHER_INFO |
2017-08-02 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-1868.nasl - Type : ACT_GATHER_INFO |
2017-07-24 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL53192206.nasl - Type : ACT_GATHER_INFO |
2017-07-24 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL78825687.nasl - Type : ACT_GATHER_INFO |
2017-07-19 | Name : The remote database server is affected by a remote code execution vulnerability. File : mysql_cluster_7_3_6.nasl - Type : ACT_GATHER_INFO |
2015-12-30 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012_remote.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151119_python_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-12-15 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-621.nasl - Type : ACT_GATHER_INFO |
2015-12-02 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2101.nasl - Type : ACT_GATHER_INFO |
2015-11-24 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2101.nasl - Type : ACT_GATHER_INFO |
2015-11-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2101.nasl - Type : ACT_GATHER_INFO |
2015-08-17 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO |
2015-08-06 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1344-1.nasl - Type : ACT_GATHER_INFO |
2015-08-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150722_python_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2015-07-31 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0098.nasl - Type : ACT_GATHER_INFO |
2015-07-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-1330.nasl - Type : ACT_GATHER_INFO |
2015-07-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-1330.nasl - Type : ACT_GATHER_INFO |
2015-07-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-1330.nasl - Type : ACT_GATHER_INFO |
2015-06-26 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2653-1.nasl - Type : ACT_GATHER_INFO |
2015-06-25 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-552.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1511-1.nasl - Type : ACT_GATHER_INFO |
2015-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2015-6010.nasl - Type : ACT_GATHER_INFO |
2015-04-22 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2015-5938.nasl - Type : ACT_GATHER_INFO |
2015-04-20 | Name : The remote Fedora host is missing a security update. File : fedora_2015-6003.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-076.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-075.nasl - Type : ACT_GATHER_INFO |
2015-03-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201503-10.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_python_20141120.nasl - Type : ACT_GATHER_INFO |
2014-12-12 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO |
2014-12-06 | Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012.nasl - Type : ACT_GATHER_INFO |
2014-11-28 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-2014-11-19-141119.nasl - Type : ACT_GATHER_INFO |
2014-11-14 | Name : The remote Fedora host is missing a security update. File : fedora_2014-14257.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2014-14208.nasl - Type : ACT_GATHER_INFO |
2014-11-10 | Name : The remote Fedora host is missing a security update. File : fedora_2014-14245.nasl - Type : ACT_GATHER_INFO |
2014-11-06 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-440.nasl - Type : ACT_GATHER_INFO |
2014-10-29 | Name : The remote Fedora host is missing a security update. File : fedora_2014-11522.nasl - Type : ACT_GATHER_INFO |
2014-10-22 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-197.nasl - Type : ACT_GATHER_INFO |
2014-10-15 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-588.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-380.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-374.nasl - Type : ACT_GATHER_INFO |
2014-10-01 | Name : The remote Fedora host is missing a security update. File : fedora_2014-11559.nasl - Type : ACT_GATHER_INFO |
2014-07-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-8035.nasl - Type : ACT_GATHER_INFO |
2014-07-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7772.nasl - Type : ACT_GATHER_INFO |
2014-07-14 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-458.nasl - Type : ACT_GATHER_INFO |
2014-07-11 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-135.nasl - Type : ACT_GATHER_INFO |
2014-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7800.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-333.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-213.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-278.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-289.nasl - Type : ACT_GATHER_INFO |
2014-04-29 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-201403-140331.nasl - Type : ACT_GATHER_INFO |
2014-04-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-074.nasl - Type : ACT_GATHER_INFO |
2014-04-04 | Name : The remote host contains an application that is affected by multiple vulnerab... File : macosx_libreoffice_420.nasl - Type : ACT_GATHER_INFO |
2014-04-04 | Name : The remote host contains an application that is affected by multiple vulnerab... File : libreoffice_420.nasl - Type : ACT_GATHER_INFO |
2014-03-18 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2880.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-201402-140224.nasl - Type : ACT_GATHER_INFO |
2014-03-04 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2125-1.nasl - Type : ACT_GATHER_INFO |
2014-03-03 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_8e5e6d42a0fa11e3b09a080027f2d077.nasl - Type : ACT_GATHER_INFO |
2014-03-02 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-293.nasl - Type : ACT_GATHER_INFO |
2014-03-02 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-292.nasl - Type : ACT_GATHER_INFO |
2014-02-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-041.nasl - Type : ACT_GATHER_INFO |
2014-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2418.nasl - Type : ACT_GATHER_INFO |
2014-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2394.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-241.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2019-07-25 12:06:41 |
|
2017-09-08 09:25:10 |
|
2015-03-31 13:29:28 |
|
2015-03-27 21:25:38 |
|