Executive Summary
Summary | |
---|---|
Title | Python 3.2 vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1615-1 | First vendor Publication | 2012-10-23 |
Vendor | Ubuntu | Last vendor Modification | 2012-10-23 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 Summary: Several security issues were fixed in Python 3.2. Software Description: - python3.2: Interactive high-level object-oriented language (version 3.2) Details: It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This updates adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2012-1150) Serhiy Storchaka discovered that the UTF16 decoder in Python did not properly reset internal variables after error handling. An attacker could exploit this to cause a denial of service via memory corruption. This issue did not affect Ubuntu 12.10. (CVE-2012-2135) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.10: Ubuntu 12.04 LTS: Ubuntu 11.10: Ubuntu 11.04: In general, a standard system update will make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1615-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-399 | Resource Management Errors |
33 % | CWE-310 | Cryptographic Issues |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17837 | |||
Oval ID: | oval:org.mitre.oval:def:17837 | ||
Title: | USN-1615-1 -- python3.2 vulnerabilities | ||
Description: | Several security issues were fixed in Python 3.2. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1615-1 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2012-2135 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 | Product(s): | python3.2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17941 | |||
Oval ID: | oval:org.mitre.oval:def:17941 | ||
Title: | USN-1616-1 -- python3.1 vulnerabilities | ||
Description: | Several security issues were fixed in Python 3.1. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1616-1 CVE-2008-5983 CVE-2010-1634 CVE-2010-2089 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2012-2135 | Version: | 7 |
Platform(s): | Ubuntu 11.04 Ubuntu 10.04 | Product(s): | python3.1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17976 | |||
Oval ID: | oval:org.mitre.oval:def:17976 | ||
Title: | USN-1592-1 -- python2.7 vulnerabilities | ||
Description: | Several security issues were fixed in Python 2.7. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1592-1 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 | Version: | 7 |
Platform(s): | Ubuntu 11.10 Ubuntu 11.04 | Product(s): | python2.7 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18043 | |||
Oval ID: | oval:org.mitre.oval:def:18043 | ||
Title: | USN-1596-1 -- python2.6 vulnerabilities | ||
Description: | Several security issues were fixed in Python 2.6. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1596-1 CVE-2008-5983 CVE-2010-1634 CVE-2010-2089 CVE-2010-3493 CVE-2011-1015 CVE-2011-1521 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 | Version: | 7 |
Platform(s): | Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 | Product(s): | python2.6 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19784 | |||
Oval ID: | oval:org.mitre.oval:def:19784 | ||
Title: | VMware security updates for vSphere API and ESX Service Console | ||
Description: | Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-4944 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20677 | |||
Oval ID: | oval:org.mitre.oval:def:20677 | ||
Title: | VMware security updates for vSphere API and ESX Service Console | ||
Description: | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-1150 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21287 | |||
Oval ID: | oval:org.mitre.oval:def:21287 | ||
Title: | RHSA-2012:0745: python security update (Moderate) | ||
Description: | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0745-00 CESA-2012:0745 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21389 | |||
Oval ID: | oval:org.mitre.oval:def:21389 | ||
Title: | RHSA-2012:0744: python security update (Moderate) | ||
Description: | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0744-01 CESA-2012:0744 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 | Version: | 55 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23066 | |||
Oval ID: | oval:org.mitre.oval:def:23066 | ||
Title: | ELSA-2012:0745: python security update (Moderate) | ||
Description: | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0745-00 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | python |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23753 | |||
Oval ID: | oval:org.mitre.oval:def:23753 | ||
Title: | ELSA-2012:0744: python security update (Moderate) | ||
Description: | Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0744-01 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 | Version: | 21 |
Platform(s): | Oracle Linux 6 | Product(s): | python |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27594 | |||
Oval ID: | oval:org.mitre.oval:def:27594 | ||
Title: | DEPRECATED: ELSA-2012-0745 -- python security update (moderate) | ||
Description: | [2.4.3-46.el5_8.2] - if hash randomization is enabled, also enable it within pyexpat Resolves: CVE-2012-0876 [2.4.3-46.el5_8.1] - distutils.commands.register: create ~/.pypirc securely Resolves: CVE-2011-4944 - send encoding in SimpleHTTPServer.list_directory to protect IE7 against potential XSS attacks Resolves: CVE-2011-4940 - oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types Resolves: CVE-2012-1150 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0745 CVE-2011-4940 CVE-2011-4944 CVE-2012-1150 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | python |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27651 | |||
Oval ID: | oval:org.mitre.oval:def:27651 | ||
Title: | DEPRECATED: ELSA-2012-0744 -- python security update (moderate) | ||
Description: | [2.6.6-29.el6_2.2] - if hash randomization is enabled, also enable it within pyexpat Resolves: CVE-2012-0876 [2.6.6-29.el6_2.1] - distutils.config: create ~/.pypirc securely Resolves: CVE-2011-4944 - fix endless loop in SimpleXMLRPCServer upon malformed POST request Resolves: CVE-2012-0845 - send encoding in SimpleHTTPServer.list_directory to protect IE7 against potential XSS attacks Resolves: CVE-2011-4940 - oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types Resolves: CVE-2012-1150 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0744 CVE-2011-4940 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | python |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-11-16 | Name : VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console File : nvt/gb_VMSA-2012-0016.nasl |
2012-10-26 | Name : Ubuntu Update for python3.1 USN-1616-1 File : nvt/gb_ubuntu_USN_1616_1.nasl |
2012-10-26 | Name : Ubuntu Update for python3.2 USN-1615-1 File : nvt/gb_ubuntu_USN_1615_1.nasl |
2012-10-19 | Name : Ubuntu Update for python2.4 USN-1613-2 File : nvt/gb_ubuntu_USN_1613_2.nasl |
2012-10-19 | Name : Ubuntu Update for python2.5 USN-1613-1 File : nvt/gb_ubuntu_USN_1613_1.nasl |
2012-10-05 | Name : Ubuntu Update for python2.6 USN-1596-1 File : nvt/gb_ubuntu_USN_1596_1.nasl |
2012-10-03 | Name : Ubuntu Update for python2.7 USN-1592-1 File : nvt/gb_ubuntu_USN_1592_1.nasl |
2012-08-30 | Name : Fedora Update for python3 FEDORA-2012-5785 File : nvt/gb_fedora_2012_5785_python3_fc17.nasl |
2012-08-30 | Name : Fedora Update for python-docs FEDORA-2012-5892 File : nvt/gb_fedora_2012_5892_python-docs_fc17.nasl |
2012-08-30 | Name : Fedora Update for python FEDORA-2012-5892 File : nvt/gb_fedora_2012_5892_python_fc17.nasl |
2012-07-30 | Name : CentOS Update for python CESA-2012:0744 centos6 File : nvt/gb_CESA-2012_0744_python_centos6.nasl |
2012-07-30 | Name : CentOS Update for python CESA-2012:0745 centos5 File : nvt/gb_CESA-2012_0745_python_centos5.nasl |
2012-06-22 | Name : Fedora Update for python3 FEDORA-2012-9135 File : nvt/gb_fedora_2012_9135_python3_fc16.nasl |
2012-06-22 | Name : Mandriva Update for python MDVSA-2012:096 (python) File : nvt/gb_mandriva_MDVSA_2012_096.nasl |
2012-06-22 | Name : Mandriva Update for python MDVSA-2012:097 (python) File : nvt/gb_mandriva_MDVSA_2012_097.nasl |
2012-06-19 | Name : RedHat Update for python RHSA-2012:0745-01 File : nvt/gb_RHSA-2012_0745-01_python.nasl |
2012-06-19 | Name : RedHat Update for python RHSA-2012:0744-01 File : nvt/gb_RHSA-2012_0744-01_python.nasl |
2012-05-08 | Name : Fedora Update for python FEDORA-2012-5924 File : nvt/gb_fedora_2012_5924_python_fc16.nasl |
2012-05-08 | Name : Fedora Update for python-docs FEDORA-2012-5924 File : nvt/gb_fedora_2012_5924_python-docs_fc16.nasl |
2012-05-04 | Name : Fedora Update for python3 FEDORA-2012-5916 File : nvt/gb_fedora_2012_5916_python3_fc15.nasl |
2012-03-12 | Name : FreeBSD Ports: python32 File : nvt/freebsd_python32.nasl |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-11-29 | IAVM : 2012-A-0189 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0035032 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0016_remote.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_python_20130410.nasl - Type : ACT_GATHER_INFO |
2014-12-12 | Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-380.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-302.nasl - Type : ACT_GATHER_INFO |
2014-01-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-04.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_9.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-81.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-80.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-98.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0745.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0744.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-117.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120516.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_python-randomisation-update-120517.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_apache2-mod_python-120503.nasl - Type : ACT_GATHER_INFO |
2012-11-16 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0016.nasl - Type : ACT_GATHER_INFO |
2012-10-25 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1616-1.nasl - Type : ACT_GATHER_INFO |
2012-10-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1615-1.nasl - Type : ACT_GATHER_INFO |
2012-10-18 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-2.nasl - Type : ACT_GATHER_INFO |
2012-10-18 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1613-1.nasl - Type : ACT_GATHER_INFO |
2012-10-05 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1596-1.nasl - Type : ACT_GATHER_INFO |
2012-10-03 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1592-1.nasl - Type : ACT_GATHER_INFO |
2012-09-06 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-097.nasl - Type : ACT_GATHER_INFO |
2012-08-14 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-mod_python-8127.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120618_python_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120618_python_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-06-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-096.nasl - Type : ACT_GATHER_INFO |
2012-06-20 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0744.nasl - Type : ACT_GATHER_INFO |
2012-06-20 | Name : The remote Fedora host is missing a security update. File : fedora_2012-9135.nasl - Type : ACT_GATHER_INFO |
2012-06-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0745.nasl - Type : ACT_GATHER_INFO |
2012-06-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0744.nasl - Type : ACT_GATHER_INFO |
2012-06-19 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0745.nasl - Type : ACT_GATHER_INFO |
2012-05-07 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-5924.nasl - Type : ACT_GATHER_INFO |
2012-05-07 | Name : The remote Fedora host is missing a security update. File : fedora_2012-5785.nasl - Type : ACT_GATHER_INFO |
2012-05-04 | Name : The remote Fedora host is missing a security update. File : fedora_2012-5916.nasl - Type : ACT_GATHER_INFO |
2012-05-02 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2012-5892.nasl - Type : ACT_GATHER_INFO |
2012-02-14 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_b4f8be9e56b211e19fb7003067b2972c.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:00:59 |
|