An insecure use of a temporary file has been found in Python. This erratum provides updated Python packages.

[Updated Feb 12 2003] Updated packages for Red Hat Linux 7.3 are available that fix a binary incompatibility change in the original erratum packages that affected redhat-config-users, and that add back the missing python-tools package.

[Updated 16 April 2003] Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

Python is an interpreted, interactive, object-oriented programming language.

Zack Weinberg discovered that os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names. This could allow local users to execute arbitrary code via a symlink attack.

All users should upgrade to these errata packages, which contain a patch to Python 1.5.2 and are not vulnerable to this issue.

Please note that for Red Hat Linux 7.3 we have updated the python2 packages from version 2.2 to version 2.2.2. Red Hat Linux 8.0 shipped a version of Python that already contained a fix for this issue and is therefore not vulnerable.
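
The class of problem described above, shown as an added example that is not taken from this advisory, from os.py or from the errata patch: a check, run inside a private scratch directory, of how three ways of creating a temporary file behave when the chosen name already exists as a symbolic link. The function names, the PID-based file name and the file contents are assumptions constructed for the illustration.

```python
import os
import tempfile


def unsafe_create(path, data):
    """Weak pattern: open() follows a symlink already sitting at `path`."""
    with open(path, "wb") as handle:
        handle.write(data)


def exclusive_create(path, data):
    """O_EXCL: creation fails if anything, even a symlink, exists at `path`."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def random_create(directory, data):
    """mkstemp(): unpredictable name, created with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def run_check():
    """Report how each style behaves when the guessable name is a symlink."""
    result = {}
    with tempfile.TemporaryDirectory() as shared:
        protected = os.path.join(shared, "protected.txt")
        unsafe_create(protected, b"original")
        # Constructed precondition: a PID-based name that is already a symlink.
        name = os.path.join(shared, "tmp-%d" % os.getpid())
        os.symlink(protected, name)

        def intact():
            with open(protected, "rb") as handle:
                return handle.read() == b"original"
        try:
            exclusive_create(name, b"scratch")
            result["exclusive_refused"] = False
        except FileExistsError:
            result["exclusive_refused"] = True
        result["intact_after_exclusive"] = intact()
        result["mkstemp_avoided_name"] = random_create(shared, b"scratch") != name
        result["intact_after_mkstemp"] = intact()
        unsafe_create(name, b"scratch")
        result["intact_after_unsafe"] = intact()
    return result
```

Only the plain open() on the guessable name writes through the link; the exclusive open is refused by the kernel, and mkstemp() never reuses the name.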