Rapid7 Vulnerability & Exploit Database

RHSA-2011:0491: python security update

Back to Search

RHSA-2011:0491: python security update

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
Published
05/24/2011
Created
07/25/2018
Added
05/24/2011
Modified
07/04/2017

Description

Python is an interpreted, interactive, object-oriented programminglanguage.A flaw was found in the Python urllib and urllib2 libraries where theywould not differentiate between different target URLs when handlingautomatic redirects. This caused Python applications using these modules tofollow any new URL that they understood, including the "file://" URL type.This could allow a remote server to force a local Python application toread a local file instead of the remote one, possibly exposing local filesthat were not meant to be exposed. (CVE-2011-1521)Multiple flaws were found in the Python audioop module. Supplying certaininputs could cause the audioop module to crash or, possibly, executearbitrary code. (CVE-2010-1634, CVE-2010-2089)A race condition was found in the way the Python smtpd module handled newconnections. A remote user could use this flaw to cause a Python scriptusing the smtpd module to terminate. (CVE-2010-3493)An information disclosure flaw was found in the way the PythonCGIHTTPServer module processed certain HTTP GET requests. A remote attackercould use a specially-crafted request to obtain the CGI script's sourcecode. (CVE-2011-1015)A buffer over-read flaw was found in the way the Python Expat parserhandled malformed UTF-8 sequences when processing XML files. Aspecially-crafted XML file could cause Python applications using the PythonExpat parser to crash while parsing the file. (CVE-2009-3720)This update makes Python use the system Expat library rather than its owninternal copy; therefore, users must have the version of Expat shipped withRHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720issue.All Python users should upgrade to these updated packages, which containbackported patches to correct these issues.

Solution(s)

  • redhat-upgrade-python
  • redhat-upgrade-python-devel
  • redhat-upgrade-python-docs
  • redhat-upgrade-python-tools
  • redhat-upgrade-tkinter

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;