Rapid7 Vulnerability & Exploit Database

RHSA-2011:0554: python security, bug fix, and enhancement update

Back to Search

RHSA-2011:0554: python security, bug fix, and enhancement update

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
Published
05/24/2011
Created
07/25/2018
Added
06/02/2011
Modified
07/04/2017

Description

Python is an interpreted, interactive, object-oriented programminglanguage.A flaw was found in the Python urllib and urllib2 libraries where theywould not differentiate between different target URLs when handlingautomatic redirects. This caused Python applications using these modules tofollow any new URL that they understood, including the "file://" URL type.This could allow a remote server to force a local Python application toread a local file instead of the remote one, possibly exposing local filesthat were not meant to be exposed. (CVE-2011-1521)A race condition was found in the way the Python smtpd module handled newconnections. A remote user could use this flaw to cause a Python scriptusing the smtpd module to terminate. (CVE-2010-3493)An information disclosure flaw was found in the way the PythonCGIHTTPServer module processed certain HTTP GET requests. A remote attackercould use a specially-crafted request to obtain the CGI script's sourcecode. (CVE-2011-1015)This erratum also upgrades Python to upstream version 2.6.6, and includes anumber of bug fixes and enhancements. Documentation for these bug fixesand enhancements is available from the Technical Notes document, linked toin the References section.All users of Python are advised to upgrade to these updated packages, whichcorrect these issues, and fix the bugs and add the enhancements noted inthe Technical Notes.

Solution(s)

  • redhat-upgrade-python
  • redhat-upgrade-python-debuginfo
  • redhat-upgrade-python-devel
  • redhat-upgrade-python-docs
  • redhat-upgrade-python-libs
  • redhat-upgrade-python-test
  • redhat-upgrade-python-tools
  • redhat-upgrade-tkinter

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;