Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2015:2101-01] Moderate: python security, bug fix, and enhancement update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: python security, bug fix, and enhancement update

Advisory ID: RHSA-2015:2101-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2101.html

Issue date: 2015-11-19

CVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-4616

CVE-2014-4650 CVE-2014-7185

=====================================================================

 

1. Summary:

 

Updated python packages that fix multiple security issues, several bugs,

and add various enhancements are now available for Red Hat Enterprise

Linux 7.

 

Red Hat Product Security has rated this update as having Moderate security

impact. Common Vulnerability Scoring System (CVSS) base scores, which give

detailed severity ratings, are available for each vulnerability from the

CVE links in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

Python is an interpreted, interactive, object-oriented programming language

often compared to Tcl, Perl, Scheme, or Java. Python includes modules,

classes, exceptions, very high level dynamic data types and dynamic typing.

Python supports interfaces to many system calls and libraries, as well as

to various windowing systems (X11, Motif, Tk, Mac and MFC).

 

It was discovered that the Python xmlrpclib module did not restrict the

size of gzip-compressed HTTP responses. A malicious XMLRPC server could

cause an XMLRPC client using xmlrpclib to consume an excessive amount of

memory. (CVE-2013-1753)

 

It was discovered that multiple Python standard library modules

implementing network protocols (such as httplib or smtplib) failed to

restrict the sizes of server responses. A malicious server could cause a

client using one of the affected modules to consume an excessive amount of

memory. (CVE-2013-1752)

 

It was discovered that the CGIHTTPServer module incorrectly handled URL

encoded paths. A remote attacker could use this flaw to execute scripts

outside of the cgi-bin directory, or disclose the source code of the

scripts in the cgi-bin directory. (CVE-2014-4650)

 

An integer overflow flaw was found in the way the buffer() function handled

its offset and size arguments. An attacker able to control these arguments

could use this flaw to disclose portions of the application memory or cause

it to crash. (CVE-2014-7185)

 

A flaw was found in the way the json module handled negative index

arguments passed to certain functions (such as raw_decode()). An attacker

able to control the index value passed to one of the affected functions

could possibly use this flaw to disclose portions of the application

memory. (CVE-2014-4616)

 

The Python standard library HTTP client modules (such as httplib or urllib)

did not perform verification of TLS/SSL certificates when connecting to

HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack

connections and eavesdrop or modify transferred data. (CVE-2014-9365)

 

Note: The Python standard library was updated to make it possible to enable

certificate verification by default. However, for backwards compatibility,

verification remains disabled by default. Future updates may change this

default. Refer to the Knowledgebase article 2039753 linked to in the

References section for further details about this change. (BZ#1219108)

 

This update also fixes the following bugs:

 

* Subprocesses used with the Eventlet library or regular threads previously

tried to close epoll file descriptors twice, which led to an "Invalid

argument" error. Subprocesses have been fixed to close the file descriptors

only once. (BZ#1103452)

 

* When importing the readline module from a Python script, Python no longer

produces erroneous random characters on stdout. (BZ#1189301)

 

* The cProfile utility has been fixed to print all values that the "-s"

option supports when this option is used without a correct value.

(BZ#1237107)

 

* The load_cert_chain() function now accepts "None" as a keyfile argument.

(BZ#1250611)

 

In addition, this update adds the following enhancements:

 

* Security enhancements as described in PEP 466 have been backported to the

Python standard library, for example, new features of the ssl module:

Server Name Indication (SNI) support, support for new TLSv1.x protocols,

new hash algorithms in the hashlib module, and many more. (BZ#1111461)

 

* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl

library. (BZ#1192015)

 

* The ssl.SSLSocket.version() method is now available to access information

about the version of the SSL protocol used in a connection. (BZ#1259421)

 

All python users are advised to upgrade to these updated packages, which

contain backported patches to correct these issues and add these

enhancements.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding

1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib

1058482 - tmpwatch removes python multiprocessing sockets

1112285 - CVE-2014-4616 python: missing boundary check in JSON module

1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs

1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read

1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)

1177613 - setup.py bdist_rpm NameError: global name 'get_python_version' is not defined

1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv

1237107 - cProfile main() traceback if options syntax is invalid

1250611 - SSLContext.load_cert_chain() keyfile argument can't be set to None

1259421 - Backport SSLSocket.version() to python 2.7.5

 

6. Package List:

 

Red Hat Enterprise Linux Client (v. 7):

 

Source:

python-2.7.5-34.el7.src.rpm

 

x86_64:

python-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.i686.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-libs-2.7.5-34.el7.i686.rpm

python-libs-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

x86_64:

python-debug-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-devel-2.7.5-34.el7.x86_64.rpm

python-test-2.7.5-34.el7.x86_64.rpm

python-tools-2.7.5-34.el7.x86_64.rpm

tkinter-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

python-2.7.5-34.el7.src.rpm

 

x86_64:

python-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.i686.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-devel-2.7.5-34.el7.x86_64.rpm

python-libs-2.7.5-34.el7.i686.rpm

python-libs-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

x86_64:

python-debug-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-test-2.7.5-34.el7.x86_64.rpm

python-tools-2.7.5-34.el7.x86_64.rpm

tkinter-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

python-2.7.5-34.el7.src.rpm

 

aarch64:

python-2.7.5-34.el7.aarch64.rpm

python-debuginfo-2.7.5-34.el7.aarch64.rpm

python-devel-2.7.5-34.el7.aarch64.rpm

python-libs-2.7.5-34.el7.aarch64.rpm

 

ppc64:

python-2.7.5-34.el7.ppc64.rpm

python-debuginfo-2.7.5-34.el7.ppc.rpm

python-debuginfo-2.7.5-34.el7.ppc64.rpm

python-devel-2.7.5-34.el7.ppc64.rpm

python-libs-2.7.5-34.el7.ppc.rpm

python-libs-2.7.5-34.el7.ppc64.rpm

 

ppc64le:

python-2.7.5-34.el7.ppc64le.rpm

python-debuginfo-2.7.5-34.el7.ppc64le.rpm

python-devel-2.7.5-34.el7.ppc64le.rpm

python-libs-2.7.5-34.el7.ppc64le.rpm

 

s390x:

python-2.7.5-34.el7.s390x.rpm

python-debuginfo-2.7.5-34.el7.s390.rpm

python-debuginfo-2.7.5-34.el7.s390x.rpm

python-devel-2.7.5-34.el7.s390x.rpm

python-libs-2.7.5-34.el7.s390.rpm

python-libs-2.7.5-34.el7.s390x.rpm

 

x86_64:

python-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.i686.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-devel-2.7.5-34.el7.x86_64.rpm

python-libs-2.7.5-34.el7.i686.rpm

python-libs-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

aarch64:

python-debug-2.7.5-34.el7.aarch64.rpm

python-debuginfo-2.7.5-34.el7.aarch64.rpm

python-test-2.7.5-34.el7.aarch64.rpm

python-tools-2.7.5-34.el7.aarch64.rpm

tkinter-2.7.5-34.el7.aarch64.rpm

 

ppc64:

python-debug-2.7.5-34.el7.ppc64.rpm

python-debuginfo-2.7.5-34.el7.ppc64.rpm

python-test-2.7.5-34.el7.ppc64.rpm

python-tools-2.7.5-34.el7.ppc64.rpm

tkinter-2.7.5-34.el7.ppc64.rpm

 

ppc64le:

python-debug-2.7.5-34.el7.ppc64le.rpm

python-debuginfo-2.7.5-34.el7.ppc64le.rpm

python-test-2.7.5-34.el7.ppc64le.rpm

python-tools-2.7.5-34.el7.ppc64le.rpm

tkinter-2.7.5-34.el7.ppc64le.rpm

 

s390x:

python-debug-2.7.5-34.el7.s390x.rpm

python-debuginfo-2.7.5-34.el7.s390x.rpm

python-test-2.7.5-34.el7.s390x.rpm

python-tools-2.7.5-34.el7.s390x.rpm

tkinter-2.7.5-34.el7.s390x.rpm

 

x86_64:

python-debug-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-test-2.7.5-34.el7.x86_64.rpm

python-tools-2.7.5-34.el7.x86_64.rpm

tkinter-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

python-2.7.5-34.el7.src.rpm

 

x86_64:

python-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.i686.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-devel-2.7.5-34.el7.x86_64.rpm

python-libs-2.7.5-34.el7.i686.rpm

python-libs-2.7.5-34.el7.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

python-debug-2.7.5-34.el7.x86_64.rpm

python-debuginfo-2.7.5-34.el7.x86_64.rpm

python-test-2.7.5-34.el7.x86_64.rpm

python-tools-2.7.5-34.el7.x86_64.rpm

tkinter-2.7.5-34.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2013-1752

https://access.redhat.com/security/cve/CVE-2013-1753

https://access.redhat.com/security/cve/CVE-2014-4616

https://access.redhat.com/security/cve/CVE-2014-4650

https://access.redhat.com/security/cve/CVE-2014-7185

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/articles/2039753

https://www.python.org/dev/peps/pep-0466/

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v

qMX3qLAXBobeDiPX4eN9Pxc=

=JQMw

-----END PGP SIGNATURE-----

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×