Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[Security Announce] [ MDVSA-2008:164 ] python

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

This is a multi-part message in MIME format...

 

------------=_1218159637-11275-7981

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2008:164

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : python

Date : August 7, 2008

Affected: Corporate 4.0

_______________________________________________________________________

 

Problem Description:

 

Multiple integer overflows in the imageop module in Python prior to

2.5.3 allowed context-dependent attackers to cause a denial of service

(crash) or possibly execute arbitrary code via crafted images that

trigger heap-based buffer overflows (CVE-2008-1679). This was due

to an incomplete fix for CVE-2007-4965.

 

David Remahl of Apple Product Security reported several integer

overflows in a number of core modules (CVE-2008-2315).

 

Justin Ferguson reported multiple buffer overflows in unicode string

processing that affected 32bit systems (CVE-2008-3142).

 

Multiple integer overflows were reported by the Google Security Team

that had been fixed in Python 2.5.2 (CVE-2008-3143).

 

Justin Ferguson reported a number of integer overflows and underflows

in the PyOS_vsnprintf() function, as well as an off-by-one error

when passing zero-length strings, that led to memory corruption

(CVE-2008-3144).

 

The updated packages have been patched to correct these issues.

As well, Python packages on Corporate Server 4 have been updated to

the latest version 2.4.5.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1679

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144

_______________________________________________________________________

 

Updated Packages:

 

Corporate 4.0:

900137924c889fa7d005ab3d895243c8 corporate/4.0/i586/libpython2.4-2.4.5-0.1.20060mlcs4.i586.rpm

7c3de61878f0c0bac533f9a51c0dea81 corporate/4.0/i586/libpython2.4-devel-2.4.5-0.1.20060mlcs4.i586.rpm

490ccd940ea503dca0a761d9bfacc5da corporate/4.0/i586/python-2.4.5-0.1.20060mlcs4.i586.rpm

a4617bf6d939be01e0f114c1906ea66c corporate/4.0/i586/python-base-2.4.5-0.1.20060mlcs4.i586.rpm

8445ef65b15c5dea104e05f9090664e1 corporate/4.0/i586/python-docs-2.4.5-0.1.20060mlcs4.i586.rpm

c1d2948b33c23fe810e462b92667901b corporate/4.0/i586/tkinter-2.4.5-0.1.20060mlcs4.i586.rpm

f0043982cc31ea43c0957b8eaf72cddf corporate/4.0/SRPMS/python-2.4.5-0.1.20060mlcs4.src.rpm

 

Corporate 4.0/X86_64:

540b5dbd4692ba0d2a9e3b17785f8ea2 corporate/4.0/x86_64/lib64python2.4-2.4.5-0.1.20060mlcs4.x86_64.rpm

551b23b1225cd32f7e41c118c3ee4faa corporate/4.0/x86_64/lib64python2.4-devel-2.4.5-0.1.20060mlcs4.x86_64.rpm

1f03aadf3fb3319212969c95e6a12fce corporate/4.0/x86_64/python-2.4.5-0.1.20060mlcs4.x86_64.rpm

143ee3746b47d8a2eaeab35f828885fb corporate/4.0/x86_64/python-base-2.4.5-0.1.20060mlcs4.x86_64.rpm

ce41c796e4fa6d40fe9f987a46613f24 corporate/4.0/x86_64/python-docs-2.4.5-0.1.20060mlcs4.x86_64.rpm

a77cc847126150d324f4c6f594f3bfbe corporate/4.0/x86_64/tkinter-2.4.5-0.1.20060mlcs4.x86_64.rpm

f0043982cc31ea43c0957b8eaf72cddf corporate/4.0/SRPMS/python-2.4.5-0.1.20060mlcs4.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFIm3i8mqjQ0CJFipgRAvMmAKDUud5h0eHD+RH9yG2RVxtp6agR3ACgidij

03K7iRakDQ950tPu2b8+mCU=

=rCOM

-----END PGP SIGNATURE-----

 

 

------------=_1218159637-11275-7981

Content-Type: text/plain; name="message-footer.txt"

Content-Disposition: inline; filename="message-footer.txt"

Content-Transfer-Encoding: 8bit

 

To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva?

Go to http://www.mandrivastore.com

Join the Club : http://www.mandrivaclub.com

_______________________________________________________

 

------------=_1218159637-11275-7981--

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×