Security: Multiple issues in Python
Name: Multiple issues in Python
ID: USN-3134-1
Distribution: Ubuntu
Platforms: Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 16.04 LTS
Date: Wed, 23 November 2016, 06:39
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110
Applications: Python
Original message
==========================================================================
Ubuntu Security Notice USN-3134-1
November 22, 2016
python2.7, python3.2, python3.4, python3.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
- python3.2: An interactive high-level object-oriented language
Details:
It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772)
Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this to cause a CGI application to redirect outgoing HTTP requests. (CVE-2016-1000110)
Insu Yun discovered an integer overflow in the zipimporter module in Python that could lead to a heap-based overflow. An attacker could use this to craft a special zip file that when read by Python could possibly execute arbitrary code. (CVE-2016-5636)
Guido Vranken discovered that the urllib modules in Python did not properly handle carriage return line feed (CRLF) in headers. A remote attacker could use this to craft URLs that inject arbitrary HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5699)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 LTS:
  libpython2.7 2.7.12-1ubuntu0~16.04.1
  libpython2.7-minimal 2.7.12-1ubuntu0~16.04.1
  libpython2.7-stdlib 2.7.12-1ubuntu0~16.04.1
  libpython3.5 3.5.2-2ubuntu0~16.04.1
  libpython3.5-minimal 3.5.2-2ubuntu0~16.04.1
  libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.1
  python2.7 2.7.12-1ubuntu0~16.04.1
  python2.7-minimal 2.7.12-1ubuntu0~16.04.1
  python3.5 3.5.2-2ubuntu0~16.04.1
  python3.5-minimal 3.5.2-2ubuntu0~16.04.1
Ubuntu 14.04 LTS:
  libpython2.7 2.7.6-8ubuntu0.3
  libpython2.7-minimal 2.7.6-8ubuntu0.3
  libpython2.7-stdlib 2.7.6-8ubuntu0.3
  libpython3.4 3.4.3-1ubuntu1~14.04.5
  libpython3.4-minimal 3.4.3-1ubuntu1~14.04.5
  libpython3.4-stdlib 3.4.3-1ubuntu1~14.04.5
  python2.7 2.7.6-8ubuntu0.3
  python2.7-minimal 2.7.6-8ubuntu0.3
  python3.4 3.4.3-1ubuntu1~14.04.5
  python3.4-minimal 3.4.3-1ubuntu1~14.04.5
Ubuntu 12.04 LTS:
  libpython2.7 2.7.3-0ubuntu3.9
  libpython3.2 3.2.3-0ubuntu3.8
  python2.7 2.7.3-0ubuntu3.9
  python2.7-minimal 2.7.3-0ubuntu3.9
  python3.2 3.2.3-0ubuntu3.8
  python3.2-minimal 3.2.3-0ubuntu3.8
After a standard system update you need to restart any Python applications to make all the necessary changes.
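To confirm that a 16.04 host is at or above the fixed versions in this notice, the following added example (not part of the Ubuntu notice) reimplements Debian version ordering, including the `~` rule these version strings depend on, and checks a package inventory against it. The function names and the sample inventory are constructed for illustration; only the fixed version strings come from the notice.

```python
import re

# Fixed versions for Ubuntu 16.04 LTS, copied from this notice.
FIXED = {f"{p}python{v}{s}": fix
         for v, fix in (("2.7", "2.7.12-1ubuntu0~16.04.1"), ("3.5", "3.5.2-2ubuntu0~16.04.1"))
         for p, s in (("lib", ""), ("lib", "-minimal"), ("lib", "-stdlib"), ("", ""), ("", "-minimal"))}

def _order(ch):
    # dpkg ordering: '~' before everything (even end of string), letters before the rest.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (compared via _order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ka = [_order(c) for c in na] + [0] * (len(nb) - len(na))
        kb = [_order(c) for c in nb] + [0] * (len(na) - len(nb))
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        for x, y in ((ka, kb), (int(da or 0), int(db or 0))):
            if x != y:
                return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]: epoch ends at first ':', revision starts at last '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(v1, v2):
    # Returns -1, 0 or 1 following Debian version ordering.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(inventory, fixed=FIXED):
    # inventory: "<package>[:arch] <version>" lines, the shape `dpkg-query -W` prints.
    rows = [f for f in map(str.split, inventory.splitlines()) if len(f) == 2]
    pairs = ((name.split(":")[0], ver) for name, ver in rows)
    return {n: v for n, v in pairs if n in fixed and deb_cmp(v, fixed[n]) < 0}

# Constructed sample inventory (not from a real host).
SAMPLE = """python2.7 2.7.12-1~16.04
python2.7-minimal 2.7.12-1ubuntu0~16.04.1
libpython3.5:amd64 3.5.2-2~16.01
python3.5 3.5.2-2ubuntu0~16.04.4
bash 4.3-14ubuntu1"""
```

A plain string comparison would rank `2.7.12-1~16.04` incorrectly against `2.7.12-1ubuntu0~16.04.1`; the tilde rule is what makes it sort lower and be reported as unpatched.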
References:
  http://www.ubuntu.com/usn/usn-3134-1
  CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699
Package Information:
  https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.1
  https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.1
  https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.3
  https://launchpad.net/ubuntu/+source/python3.4/3.4.3-1ubuntu1~14.04.5
  https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.9
  https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.8