Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Python
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Python
ID: USN-1616-1
Distribution: Ubuntu
Plattformen: Ubuntu 10.04 LTS, Ubuntu 11.04
Datum: Do, 25. Oktober 2012, 06:32
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2135
Applikationen: Python

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--===============9008141692122609979==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="------------enig464EDF81645B0DA18C1383CD"

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig464EDF81645B0DA18C1383CD
Content-Type: text/plain; charset=ISO-8859-
Content-Transfer-Encoding: quoted-printable


==========================================================================
Ubuntu Security Notice USN-1616-1
October 24, 2012

python3.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Python 3.1.

Software Description:
- python3.1: An interactive high-level object-oriented language (version
3.1)

Details:

It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
This issue only affected Ubuntu 10.04 LTS. (CVE-2008-5983)

It was discovered that the audioop module did not correctly perform input
validation. If a user or automatated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. These issues only affected Ubuntu 10.04 LTS.
(CVE-2010-1634, CVE-2010-2089)

It was discovered that Python distutils contained a race condition when
creating the ~/.pypirc file. A local attacker could exploit this to obtain
sensitive information. (CVE-2011-4944)

It was discovered that SimpleXMLRPCServer did not properly validate its
input when handling HTTP POST requests. A remote attacker could exploit
this to cause a denial of service via excessive CPU utilization.
(CVE-2012-0845)

It was discovered that Python was susceptible to hash algorithm attacks.
An attacker could cause a denial of service under certian circumstances.
This update adds the '-R' command line option and honors setting the
PYTHONHASHSEED environment variable to 'random' to salt str and
 datetime
objects with an unpredictable value. (CVE-2012-1150)

Serhiy Storchaka discovered that the UTF16 decoder in Python did not
properly reset internal variables after error handling. An attacker could
exploit this to cause a denial of service via memory corruption.
(CVE-2012-2135)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  python3.1                       3.1.3-1ubuntu1.2
  python3.1-minimal               3.1.3-1ubuntu1.2

Ubuntu 10.04 LTS:
  python3.1                       3.1.2-0ubuntu3.2
  python3.1-minimal               3.1.2-0ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1616-1
  CVE-2008-5983, CVE-2010-1634, CVE-2010-2089, CVE-2011-4944,
  CVE-2012-0845, CVE-2012-1150, CVE-2012-2135

Package Information:
  https://launchpad.net/ubuntu/+source/python3.1/3.1.3-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/python3.1/3.1.2-0ubuntu3.2





--------------enig464EDF81645B0DA18C1383CD
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBCgAGBQJQiB+tAAoJEFHb3FjMVZVzrbsP/3lBmedckiSddvu2DDvnLQc1
KSjaxahRBSODjPwWtFV8+MdowtyBD9NByPC2y1jE+uaeT0zT7wbEp6w1kCyd99Lf
j4ivD6kDAIL4w06sqdAsofSMte/JsL0ODBblBukxqA1dNBjiWxyvOi75QLkBmMAM
UgT78J85NvyrW8s1SAPN5D70txK1j9k99I2g8YWBjSYfPiWjRJdzGgiSRZrgz5S2
mAmWc4Rvy0/8OvH6vtMkCU6JcLm+QbLeHpaGxbJyF1KyNYDLIjkVVf2P+78ro95A
LvAobSZ6QPIg/K/dj8WI11akgHI/si7CAWSJg+nI4eU5mpQWZxfH0dR4vDa3qj2T
xYGX7Fc2qd1MMsYVH9tEBcYDK9gqdvEZ8aJqT0I9HYpO8Msgq9i//NakG2REMpW7
6g8fNKVeYXahvUKmkW54OYT09aHfru2FYnXi5MXHrYhPZIfRq0eV4Sebryw5h0+w
XWDsKpCapoL65WzwoDjXE/Z/av6jPQcaSwfl/sNlmSa6Gq+bdS9/TDRhOVV3zTeI
B3bGMZxA5tDb9+sntbor8f8f3IxoTe9PkchCpgPHsbnHZCNoVIAFlsDCzSmO3oi8
7uLPuaBV5r/tGHAzNRtZvhjk2tqlC5M9TN5lPvUzg+fCs4uBPyu3QHFs7b98wYpd
5WHTarBlV1lyRhsULMbN
=6ENH
-----END PGP SIGNATURE-----

--------------enig464EDF81645B0DA18C1383CD--


--===============9008141692122609979==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============9008141692122609979==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung