LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1314-1 (python3.1, python3.2)



From:
    	      Jamie Strandboge <jamie@canonical.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1314-1] Python 3 vulnerabilities 


Date:
    	      Mon, 19 Dec 2011 20:42:29 -0600


Message-ID:
    	      <1324348949.11060.15.camel@localhost>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1314-1
December 19, 2011

python3.1, python3.2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Applications using certain Python 3 modules could be made to crash or
expose sensitive information over the network.

Software Description:
- python3.1: An interactive high-level object-oriented language (version 3.1)
- python3.2: An interactive high-level object-oriented language (version 3.2)

Details:

Giampaolo Rodola discovered that the smtpd module in Python 3 did not
properly handle certain error conditions. A remote attacker could exploit
this to cause a denial of service via daemon outage. This issue only
affected Ubuntu 10.04 LTS. (CVE-2010-3493)

Niels Heinen discovered that the urllib module in Python 3 would process
Location headers that specify a file:// URL. A remote attacker could use
this to obtain sensitive information or cause a denial of service via
resource consumption. (CVE-2011-1521)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  python3.1-minimal               3.1.3-1ubuntu1.1
  python3.2-minimal               3.2-1ubuntu1.1

Ubuntu 10.10:
  python3.1-minimal               3.1.2+20100915-0ubuntu4.1

Ubuntu 10.04 LTS:
  python3.1-minimal               3.1.2-0ubuntu3.1

In general, a standard system update will make all the necessary changes.
Daemons using the urllib or smtpd modules may also need to be restarted
after a pplying this update.

References:
  http://www.ubuntu.com/usn/usn-1314-1
  CVE-2010-3493, CVE-2011-1521

Package Information:
  https://launchpad.net/ubuntu/+source/python3.1/3.1.3-1ubu...
  https://launchpad.net/ubuntu/+source/python3.2/3.2-1ubunt...
  https://launchpad.net/ubuntu/+source/python3.1/3.1.2+2010...
  https://launchpad.net/ubuntu/+source/python3.1/3.1.2-0ubu...


-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds