
Trustix alert 2002-0073 (python)

From:  tsl@trustix.com (Trustix Secure Linux Advisor)
To:  tsl-announce@trustix.org
Subject:  TSLSA-2002-0073-python
Date:  Thu, 17 Oct 2002 13:14:40 +0200

Trustix Secure Linux Security Advisory #2002-0073

Package name: python
Summary: temp file issue
Date: 2002-10-17
Affected versions: TSL 1.5

Package description:
Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries. Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to RPM.

Problem description:
Zack Weinberg discovered an insecure use of a temporary file in os._execvpe from os.py. The implementation uses a predictable name, which could lead to execution of arbitrary code.

Action:
We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater.

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>

Public testing:
These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailing list. The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>

Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>

Verification:
This advisory, along with all TSL packages, is signed with the TSL sign key. This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.5/>
or directly at
<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0073-python.asc.txt>

MD5sums of the packages:
5fe611081d34dc9c34d37b52ed2923b4  ./1.5/SRPMS/python-1.5.2-15tr.src.rpm
91ed650b84cf4fe84ff21da1c94f805d  ./1.5/RPMS/python-tools-1.5.2-15tr.i586.rpm
a60abe3bed81db3cb8898618ee4d7977  ./1.5/RPMS/python-docs-1.5.2-15tr.i586.rpm
1a9673f3b1928c3ca8599be9a0c8848e  ./1.5/RPMS/python-devel-1.5.2-15tr.i586.rpm
5d5001757149d587f105825e2b82a404  ./1.5/RPMS/python-1.5.2-15tr.i586.rpm

Trustix Security Team
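The advisory does not show the os.py code, so the following is an added example (not from Trustix or the Python sources) of the general bug class it names: a temporary file with a predictable name, next to the hardened alternatives. The naming scheme, PID, file names and helper functions are assumptions made for the demonstration, which runs entirely inside a private scratch directory.

```python
import os
import tempfile

def predictable_name(directory, pid):
    # Hypothetical scheme: fixed prefix plus PID, guessable before the file exists.
    return os.path.join(directory, "app-%d.tmp" % pid)

def write_naive(path, data):
    # Weak pattern: open() follows an existing symlink and truncates its target.
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    # Hardened: O_CREAT|O_EXCL fails if anything, symlink included, is at path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as shared:
        # Constructed stand-in for a file the writing process should never touch.
        victim = os.path.join(shared, "important.cfg")
        with open(victim, "w") as f:
            f.write("original")
        path = predictable_name(shared, 4242)  # constructed PID
        os.symlink(victim, path)  # something already sits at the guessed name
        write_naive(path, "scratch")
        with open(victim) as f:
            results["naive_clobbered"] = f.read() == "scratch"
        try:
            write_exclusive(path, "scratch")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        # Preferred: mkstemp picks a random name and creates it with O_EXCL, 0600.
        fd, safe = tempfile.mkstemp(dir=shared)
        os.close(fd)
        results["mkstemp_mode"] = oct(os.stat(safe).st_mode & 0o777)
        results["mkstemp_distinct"] = safe != path
    return results

if __name__ == "__main__":
    print(demo())
```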




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds