Mageia alert MGASA-2012-0169 (python)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2012-0169: python-2.7.1-6.2.mga1 (1/core) | |
| Date: | Thu, 19 Jul 2012 01:35:39 +0200 | |
| Message-ID: | <20120718233539.GA17471@valstar.mageia.org> |
MGASA-2012-0169 Date: July 19th, 2012 Affected releases: 1 Description: Updated python packages fix security vulnerabilities: The _ssl module would always disable the CBC IV attack countermeasure (CVE-2011-3389). A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories (CVE-2011-4944). A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer (CVE-2012-0845). Hash table collisions CPU usage DoS for the embedded copy of expat (CVE-2012-0876). A denial of service flaw was found in the implementation of associative arrays (dictionaries) in Python. An attacker able to supply a large number of inputs to a Python application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions (CVE-2012-1150). Additionally, python has been built against the system expat and ffi libraries, to avoid any future issues with those. Updated Packages: python-2.7.1-6.2.mga1 python-docs-2.7.1-6.2.mga1 tkinter-2.7.1-6.2.mga1 tkinter-apps-2.7.1-6.2.mga1 lib(64)python2.7-2.7.1-6.2.mga1 lib(64)python-devel-2.7.1-6.2.mga1 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150 http://lists.opensuse.org/opensuse-updates/2012-05/msg000... http://www.mandriva.com/en/support/security/advisories/?d... https://bugs.mageia.org/show_bug.cgi?id=5843 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...