
Mageia alert MGASA-2015-0122 (python-rope)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2015-0122: Updated python-rope packages fix security vulnerabilities
Date:  Wed, 1 Apr 2015 14:13:58 +0200
Message-ID:  <20150401121358.B9935414F9@valstar.mageia.org>

MGASA-2015-0122 - Updated python-rope packages fix security vulnerabilities

Publication date: 01 Apr 2015
URL: http://advisories.mageia.org/MGASA-2015-0122.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-3539

Description:

The python-rope utility has been caught passing remotely supplied data to pickle.load(), enabling possible code-execution attacks. This can happen when the 'perform_doa' (dynamic object analysis) option is enabled, which it previously had been by default. This update changes the default configuration to disable this option. This only mitigates the issue: python-rope will still be vulnerable if the option is enabled.

If 'perform_doa' is enabled, python-rope can under some circumstances be persuaded to open a network port for a short time. That port can be used to push commands to the running process, so arbitrary commands could be run under the privileges of the user running python-rope. Anyone who enables this option is advised to make sure the computer is protected by a firewall.

References:
- https://bugs.mageia.org/show_bug.cgi?id=15427
- http://lists.opensuse.org/opensuse-updates/2015-03/msg000...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3539

SRPMS:
- 4/core/python-rope-0.9.4-4.1.mga4
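The advisory's core point is that pickle.load() on data from an untrusted source is code execution, not deserialization. The following is an added illustration written for this page; it is not python-rope's code and says nothing about rope's internal wire format. The class name Malicious, the allowlist, and the helper function names are all hypothetical. It shows a pickle whose __reduce__ makes the loader call an attacker-chosen function (a harmless one here, os.path.basename, standing in for os.system), and a restricted Unpickler that refuses every global outside a tiny allowlist, which is the standard hardening when pickle cannot be replaced outright.

```python
import io
import os.path
import pickle

# Constructed attacker object (hypothetical). pickle never stores this class;
# it stores "call posixpath.basename('/etc/passwd')" and the loader obeys it.
# Replace the callable with os.system and a shell string for the real attack.
class Malicious:
    def __reduce__(self):
        return (os.path.basename, ("/etc/passwd",))


def build_payload() -> bytes:
    """Constructed sample payload, as it would arrive over the network."""
    return pickle.dumps(Malicious())


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads() on remotely supplied bytes.

    The attacker's callable runs during loading; the return value is
    whatever that callable returned ("passwd" for this harmless payload).
    """
    return pickle.loads(data)


# Hypothetical allowlist: only plain builtins containers may be resolved.
# Everything else (posixpath.basename, os.system, subprocess.Popen, ...)
# is rejected before it can be called.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the only hook pickle uses to resolve
    the callables a payload names, so gating it gates code execution."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    """Deserialize with the allowlist; raises UnpicklingError on anything
    that tries to resolve a forbidden global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refused the payload."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print("unsafe loader executed attacker callable ->", unsafe_load(payload))
    print("restricted loader rejected payload ->", safe_load_rejects(payload))
    benign = pickle.dumps({"file": "a.py", "offsets": [1, 2, 3]})
    print("restricted loader still handles plain data ->", safe_load(benign))
```

Note that the restricted loader is a mitigation, not a replacement for not exposing pickle to the network at all: anything on the allowlist is still callable by the payload, so the list must contain only constructors with no side effects. For a tool like rope the stronger fix is the one the advisory takes, leaving the feature off unless the host is firewalled.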




Copyright © 2026, Eklektix, Inc.