Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1616-1] Python 3.1 vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Oct 2012 12:04:38 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1616-1] Python 3.1 vulnerabilities
Message-ID: <50881FA6.3000702@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1616-1
October 24, 2012
python3.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Python 3.1.
Software Description:
- python3.1: An interactive high-level object-oriented language (version
3.1)
Details:
It was discovered that Python would prepend an empty string to sys.path
under certain circumstances. A local attacker with write access to the
current working directory could exploit this to execute arbitrary code.
This issue only affected Ubuntu 10.04 LTS. (CVE-2008-5983)
It was discovered that the audioop module did not correctly perform input
validation. If a user or automatated system were tricked into opening a
crafted audio file, an attacker could cause a denial of service via
application crash. These issues only affected Ubuntu 10.04 LTS.
(CVE-2010-1634, CVE-2010-2089)
It was discovered that Python distutils contained a race condition when
creating the ~/.pypirc file. A local attacker could exploit this to obtain
sensitive information. (CVE-2011-4944)
It was discovered that SimpleXMLRPCServer did not properly validate its
input when handling HTTP POST requests. A remote attacker could exploit
this to cause a denial of service via excessive CPU utilization.
(CVE-2012-0845)
It was discovered that Python was susceptible to hash algorithm attacks.
An attacker could cause a denial of service under certian circumstances.
This update adds the '-R' command line option and honors setting the
PYTHONHASHSEED environment variable to 'random' to salt str and datetime
objects with an unpredictable value. (CVE-2012-1150)
Serhiy Storchaka discovered that the UTF16 decoder in Python did not
properly reset internal variables after error handling. An attacker could
exploit this to cause a denial of service via memory corruption.
(CVE-2012-2135)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
python3.1 3.1.3-1ubuntu1.2
python3.1-minimal 3.1.3-1ubuntu1.2
Ubuntu 10.04 LTS:
python3.1 3.1.2-0ubuntu3.2
python3.1-minimal 3.1.2-0ubuntu3.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1616-1
CVE-2008-5983, CVE-2010-1634, CVE-2010-2089, CVE-2011-4944,
CVE-2012-0845, CVE-2012-1150, CVE-2012-2135
Package Information:
https://launchpad.net/ubuntu/+source/python3.1/3.1.3-1ubuntu1.2
https://launchpad.net/ubuntu/+source/python3.1/3.1.2-0ubuntu3.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121024/384177a9/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 97, Issue 15
********************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2012
(533)
-
▼
October
(19)
- ubuntu-security-announce Digest, Vol 97, Issue 19
- ubuntu-security-announce Digest, Vol 97, Issue 18
- ubuntu-security-announce Digest, Vol 97, Issue 17
- ubuntu-security-announce Digest, Vol 97, Issue 16
- ubuntu-security-announce Digest, Vol 97, Issue 15
- ubuntu-security-announce Digest, Vol 97, Issue 14
- ubuntu-security-announce Digest, Vol 97, Issue 13
- ubuntu-security-announce Digest, Vol 97, Issue 12
- ubuntu-security-announce Digest, Vol 97, Issue 11
- ubuntu-security-announce Digest, Vol 97, Issue 10
- ubuntu-security-announce Digest, Vol 97, Issue 9
- ubuntu-security-announce Digest, Vol 97, Issue 8
- ubuntu-security-announce Digest, Vol 97, Issue 7
- ubuntu-security-announce Digest, Vol 97, Issue 6
- ubuntu-security-announce Digest, Vol 97, Issue 5
- ubuntu-security-announce Digest, Vol 97, Issue 4
- ubuntu-security-announce Digest, Vol 97, Issue 3
- ubuntu-security-announce Digest, Vol 97, Issue 2
- ubuntu-security-announce Digest, Vol 97, Issue 1
-
▼
October
(19)
No comments:
Post a Comment