 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.871501 |
| Category: | Red Hat Local Security Checks |
| Title: | RedHat Update for python RHSA-2015:2101-01 |
| Summary: | The remote host is missing an update for the 'python'; package(s) announced via the referenced advisory. |
| Description: | Summary: The remote host is missing an update for the 'python' package(s) announced via the referenced advisory. Vulnerability Insight: Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753) It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752) It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. (CVE-2014-4650) An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185) A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616) The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365) Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108) This update also fixes the following bugs: * Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an 'Invalid argument' error. Subprocesses h ... Description truncated, please see the referenced URL(s) for more information. Affected Software/OS: python on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-1752 Common Vulnerability Exposure (CVE) ID: CVE-2013-1753 Common Vulnerability Exposure (CVE) ID: CVE-2014-4616 BugTraq ID: 68119 http://www.securityfocus.com/bid/68119 https://security.gentoo.org/glsa/201503-10 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395 https://hackerone.com/reports/12297 http://openwall.com/lists/oss-security/2014/06/24/7 RedHat Security Advisories: RHSA-2015:1064 http://rhn.redhat.com/errata/RHSA-2015-1064.html SuSE Security Announcement: openSUSE-SU-2014:0890 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html Common Vulnerability Exposure (CVE) ID: CVE-2014-4650 http://bugs.python.org/issue21766 http://openwall.com/lists/oss-security/2014/06/26/3 RedHat Security Advisories: Red Hat https://access.redhat.com/security/cve/cve-2014-4650 Common Vulnerability Exposure (CVE) ID: CVE-2014-7185 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html BugTraq ID: 70089 http://www.securityfocus.com/bid/70089 http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139663.html http://www.openwall.com/lists/oss-security/2014/09/23/5 http://www.openwall.com/lists/oss-security/2014/09/25/47 RedHat Security Advisories: RHSA-2015:1330 http://rhn.redhat.com/errata/RHSA-2015-1330.html SuSE Security Announcement: openSUSE-SU-2014:1292 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-10/msg00016.html XForce ISS Database: python-bufferobject-overflow(96193) https://exchange.xforce.ibmcloud.com/vulnerabilities/96193 Common Vulnerability Exposure (CVE) ID: CVE-2014-9365 BugTraq ID: 71639 http://www.securityfocus.com/bid/71639 http://www.openwall.com/lists/oss-security/2014/12/11/1 RedHat Security Advisories: RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166 RedHat Security Advisories: RHSA-2017:1162 https://access.redhat.com/errata/RHSA-2017:1162 RedHat Security Advisories: RHSA-2017:1868 https://access.redhat.com/errata/RHSA-2017:1868 |
| Copyright | Copyright (C) 2015 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |