Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.891663
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for python3.4 (DLA-1663-1)
Summary:This DLA fixes a problem parsing x509 certificates, a pickle integer;overflow, and some other minor issues:;;CVE-2016-0772;;The smtplib library in CPython does not return an error when StartTLS fails,;which might allow man-in-the-middle attackers to bypass the TLS protections by;leveraging a network position between the client and the registry to block the;StartTLS command, aka a 'StartTLS stripping attack.';;CVE-2016-5636;;Integer overflow in the get_data function in zipimport.c in CPython;allows remote attackers to have unspecified impact via a negative data size;value, which triggers a heap-based buffer overflow.;;CVE-2016-5699;;CRLF injection vulnerability in the HTTPConnection.putheader function in;urllib2 and urllib in CPython allows remote attackers to inject arbitrary HTTP;headers via CRLF sequences in a URL.;;CVE-2018-20406;;Modules/_pickle.c has an integer overflow via a large LONG_BINPUT value;that is mishandled during a 'resize to twice the size' attempt. This issue;might cause memory exhaustion, but is only relevant if the pickle format is;used for serializing tens or hundreds of gigabytes of data.;;CVE-2019-5010;;NULL pointer dereference using a specially crafted X509 certificate.
Description:Summary:
This DLA fixes a problem parsing x509 certificates, a pickle integer
overflow, and some other minor issues:

CVE-2016-0772

The smtplib library in CPython does not return an error when StartTLS fails,
which might allow man-in-the-middle attackers to bypass the TLS protections by
leveraging a network position between the client and the registry to block the
StartTLS command, aka a 'StartTLS stripping attack.'

CVE-2016-5636

Integer overflow in the get_data function in zipimport.c in CPython
allows remote attackers to have unspecified impact via a negative data size
value, which triggers a heap-based buffer overflow.

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in
urllib2 and urllib in CPython allows remote attackers to inject arbitrary HTTP
headers via CRLF sequences in a URL.

CVE-2018-20406

Modules/_pickle.c has an integer overflow via a large LONG_BINPUT value
that is mishandled during a 'resize to twice the size' attempt. This issue
might cause memory exhaustion, but is only relevant if the pickle format is
used for serializing tens or hundreds of gigabytes of data.

CVE-2019-5010

NULL pointer dereference using a specially crafted X509 certificate.

Affected Software/OS:
python3.4 on Debian Linux

Solution:
For Debian 8 'Jessie', these problems have been fixed in version
3.4.2-1+deb8u2.

We recommend that you upgrade your python3.4 packages.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2016-0772
BugTraq ID: 91225
http://www.securityfocus.com/bid/91225
https://security.gentoo.org/glsa/201701-18
https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
http://www.openwall.com/lists/oss-security/2016/06/14/9
RedHat Security Advisories: RHSA-2016:1626
http://rhn.redhat.com/errata/RHSA-2016-1626.html
RedHat Security Advisories: RHSA-2016:1627
http://rhn.redhat.com/errata/RHSA-2016-1627.html
RedHat Security Advisories: RHSA-2016:1628
http://rhn.redhat.com/errata/RHSA-2016-1628.html
RedHat Security Advisories: RHSA-2016:1629
http://rhn.redhat.com/errata/RHSA-2016-1629.html
RedHat Security Advisories: RHSA-2016:1630
http://rhn.redhat.com/errata/RHSA-2016-1630.html
SuSE Security Announcement: openSUSE-SU-2020:0086 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-5636
BugTraq ID: 91247
http://www.securityfocus.com/bid/91247
http://www.openwall.com/lists/oss-security/2016/06/15/15
http://www.openwall.com/lists/oss-security/2016/06/16/1
RedHat Security Advisories: RHSA-2016:2586
http://rhn.redhat.com/errata/RHSA-2016-2586.html
http://www.securitytracker.com/id/1038138
Common Vulnerability Exposure (CVE) ID: CVE-2016-5699
BugTraq ID: 91226
http://www.securityfocus.com/bid/91226
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
http://www.openwall.com/lists/oss-security/2016/06/14/7
http://www.openwall.com/lists/oss-security/2016/06/15/12
http://www.openwall.com/lists/oss-security/2016/06/16/2
Common Vulnerability Exposure (CVE) ID: CVE-2019-5010
https://security.gentoo.org/glsa/202003-26
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
RedHat Security Advisories: RHSA-2019:3520
https://access.redhat.com/errata/RHSA-2019:3520
RedHat Security Advisories: RHSA-2019:3725
https://access.redhat.com/errata/RHSA-2019:3725
CopyrightCopyright (C) 2019 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2022 E-Soft Inc. All rights reserved.