From security@linux-mandrake.com Fri Feb 11 12:43:48 2005
From: Mandrakelinux Security Team
To: bugtraq@securityfocus.com
Date: Thu, 10 Feb 2005 17:03:47 -0700
Subject: MDKSA-2005:035 - Updated python packages fix vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           python
 Advisory ID:            MDKSA-2005:035
 Date:                   February 10th, 2005

 Affected versions:      10.0, 10.1, 9.2, Corporate 3.0,
                         Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A flaw in the python language was found by the development team.  The
 SimpleXMLRPCServer library module could permit remote attackers
 unintended access to internals of the registered object or its module,
 or possibly even other modules.  This only affects python XML-RPC
 servers that use the register_instance() method to register an object
 without a _dispatch() method.  Servers that only use the
 register_function() method are not affected.

 The updated packages have been patched to prevent these problems.
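 The registration patterns named in the problem description, compared
 side by side as an added example (not part of the original advisory and
 not Mandrakesoft or Python project code). It assumes a current Python 3,
 where the module lives in xmlrpc.server and register_instance() takes an
 allow_dotted_names parameter; Service, Settings, GuardedService, build()
 and surface() are hypothetical names constructed for the illustration.

```python
from xmlrpc.server import SimpleXMLRPCDispatcher  # Python 3 home of SimpleXMLRPCServer

class Settings:
    """Internal helper, never meant to be callable over XML-RPC."""
    def dump(self):
        return {"note": "constructed sample value"}

class Service:
    """Constructed sample service: only add() is meant to be remote."""
    def __init__(self):
        self.settings = Settings()  # internal attribute of the registered object
    def add(self, a, b):
        return a + b

class GuardedService(Service):
    """Same service with an explicit _dispatch() allowlist."""
    EXPOSED = frozenset({"add"})
    def _dispatch(self, method, params):
        if method not in self.EXPOSED:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)

def build(mode):
    """Return a dispatcher registered in one of four ways."""
    d = SimpleXMLRPCDispatcher()
    if mode == "function":    # register_function() only
        d.register_function(Service().add, "add")
    elif mode == "dispatch":  # instance that defines _dispatch()
        d.register_instance(GuardedService())
    elif mode == "instance":  # instance without _dispatch(), current default
        d.register_instance(Service())
    elif mode == "dotted":    # weak setting: dotted names are resolved
        d.register_instance(Service(), allow_dotted_names=True)
    else:
        raise ValueError(mode)
    return d

PROBES = [("add", (2, 3)), ("settings.dump", ()), ("__class__", ())]

def surface(mode):
    """Names from PROBES that the dispatcher will actually call."""
    d, ok = build(mode), []
    for name, params in PROBES:
        try:
            d._dispatch(name, params)
            ok.append(name)
        except Exception:
            pass  # rejected by the dispatcher, or not callable
    return ok

if __name__ == "__main__":
    for mode in ("function", "dispatch", "instance", "dotted"):
        print(mode, surface(mode))
```

 Running surface() over a server's own registration in a unit test shows
 whether any name other than the intended methods is dispatched.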
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089
  http://www.python.org/security/PSF-2005-001/
 ______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCC/ZjmqjQ0CJFipgRAi95AJ4vpZrIjCr0ELcviVbHKq8Dkbt+jACgofT6
U2txH8XfADhe9WOXh1OFc1o=
=Xsxz
-----END PGP SIGNATURE-----