[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200807-16.xml - gentoo-commits

From:	"Robert Buchholz (rbu)" <rbu@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200807-16.xml
Date:	Thu, 31 Jul 2008 23:45:28
Message-Id:	`E1KOhpl-00051z-R1@stork.gentoo.org`

1

rbu         08/07/31 23:45:25

2

3

  Added:                glsa-200807-16.xml

4

  Log:

5

  GLSA 200807-16

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200807-16.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200807-16.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200807-16.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200807-16.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200807-16">

21

  <title>Python: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Multiple vulnerabilities in Python may allow for the execution of arbitrary

24

    code.

25

  </synopsis>

26

  <product type="ebuild">python</product>

27

  <announced>July 31, 2008</announced>

28

  <revised>July 31, 2008: 01</revised>

29

  <bug>230640</bug>

30

  <bug>232137</bug>

31

  <access>remote</access>

32

  <affected>

33

    <package name="dev-lang/python" auto="yes" arch="*">

34

      <unaffected range="rge">2.4.4-r14</unaffected>

35

      <unaffected range="ge">2.5.2-r6</unaffected>

36

      <vulnerable range="lt">2.5.2-r6</vulnerable>

37

    </package>

38

  </affected>

39

  <background>

40

<p>

41

    Python is an interpreted, interactive, object-oriented programming

42

    language.

43

    </p>

44

  </background>

45

  <description>

46

<p>

47

    Multiple vulnerabilities were discovered in Python:

48

    </p>

49

    <ul>

50

    <li>

51

    David Remahl of Apple Product Security reported several integer

52

    overflows in core modules such as stringobject, unicodeobject,

53

    bufferobject, longobject, tupleobject, stropmodule, gcmodule,

54

    mmapmodule (CVE-2008-2315).

55

    </li>

56

    <li>

57

    David Remahl of Apple Product Security also reported an integer

58

    overflow in the hashlib module, leading to unreliable cryptographic

59

    digest results (CVE-2008-2316).

60

    </li>

61

    <li>

62

    Justin Ferguson reported multiple buffer overflows in unicode string

63

    processing that only affect 32bit systems (CVE-2008-3142).

64

    </li>

65

    <li>

66

    The Google Security Team reported multiple integer overflows

67

    (CVE-2008-3143).

68

    </li>

69

    <li>

70

    Justin Ferguson reported multiple integer underflows and overflows in

71

    the PyOS_vsnprintf() function, and an off-by-one error when passing

72

    zero-length strings, leading to memory corruption (CVE-2008-3144).

73

    </li>

74

    </ul>

75

  </description>

76

  <impact type="normal">

77

<p>

78

    A remote attacker could exploit these vulnerabilities in Python

79

    applications or daemons that pass user-controlled input to vulnerable

80

    functions. Exploitation might lead to the execution of arbitrary code

81

    or a Denial of Service. Vulnerabilities within the hashlib might lead

82

    to weakened cryptographic protection of data integrity or authenticity.

83

    </p>

84

  </impact>

85

  <workaround>

86

<p>

87

    There is no known workaround at this time.

88

    </p>

89

  </workaround>

90

  <resolution>

91

<p>

92

    All Python 2.4 users should upgrade to the latest version:

93

    </p>

94

    <code>

95

    # emerge --sync

96

    # emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/python-2.4.4-r14&quot;</code>

97

<p>

98

    All Python 2.5 users should upgrade to the latest version:

99

    </p>

100

    <code>

101

    # emerge --sync

102

    # emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/python-2.5.2-r6&quot;</code>

103

<p>

104

    Please note that Python 2.3 is masked since June 24, and we will not be

105

    releasing updates to it. It will be removed from the tree in the near

106

    future.

107

    </p>

108

  </resolution>

109

  <references>

110

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315">CVE-2008-2315</uri>

111

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316">CVE-2008-2316</uri>

112

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142">CVE-2008-3142</uri>

113

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143">CVE-2008-3143</uri>

114

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144">CVE-2008-3144</uri>

115

  </references>

116

  <metadata tag="submitter" timestamp="Thu, 31 Jul 2008 15:42:37 +0000">

117

rbu

118

  </metadata>

119

  <metadata tag="bugReady" timestamp="Thu, 31 Jul 2008 15:45:02 +0000">

120

rbu

121

  </metadata>

122

</glsa>

1	rbu 08/07/31 23:45:25
2
3	Added: glsa-200807-16.xml
4	Log:
5	GLSA 200807-16
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200807-16.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200807-16.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200807-16.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200807-16.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200807-16">
21	<title>Python: Multiple vulnerabilities</title>
22	<synopsis>
23	Multiple vulnerabilities in Python may allow for the execution of arbitrary
24	code.
25	</synopsis>
26	<product type="ebuild">python</product>
27	<announced>July 31, 2008</announced>
28	<revised>July 31, 2008: 01</revised>
29	<bug>230640</bug>
30	<bug>232137</bug>
31	<access>remote</access>
32	<affected>
33	<package name="dev-lang/python" auto="yes" arch="*">
34	<unaffected range="rge">2.4.4-r14</unaffected>
35	<unaffected range="ge">2.5.2-r6</unaffected>
36	<vulnerable range="lt">2.5.2-r6</vulnerable>
37	</package>
38	</affected>
39	<background>
40	<p>
41	Python is an interpreted, interactive, object-oriented programming
42	language.
43	</p>
44	</background>
45	<description>
46	<p>
47	Multiple vulnerabilities were discovered in Python:
48	</p>
49	<ul>
50	<li>
51	David Remahl of Apple Product Security reported several integer
52	overflows in core modules such as stringobject, unicodeobject,
53	bufferobject, longobject, tupleobject, stropmodule, gcmodule,
54	mmapmodule (CVE-2008-2315).
55	</li>
56	<li>
57	David Remahl of Apple Product Security also reported an integer
58	overflow in the hashlib module, leading to unreliable cryptographic
59	digest results (CVE-2008-2316).
60	</li>
61	<li>
62	Justin Ferguson reported multiple buffer overflows in unicode string
63	processing that only affect 32bit systems (CVE-2008-3142).
64	</li>
65	<li>
66	The Google Security Team reported multiple integer overflows
67	(CVE-2008-3143).
68	</li>
69	<li>
70	Justin Ferguson reported multiple integer underflows and overflows in
71	the PyOS_vsnprintf() function, and an off-by-one error when passing
72	zero-length strings, leading to memory corruption (CVE-2008-3144).
73	</li>
74	</ul>
75	</description>
76	<impact type="normal">
77	<p>
78	A remote attacker could exploit these vulnerabilities in Python
79	applications or daemons that pass user-controlled input to vulnerable
80	functions. Exploitation might lead to the execution of arbitrary code
81	or a Denial of Service. Vulnerabilities within the hashlib might lead
82	to weakened cryptographic protection of data integrity or authenticity.
83	</p>
84	</impact>
85	<workaround>
86	<p>
87	There is no known workaround at this time.
88	</p>
89	</workaround>
90	<resolution>
91	<p>
92	All Python 2.4 users should upgrade to the latest version:
93	</p>
94	<code>
95	# emerge --sync
96	# emerge --ask --oneshot --verbose ">=dev-lang/python-2.4.4-r14"</code>
97	<p>
98	All Python 2.5 users should upgrade to the latest version:
99	</p>
100	<code>
101	# emerge --sync
102	# emerge --ask --oneshot --verbose ">=dev-lang/python-2.5.2-r6"</code>
103	<p>
104	Please note that Python 2.3 is masked since June 24, and we will not be
105	releasing updates to it. It will be removed from the tree in the near
106	future.
107	</p>
108	</resolution>
109	<references>
110	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315">CVE-2008-2315</uri>
111	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316">CVE-2008-2316</uri>
112	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142">CVE-2008-3142</uri>
113	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143">CVE-2008-3143</uri>
114	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144">CVE-2008-3144</uri>
115	</references>
116	<metadata tag="submitter" timestamp="Thu, 31 Jul 2008 15:42:37 +0000">
117	rbu
118	</metadata>
119	<metadata tag="bugReady" timestamp="Thu, 31 Jul 2008 15:45:02 +0000">
120	rbu
121	</metadata>
122	</glsa>

Gentoo Archives: gentoo-commits