Mandrake security alert: Updated python packages fix buffer overflow vulnerability
A buffer overflow in python 2.2's getaddrinfo() function was discovered by Sebastian Schmidt.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: python
Advisory ID: MDKSA-2004:019
Date: March 9th, 2004
Affected versions: 9.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A buffer overflow in python 2.2's getaddrinfo() function was
discovered by Sebastian Schmidt. If python 2.2 is built without
IPv6 support, an attacker who controls a name server can make a
hostname resolve to a crafted IPv6 address. Because a 16-byte IPv6
address is longer than the IPv4 address the non-IPv6 code path
expects, the extra bytes overflow the buffer and can supply a memory
address pointing at attacker-placed shellcode. This problem does not
affect python versions prior to 2.2 or versions 2.2.2 and later, and
it also does not exist if IPv6 support is enabled.
The updated packages have been patched to correct the problem. Thanks
to Sebastian for both the discovery and patch.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0150
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
879da513052f8a7f22f46b32c8edd064 corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.i586.rpm
41aabf6642342583667e7f7614b2b1af corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.i586.rpm
79afd48bc89cf1dd3580f9b9d210ab08 corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.i586.rpm
0e6280b152a9f65677da9ce35bbfc987 corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.i586.rpm
9e0eaadd3d9e3a15b95acb17fbde064d corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.i586.rpm
f241bc6291f1d5a46e95a2e5fa7e7791 corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.i586.rpm
84625a172626fe08ff13bce7b2030641 corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
5b523008885552a89c17197f1091c850 x86_64/corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.x86_64.rpm
44befc507f68059d14f46c758ed57380 x86_64/corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.x86_64.rpm
0dfefaf01bb9ac8a5cecc444900be1b2 x86_64/corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.x86_64.rpm
cd79821fb454279049337f3bd0885479 x86_64/corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.x86_64.rpm
955bd9c56f666e19e146feb9da0087b7 x86_64/corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.x86_64.rpm
651c007f402400e18c51ac97ae3da84e x86_64/corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.x86_64.rpm
84625a172626fe08ff13bce7b2030641 x86_64/corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm
Mandrakelinux 9.0:
9e8ecf81acdf6e00066b020bead51c4a 9.0/RPMS/libpython2.2-2.2.1-14.4.90mdk.i586.rpm
990622b91606efd81f8fe2b40c8576f3 9.0/RPMS/libpython2.2-devel-2.2.1-14.4.90mdk.i586.rpm
b91abc21fad8020cbee047ad1bbf0da8 9.0/RPMS/python-2.2.1-14.4.90mdk.i586.rpm
a08fb0bad8dafca71f0e08a343c95412 9.0/RPMS/python-base-2.2.1-14.4.90mdk.i586.rpm
3d2be84aab4e0fab2cb86c9e6bacc25f 9.0/RPMS/python-docs-2.2.1-14.4.90mdk.i586.rpm
a765ef4de6610a6ea880dc17aeab7636 9.0/RPMS/tkinter-2.2.1-14.4.90mdk.i586.rpm
1ad8d764521ada5597da5f5083dfd1f6 9.0/SRPMS/python-2.2.1-14.4.90mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesecure.net/en/advisories/
Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFATqJ/mqjQ0CJFipgRAtEtAJkB8w2/Qf1eXYE/eGMBh55sKX/MpwCeI+No
P3uOOAxXMBCVPT+J3QDN41E=
=8F0Z
-----END PGP SIGNATURE-----
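The bug class in the Problem Description above, shown as an added illustration rather than Python's own getaddrinfo.c: a resolver answer is trusted for its h_length and copied into space reserved for a 4-byte IPv4 address, so a 16-byte AF_INET6 record from an attacker-controlled name server spills past the slot. The struct, function names and the two hostent records are constructed for this example (no DNS is queried); the hardened form rejects any answer that is not exactly a 4-byte AF_INET record before copying.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the space a non-IPv6 getaddrinfo() emulation
 * reserves for a resolved address: sizeof(struct in_addr) == 4 bytes,
 * followed by whatever the compiler placed next on the stack (here a
 * marker array, so overwrites can be counted instead of crashing). */
struct addr_slot {
    unsigned char addr[sizeof(struct in_addr)];
    unsigned char neighbour[16];
};

#define MARKER 0xAA

static void init_slot(struct addr_slot *s) {
    memset(s->addr, 0, sizeof s->addr);
    memset(s->neighbour, MARKER, sizeof s->neighbour);
}

/* Count neighbour bytes that no longer hold the marker, i.e. bytes written
 * by a copy that ran past the 4-byte address slot. */
static int clobbered_bytes(const struct addr_slot *s) {
    int n = 0;
    for (size_t i = 0; i < sizeof s->neighbour; i++)
        if (s->neighbour[i] != MARKER) n++;
    return n;
}

/* Vulnerable pattern: trust h_length from the resolver and copy that many
 * bytes into a slot sized for an IPv4 address. A 16-byte AF_INET6 answer
 * writes 12 bytes past the slot. Returns the number of clobbered bytes. */
static int copy_addr_unchecked(struct addr_slot *s, const struct hostent *hp) {
    memcpy((unsigned char *)s, hp->h_addr_list[0], (size_t)hp->h_length);
    return clobbered_bytes(s);
}

/* Hardened pattern: without IPv6 support, only a 4-byte AF_INET record is
 * acceptable; anything else is rejected before any copy. 0 = ok, -1 = rejected. */
static int copy_addr_checked(struct addr_slot *s, const struct hostent *hp) {
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof s->addr)
        return -1;
    memcpy(s->addr, hp->h_addr_list[0], sizeof s->addr);
    return 0;
}

/* Constructed resolver answers (not real DNS data). The IPv6 record's tail
 * stands in for the attacker-chosen bytes that would land past the slot. */
static unsigned char v4_bytes[4]  = {192, 0, 2, 10};
static unsigned char v6_bytes[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                     0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42};
static char *v4_list[] = {(char *)v4_bytes, NULL};
static char *v6_list[] = {(char *)v6_bytes, NULL};
static struct hostent fake_v4 = {"example.test", NULL, AF_INET,  4,  v4_list};
static struct hostent fake_v6 = {"example.test", NULL, AF_INET6, 16, v6_list};

/* Unchecked copy of the IPv6 answer: returns how many bytes spilled (12). */
static int demo_unchecked(void) {
    struct addr_slot s;
    init_slot(&s);
    return copy_addr_unchecked(&s, &fake_v6);
}

/* Checked copy of the IPv6 answer: 1 if it was rejected and nothing spilled. */
static int demo_checked_v6(void) {
    struct addr_slot s;
    init_slot(&s);
    int r = copy_addr_checked(&s, &fake_v6);
    return r == -1 && clobbered_bytes(&s) == 0;
}

/* Checked copy of the IPv4 answer: 1 if accepted, copied intact, nothing spilled. */
static int demo_checked_v4(void) {
    struct addr_slot s;
    init_slot(&s);
    int r = copy_addr_checked(&s, &fake_v4);
    return r == 0 && memcmp(s.addr, v4_bytes, sizeof s.addr) == 0 &&
           clobbered_bytes(&s) == 0;
}

int main(void) {
    printf("unchecked copy of a 16-byte answer clobbered %d bytes past the slot\n",
           demo_unchecked());
    printf("checked copy rejects the 16-byte answer: %s\n",
           demo_checked_v6() ? "yes" : "no");
    printf("checked copy accepts a 4-byte answer: %s\n",
           demo_checked_v4() ? "yes" : "no");
    return 0;
}
```

The spilled bytes here land in a marker array so the overwrite can be counted; in the real code path they land in whatever follows the address buffer on the stack, which is how a resolver-supplied address can end up steering control flow. The check in copy_addr_checked() is the shape of fix the advisory describes: validate both the address family and the length the resolver reports before trusting either.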