python-2.7.5-34.0.1.el7.AXS7

エラータID: AXSA:2015-803:01

Release date: 
Thursday, November 26, 2015 - 20:28
Subject: 
python-2.7.5-34.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks
in a fashion similar to perl's Net::IP and friends. The IP class allows
a comfortable parsing and handling for most notations in use for IPv4
and IPv6 Addresses and Networks.

Security issues fixed with this release:

CVE-2013-1752
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2013-1753
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2014-4616
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2014-4650
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2014-7185
Integer overflow in bufferobject.c in Python before 2.7.8 allows
context-dependent attackers to obtain sensitive information from
process memory via a large size and offset in a "buffer" function.

Fixed bugs:

* Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an "Invalid argument" error. Subprocesses have been fixed to close the file descriptors only once.
* When importing the readline module from a Python script, Python no longer produces erroneous random characters on stdout.
* The cProfile utility has been fixed to print all values that the "-s" option supports when this option is used without a correct value.
* The load_cert_chain() function now accepts "None" as a keyfile argument.
Enhancements:

* Security enhancements as described in PEP 466 have been backported to the Python standard library, for example, new features of the ssl module: Server Name Indication (SNI) support, support for new TLSv1.x protocols, new hash algorithms in the hashlib module, and many more.
* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl library.
* The ssl.SSLSocket.version() method is now available to access information about the version of the SSL protocol used in a connection.

Solution: 

Update packages.

CVEs: 
CVE-2013-1752
** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.
CVE-2013-1753
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2014-4616
Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
CVE-2014-4650
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2014-7185
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
Additional Info: 

N/A

Download: 

SRPMS
  1. python-2.7.5-34.0.1.el7.AXS7.src.rpm
    MD5: a9300cdd7532c935db2e2f8e2e768fa8
    SHA-256: ff453f7c981cdc2dfd6ec82d2e2a7b20252b8b9297b44b4d86a2bc05b5ecae3f
    Size: 10.14 MB

Asianux Server 7 for x86_64
  1. python-2.7.5-34.0.1.el7.AXS7.x86_64.rpm
    MD5: 89ca3847312120381f017faaeeb00284
    SHA-256: 37f1a63c205bb9e32a2d25c98a0394ec4f5bff9842b490dbdaa6436e94662aaf
    Size: 87.16 kB
  2. python-devel-2.7.5-34.0.1.el7.AXS7.x86_64.rpm
    MD5: 2d2cf44c8138fc52e2bb84368d2e4cd3
    SHA-256: 667f778dda89c45a7871f3d114ecd3a408fbf2556d7e2c7941279024ebbdff4a
    Size: 389.93 kB
  3. python-libs-2.7.5-34.0.1.el7.AXS7.x86_64.rpm
    MD5: 43b01931dc78ec11da907efb9b44f4d0
    SHA-256: 6b2d7eeb4e00b20dfebc3ec96e84521541c71bd6b589cc7ae46a423f166d8210
    Size: 5.63 MB
  4. python-libs-2.7.5-34.0.1.el7.AXS7.i686.rpm
    MD5: 94ca1c507d8a81885decc30aad1fa0a0
    SHA-256: 56561f3c019a27e72fba8be6325c86607c3c82c3332838070f9493cd42012e6e
    Size: 5.58 MB