python33-python-3.3.2-18.AXS4
Errata ID: AXSA:2016-628:01
Release date:
2016/08/19 Friday - 00:11
Title:
python33-python-3.3.2-18.AXS4
Affected channels:
Asianux Server 4 for x86_64
Severity:
Moderate
Description:
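[Fixes]
The following items have been addressed.
[Security Fix]
- The smtplib library in Python does not return an error when StartTLS fails, which might allow a man-in-the-middle attacker to bypass TLS protections by leveraging a network position between the client and the registry to block the StartTLS command. (CVE-2016-0772)
- The HTTPConnection.putheader function in Python's urllib2 and urllib has a CRLF injection vulnerability that allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. (CVE-2016-5699)
- Information on CVE-2016-1000110 has not been published at this time.
This advisory will be updated once the CVE information is published.
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.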
CVE:
CVE-2016-1000110
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2016-0772
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
CVE-2016-5699
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Additional information:
N/A
Downloads:
SRPMS
- python33-python-3.3.2-18.AXS4.src.rpm
MD5: 761301d43ed76486fceb10aceef7f2ab
SHA-256: 9b21f49e335e98705691ee5a88c0eba68dcd5bf12afcd9405831f90ce09fb788
Size: 11.41 MB
Asianux Server 4 for x86_64
- python33-python-3.3.2-18.AXS4.x86_64.rpm
MD5: 322a6b003380d6ad860575ec66b2a140
SHA-256: 154aebcbf9fe2fdc941b03ddf58a2bec9e3c994225e1ecd87595b1023d08d78c
Size: 42.89 kB
- python33-python-debug-3.3.2-18.AXS4.x86_64.rpm
MD5: c9d6bcd3b66028a5318887b5941e99b6
SHA-256: 25a7aa6906b3b5a8c4909621f44986a08c518f64dc647260ff7c6a9f0cbc86c8
Size: 2.08 MB
- python33-python-devel-3.3.2-18.AXS4.x86_64.rpm
MD5: 3bbaaa8e084f1d20a3e461002d4680f1
SHA-256: dbae6270b43d37c4576a039bd1d8ce2e98607a88bc7fd079abf79f7ee4e61569
Size: 174.47 kB
- python33-python-libs-3.3.2-18.AXS4.x86_64.rpm
MD5: 9b04ed4604daf5470b2cfe726202847a
SHA-256: cea0585300511481e1d461026f565ed68b837a721d8d32cf0d9a8822b7220cd3
Size: 6.24 MB
- python33-python-test-3.3.2-18.AXS4.x86_64.rpm
MD5: 1125fd8a85d6ee0fb9b2ceb8d9714272
SHA-256: 6f9d304531677ba6602d22c88bdfb83904260ac3de738aa8e75aa8421b457ac4
Size: 5.31 MB
- python33-python-tkinter-3.3.2-18.AXS4.x86_64.rpm
MD5: 505a3e5bbe115c1b317f7e997d514eea
SHA-256: 8d80f2a56a5dbe7f654919406f5cde0acc26e85ee5bdf03a678617c440731bab
Size: 339.04 kB
- python33-python-tools-3.3.2-18.AXS4.x86_64.rpm
MD5: 0c4dbdc1cf96c4459faccdb92042289c
SHA-256: 295763af5c6a404b68c007c8f45ec28e43c644d7d095bc6b27d36cc0584448b7
Size: 432.57 kB