Mandriva Linux Security Advisory 2014-135 - Updated python and python-simplejson packages fix security vulnerability. Python is susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access. This issue also affected the python-simplejson package, which has been patched to fix the bug.
2e1ca44b3c7d0495fc892ad6c604a6c8751d93020484cf8a66712eb8e88b1b55-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:135
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : python
Date : July 10, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated python and python-simplejson package fixes security
vulnerability
Python are susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient
bounds checking. The bug is caused by allowing the user to supply a
negative value that is used an an array index, causing the scanstring
function to access process memory outside of the string it is intended
to access (CVE-2014-4616).
This issue also affected the python-simplejson package, which has
been patched to fix the bug.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
http://advisories.mageia.org/MGASA-2014-0285.html
http://advisories.mageia.org/MGASA-2014-0286.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
d9dc3e344912fe13ca0abaac75f1a2bc mbs1/x86_64/lib64python2.7-2.7.3-4.7.mbs1.x86_64.rpm
d95379dfaf5a4c1c4b866b1ed4508cc6 mbs1/x86_64/lib64python-devel-2.7.3-4.7.mbs1.x86_64.rpm
9afec1ffb70517b2d0ee7e7000f71db4 mbs1/x86_64/python-2.7.3-4.7.mbs1.x86_64.rpm
6f4db8fc759094286f4c2f091e3c836a mbs1/x86_64/python-docs-2.7.3-4.7.mbs1.noarch.rpm
47ac5e01908c8e338c5c57ea8b289f0a mbs1/x86_64/python-simplejson-2.3.3-2.1.mbs1.x86_64.rpm
6220ae202c1e8a36ee0247dbd6c562b0 mbs1/x86_64/tkinter-2.7.3-4.7.mbs1.x86_64.rpm
190dd1f702c49cec2f19dc318194f5c8 mbs1/x86_64/tkinter-apps-2.7.3-4.7.mbs1.x86_64.rpm
170ddde5f118f76a595ff5c7956cd9b0 mbs1/SRPMS/python-2.7.3-4.7.mbs1.src.rpm
572c8374b57cfc16727897b8a959222d mbs1/SRPMS/python-simplejson-2.3.3-2.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTvlq+mqjQ0CJFipgRAqnRAJ4vUdls4eD724SAhy9DNCANAi7GuQCeNJsv
ROlYsAiuq+ZaadCvfp+5yWw=
=CMcx
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed