Twenty Year Anniversary

Ubuntu Security Notice USN-3134-1

Ubuntu Security Notice USN-3134-1
Posted Nov 22, 2016
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3134-1 - It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. Various other issues were also addressed.

tags | advisory, remote, web, cgi, python
systems | linux, ubuntu
advisories | CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699
MD5 | 0ce8a8b98671640d3e776ca2617dbc64

Ubuntu Security Notice USN-3134-1

Change Mirror Download

===========================================================================
Ubuntu Security Notice USN-3134-1
November 22, 2016

python2.7, python3.2, python3.4, python3.5 vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
- python3.2: An interactive high-level object-oriented language

Details:

It was discovered that the smtplib library in Python did not return an
error when StartTLS fails. A remote attacker could possibly use this to
expose sensitive information. (CVE-2016-0772)

R=E9mi Rampin discovered that Python would not protect CGI applications
=66rom contents of the HTTP_PROXY environment variable when based on
the contents of the Proxy header from HTTP requests. A remote attacker
could possibly use this to cause a CGI application to redirect outgoing
HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in
Python that could lead to a heap-based overflow. An attacker could
use this to craft a special zip file that when read by Python could
possibly execute arbitrary code. (CVE-2016-5636)

Guido Vranken discovered that the urllib modules in Python did
not properly handle carriage return line feed (CRLF) in headers. A
remote attacker could use this to craft URLs that inject arbitrary
HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2016-5699)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libpython2.7 2.7.12-1ubuntu0~16.04.1
libpython2.7-minimal 2.7.12-1ubuntu0~16.04.1
libpython2.7-stdlib 2.7.12-1ubuntu0~16.04.1
libpython3.5 3.5.2-2ubuntu0~16.04.1
libpython3.5-minimal 3.5.2-2ubuntu0~16.04.1
libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.1
python2.7 2.7.12-1ubuntu0~16.04.1
python2.7-minimal 2.7.12-1ubuntu0~16.04.1
python3.5 3.5.2-2ubuntu0~16.04.1
python3.5-minimal 3.5.2-2ubuntu0~16.04.1

Ubuntu 14.04 LTS:
libpython2.7 2.7.6-8ubuntu0.3
libpython2.7-minimal 2.7.6-8ubuntu0.3
libpython2.7-stdlib 2.7.6-8ubuntu0.3
libpython3.4 3.4.3-1ubuntu1~14.04.5
libpython3.4-minimal 3.4.3-1ubuntu1~14.04.5
libpython3.4-stdlib 3.4.3-1ubuntu1~14.04.5
python2.7 2.7.6-8ubuntu0.3
python2.7-minimal 2.7.6-8ubuntu0.3
python3.4 3.4.3-1ubuntu1~14.04.5
python3.4-minimal 3.4.3-1ubuntu1~14.04.5

Ubuntu 12.04 LTS:
libpython2.7 2.7.3-0ubuntu3.9
libpython3.2 3.2.3-0ubuntu3.8
python2.7 2.7.3-0ubuntu3.9
python2.7-minimal 2.7.3-0ubuntu3.9
python3.2 3.2.3-0ubuntu3.8
python3.2-minimal 3.2.3-0ubuntu3.8

After a standard system update you need to restart any Python
applications to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3134-1
CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699

Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.3
https://launchpad.net/ubuntu/+source/python3.4/3.4.3-1ubuntu1~14.04.5
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.9
https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.8


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close