Exploit the possiblities

Ubuntu Security Notice USN-3134-1

Ubuntu Security Notice USN-3134-1
Posted Nov 22, 2016
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3134-1 - It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. Various other issues were also addressed.

tags | advisory, remote, web, cgi, python
systems | linux, ubuntu
advisories | CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699
MD5 | 0ce8a8b98671640d3e776ca2617dbc64

Ubuntu Security Notice USN-3134-1

Change Mirror Download

===========================================================================
Ubuntu Security Notice USN-3134-1
November 22, 2016

python2.7, python3.2, python3.4, python3.5 vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
- python3.2: An interactive high-level object-oriented language

Details:

It was discovered that the smtplib library in Python did not return an
error when StartTLS fails. A remote attacker could possibly use this to
expose sensitive information. (CVE-2016-0772)

R=E9mi Rampin discovered that Python would not protect CGI applications
=66rom contents of the HTTP_PROXY environment variable when based on
the contents of the Proxy header from HTTP requests. A remote attacker
could possibly use this to cause a CGI application to redirect outgoing
HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in
Python that could lead to a heap-based overflow. An attacker could
use this to craft a special zip file that when read by Python could
possibly execute arbitrary code. (CVE-2016-5636)

Guido Vranken discovered that the urllib modules in Python did
not properly handle carriage return line feed (CRLF) in headers. A
remote attacker could use this to craft URLs that inject arbitrary
HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2016-5699)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libpython2.7 2.7.12-1ubuntu0~16.04.1
libpython2.7-minimal 2.7.12-1ubuntu0~16.04.1
libpython2.7-stdlib 2.7.12-1ubuntu0~16.04.1
libpython3.5 3.5.2-2ubuntu0~16.04.1
libpython3.5-minimal 3.5.2-2ubuntu0~16.04.1
libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.1
python2.7 2.7.12-1ubuntu0~16.04.1
python2.7-minimal 2.7.12-1ubuntu0~16.04.1
python3.5 3.5.2-2ubuntu0~16.04.1
python3.5-minimal 3.5.2-2ubuntu0~16.04.1

Ubuntu 14.04 LTS:
libpython2.7 2.7.6-8ubuntu0.3
libpython2.7-minimal 2.7.6-8ubuntu0.3
libpython2.7-stdlib 2.7.6-8ubuntu0.3
libpython3.4 3.4.3-1ubuntu1~14.04.5
libpython3.4-minimal 3.4.3-1ubuntu1~14.04.5
libpython3.4-stdlib 3.4.3-1ubuntu1~14.04.5
python2.7 2.7.6-8ubuntu0.3
python2.7-minimal 2.7.6-8ubuntu0.3
python3.4 3.4.3-1ubuntu1~14.04.5
python3.4-minimal 3.4.3-1ubuntu1~14.04.5

Ubuntu 12.04 LTS:
libpython2.7 2.7.3-0ubuntu3.9
libpython3.2 3.2.3-0ubuntu3.8
python2.7 2.7.3-0ubuntu3.9
python2.7-minimal 2.7.3-0ubuntu3.9
python3.2 3.2.3-0ubuntu3.8
python3.2-minimal 3.2.3-0ubuntu3.8

After a standard system update you need to restart any Python
applications to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3134-1
CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699

Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.3
https://launchpad.net/ubuntu/+source/python3.4/3.4.3-1ubuntu1~14.04.5
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.9
https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.8


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close