-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:012 http://www.mandriva.com/security/ _______________________________________________________________________ Package : python Date : January 14, 2008 Affected: Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: An integer overflow flaw was discovered in how python's pcre module handled certain regular expressions. If a python application using the pcre module were to compile and execute untrusted regular expressions, it could possibly lead to an application crash or the excution of arbitrary code with the privileges of the python interpreter (CVE-2006-7228). Multiple integer overflows were found in python's imageop module. If an application written in python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the python interpreter (CVE-2007-4965). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7228 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965 _______________________________________________________________________ Updated Packages: Corporate 3.0: 6c3c9196c69a9590c2337ec47b812512 corporate/3.0/i586/libpython2.3-2.3.3-2.5.C30mdk.i586.rpm 633d4e1b82ffb0bab95dbad17c8658c7 corporate/3.0/i586/libpython2.3-devel-2.3.3-2.5.C30mdk.i586.rpm 2437c3ef65df378ea6b91e18515e31a5 corporate/3.0/i586/python-2.3.3-2.5.C30mdk.i586.rpm 4cbdfcb886ccfea966976a0e8b45eed7 corporate/3.0/i586/python-base-2.3.3-2.5.C30mdk.i586.rpm 2b0da1499ae353820f062b2566964c56 corporate/3.0/i586/python-docs-2.3.3-2.5.C30mdk.i586.rpm 9cfe879d13ca873e5b3f925e01afe738 corporate/3.0/i586/tkinter-2.3.3-2.5.C30mdk.i586.rpm d45b5129aa7e97f4b486a2b54e2b10e0 corporate/3.0/SRPMS/python-2.3.3-2.5.C30mdk.src.rpm Corporate 3.0/X86_64: 58eb34e9829788ee0d0c9a2aca9d9b4d corporate/3.0/x86_64/lib64python2.3-2.3.3-2.5.C30mdk.x86_64.rpm a7c01d1746edbf260c67c982d62ab5f8 corporate/3.0/x86_64/lib64python2.3-devel-2.3.3-2.5.C30mdk.x86_64.rpm e5e3cd26caee40c1a89896b3dd99f183 corporate/3.0/x86_64/python-2.3.3-2.5.C30mdk.x86_64.rpm 250e98c26995e58d5c074b483bc5168b corporate/3.0/x86_64/python-base-2.3.3-2.5.C30mdk.x86_64.rpm d3763c75ed560b944f2900ec27fc3a24 corporate/3.0/x86_64/python-docs-2.3.3-2.5.C30mdk.x86_64.rpm aefa7c0274efa2d0c4d546b88940f7d0 corporate/3.0/x86_64/tkinter-2.3.3-2.5.C30mdk.x86_64.rpm d45b5129aa7e97f4b486a2b54e2b10e0 corporate/3.0/SRPMS/python-2.3.3-2.5.C30mdk.src.rpm Multi Network Firewall 2.0: f431a6aadd0f4e952c4b0515bbd21d9e mnf/2.0/i586/libpython2.3-2.3.3-2.5.M20mdk.i586.rpm ed3b1c628b9165e1562e56b91c8762b2 mnf/2.0/i586/libpython2.3-devel-2.3.3-2.5.M20mdk.i586.rpm fa2bc6f689c780f406a5eb7a035d3d51 mnf/2.0/i586/python-2.3.3-2.5.M20mdk.i586.rpm a6a3082c9a938ae17ac55a90e1f34159 mnf/2.0/i586/python-base-2.3.3-2.5.M20mdk.i586.rpm aa492f1068bdaeaa07450844a36e53f0 mnf/2.0/i586/python-docs-2.3.3-2.5.M20mdk.i586.rpm 69e1686a9dcc20bd77e2925b2fc9f4ca mnf/2.0/i586/tkinter-2.3.3-2.5.M20mdk.i586.rpm b4f010845985ce30fd8eef89d348f61f mnf/2.0/SRPMS/python-2.3.3-2.5.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) iD8DBQFHi79lmqjQ0CJFipgRAubYAKCZBEYNbwsnhywcAm7zAiQL61MyvQCg1DOd Xr5C7PIEgYrp28fE1yD4TzE= =tyfR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/