Updated python & python3 packages fix multiple vulnerabilities
Publication date: 19 Feb 2014
Modification date: 19 Feb 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-1912, CVE-2013-1752
Description
Updated python and python3 packages fix security vulnerabilities:

A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_into() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912).

This updates the python package to version 2.7.6, which fixes several other bugs, including denial of service flaws due to unbounded readline() calls in the ftplib and nntplib modules (CVE-2013-1752).

The python3 package has been patched to fix the CVE-2014-1912 issue.
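For code that may still run on an unpatched interpreter, the following added example (not part of the advisory or of Python itself) wraps socket.recvfrom_into() so that a requested length larger than the destination buffer is rejected before the call, which is the condition described in the upstream report (issue20246). The helper name checked_recvfrom_into, the demo() function and the sample payload are assumptions made for illustration.

```python
import socket


def checked_recvfrom_into(sock, buf, nbytes=0, flags=0):
    """Call sock.recvfrom_into() only when nbytes fits inside buf.

    Hypothetical helper, not part of the socket module. Fixed
    interpreters perform an equivalent check themselves and raise
    ValueError; this enforces it in application code as well.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("destination buffer must be writable")
    size = len(view) * view.itemsize  # buffer size in bytes
    if nbytes < 0:
        raise ValueError("negative nbytes")
    if nbytes == 0:
        nbytes = size  # same default as the socket module: fill the buffer
    if nbytes > size:
        raise ValueError(
            "nbytes (%d) is greater than the buffer length (%d)" % (nbytes, size)
        )
    return sock.recvfrom_into(buf, nbytes, flags)


def demo():
    """Exercise the wrapper over a local socket pair (no network needed)."""
    sender, receiver = socket.socketpair()
    try:
        sender.sendall(b"A" * 32)  # constructed sample payload
        buf = bytearray(16)
        try:
            # Asking for 64 bytes into a 16-byte buffer must be refused.
            checked_recvfrom_into(receiver, buf, 64)
            rejected = False
        except ValueError:
            rejected = True
        # With the default length, at most len(buf) bytes are written.
        count, _addr = checked_recvfrom_into(receiver, buf)
        return rejected, count, bytes(buf)
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print(demo())
```

Installing the updated packages listed under SRPMS remains the fix; the wrapper only keeps an oversized length from reaching the C implementation.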
References
- http://bugs.python.org/issue20246
- http://hg.python.org/cpython/raw-file/99d03261c1ba/Misc/NEWS
- https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128243.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128361.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1046174
- http://openwall.com/lists/oss-security/2013/12/23/10
- https://bugs.mageia.org/show_bug.cgi?id=12127
- https://bugs.mageia.org/show_bug.cgi?id=12772
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
SRPMS
3/core
- python-2.7.6-1.mga3
- python3-3.3.0-4.6.mga3
4/core
- python-2.7.6-1.mga4
- python3-3.3.2-13.1.mga4