Advisories » MGASA-2016-0296

Updated python3/python packages fix security vulnerability

Publication date: 31 Aug 2016
Modification date: 31 Aug 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1000110

Description

Fix for CVE-2016-1000110 HTTPoxy attack. Many software projects and
vendors have implemented support for the “Proxy” request header in their
respective CGI implementations and languages by creating the “HTTP_PROXY”
environmental variable based on the header value. When this variable is
used (in many cases automatically by various HTTP client libraries) any
outgoing requests generated in turn from the attackers original request
can be redirected to an attacker controlled proxy. This allows attackers
to view potentially sensitive information, reply with malformed data, or
to hold connections open causing a potential denial of service.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19189
• https://bugzilla.redhat.com/show_bug.cgi?id=1359175
• http://lwn.net/Vulnerabilities/697141/
• https://bugs.python.org/issue27568
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110

SRPMS

5/core

• python3-3.4.3-1.5.mga5
• python-2.7.9-2.4.mga5