Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.CENTOS_RHSA-2016-2586.NASL
HistoryNov 28, 2016 - 12:00 a.m.

CentOS 7 : python (CESA-2016:2586)

2016-11-2800:00:00
This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
74
JSON

An update for python is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es) :

  • A vulnerability was discovered in Python, in the built-in zipimporter. A specially crafted zip file placed in a module path such that it would be loaded by a later ‘import’ statement could cause a heap overflow, leading to arbitrary code execution. (CVE-2016-5636)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2016:2586 and 
# CentOS Errata and Security Advisory 2016:2586 respectively.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(95332);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2016-5636");
  script_xref(name:"RHSA", value:"2016:2586");

  script_name(english:"CentOS 7 : python (CESA-2016:2586)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An update for python is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Low. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link (s) in the References section.

Python is an interpreted, interactive, object-oriented programming
language, which includes modules, classes, exceptions, very high level
dynamic data types and dynamic typing. Python supports interfaces to
many system calls and libraries, as well as to various windowing
systems.

Security Fix(es) :

* A vulnerability was discovered in Python, in the built-in
zipimporter. A specially crafted zip file placed in a module path such
that it would be loaded by a later 'import' statement could cause a
heap overflow, leading to arbitrary code execution. (CVE-2016-5636)

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section."
  );
  # https://lists.centos.org/pipermail/centos-cr-announce/2016-November/003444.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?835bbe7e"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected python packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5636");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-test");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tkinter");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/28");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-debug-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-devel-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-libs-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-test-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-tools-2.7.5-48.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tkinter-2.7.5-48.el7")) flag++;


if (flag)
{
  cr_plugin_caveat = '\n' +
    'NOTE: The security advisory associated with this vulnerability has a\n' +
    'fixed package version that may only be available in the continuous\n' +
    'release (CR) repository for CentOS, until it is present in the next\n' +
    'point release of CentOS.\n\n' +

    'If an equal or higher package level does not exist in the baseline\n' +
    'repository for your major version of CentOS, then updates from the CR\n' +
    'repository will need to be applied in order to address the\n' +
    'vulnerability.\n';
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get() + cr_plugin_caveat
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python / python-debug / python-devel / python-libs / python-test / etc");
}
VendorProductVersionCPE
centoscentospythonp-cpe:/a:centos:centos:python
centoscentospython-debugp-cpe:/a:centos:centos:python-debug
centoscentospython-develp-cpe:/a:centos:centos:python-devel
centoscentospython-libsp-cpe:/a:centos:centos:python-libs
centoscentospython-testp-cpe:/a:centos:centos:python-test
centoscentospython-toolsp-cpe:/a:centos:centos:python-tools
centoscentostkinterp-cpe:/a:centos:centos:tkinter
centoscentos7cpe:/o:centos:centos:7

Related

fedora 8
veracode 1
openvas 31
nessus 33
ubuntucve 1
prion 1
redhat 1
ibm 4
centos 1
freebsd 1
debiancve 1
cve 1
gentoo 1
osv 2
amazon 1
debian 2
mageia 1
oraclelinux 2
cloudfoundry 1
ubuntu 1
suse 1
apple 2
fedora
fedora
[SECURITY] Fedora 24 Update: python3-3.5.1-12.fc24
2016-07-12 20:29:28
[SECURITY] Fedora 24 Update: python3-3.5.1-8.fc24
2016-06-18 19:08:38
[SECURITY] Fedora 23 Update: python3-3.4.3-11.fc23
2016-07-15 10:24:13
veracode
veracode
Integer Overflows
2020-09-21 06:29:36
openvas
openvas
RedHat Update for python RHSA-2016:2586-02
2016-11-04 00:00:00
Fedora Update for python FEDORA-2016-eff21665e7
2016-08-02 00:00:00
Fedora Update for python3 FEDORA-2016-32e5a8c3a8
2016-06-18 00:00:00
nessus
nessus
FreeBSD : Python -- Integer overflow in zipimport module (1d0f6852-33d8-11e6-a671-60a44ce6887b)
2016-06-20 00:00:00
Fedora 23 : python3 (2016-32e5a8c3a8)
2016-07-14 00:00:00
Oracle Linux 7 : python (ELSA-2016-2586)
2016-11-11 00:00:00
ubuntucve
ubuntucve
CVE-2016-5636
2016-09-02 00:00:00
prion
prion
Integer overflow
2016-09-02 14:59:00
redhat
redhat
(RHSA-2016:2586) Low: python security, bug fix, and enhancement update
2016-11-03 06:07:15
ibm
ibm
Security Bulletin: A vulnerability in python affects PowerKVM
2018-06-18 01:34:47
Security Bulletin: OpenSource Python Vulnerablities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-5699, CVE-2016-5636)
2018-06-17 15:39:52
Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in python (CVE-2018-1061 CVE-2018-1060 CVE-2016-5636)
2019-04-15 15:20:02
centos
centos
python, tkinter security update
2016-11-25 15:43:04
freebsd
freebsd
Python -- Integer overflow in zipimport module
2016-01-21 00:00:00
debiancve
debiancve
CVE-2016-5636
2016-09-02 14:59:00
cve
cve
CVE-2016-5636
2016-09-02 14:59:00
gentoo
gentoo
Python: Multiple vulnerabilities
2017-01-10 00:00:00
osv
osv
python2.7 - security update
2016-06-21 00:00:00
python3.4 - security update
2019-02-07 00:00:00
amazon
amazon
Medium: python26, python27, python34
2016-07-20 18:00:00
debian
debian
[SECURITY] [DLA 522-1] python2.7 security update
2016-06-21 20:25:23
[SECURITY] [DLA 1663-1] python3.4 security update
2019-02-07 10:18:09
mageia
mageia
Updated python packages fix security vulnerabilities
2016-06-22 19:36:39
oraclelinux
oraclelinux
python security, bug fix, and enhancement update
2016-11-09 00:00:00
python security and bug fix update
2017-08-07 00:00:00
cloudfoundry
cloudfoundry
USN-3134-1: Python vulnerabilities | Cloud Foundry
2016-12-14 00:00:00
ubuntu
ubuntu
Python vulnerabilities
2016-11-22 00:00:00
suse
suse
Security update for python3 (important)
2020-01-21 00:00:00
apple
apple
About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite - Apple Support
2017-08-29 02:52:03
About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
2017-03-27 00:00:00
JSON
Related for CENTOS_RHSA-2016-2586.NASL
fedora8veracode1openvas31nessus33ubuntucve1prion1redhat1ibm4centos1freebsd1debiancve1cve1gentoo1osv2amazon1debian2mageia1oraclelinux2cloudfoundry1ubuntu1suse1apple2