OSV:DLA-25-2

python2.6 - regression update

Published: 2014-07-31 00:00:00
Source: Google osv.dev

CVSS2 score: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

A regression has been identified in the python2.6 update of DLA-25-1,
which may cause python applications to abort if they were running during
the upgrade but they had not already imported the ‘os’ module, and do so
after the upgrade. This update fixes this upgrade scenario.

For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in python2.6. The more
relevant are:

  • CVE-2013-4238
    Incorrect handling of NUL bytes in certificate hostnames may allow
    server spoofing via specially-crafted certificates signed by
    a trusted Certification Authority.
  • CVE-2014-1912
    Buffer overflow in socket.recvfrom_into leading to application
    crash and possibly code execution.

For Debian 6 Squeeze, these issues have been fixed in python2.6 version 2.6.6-8+deb6u2.
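The CVE-2013-4238 item above describes a defect class rather than a single line of code: a hostname taken from a certificate is handled as a C string, so everything after an embedded NUL byte is silently dropped before it is compared with the expected server name. The following is an added example, not code from the DLA-25-2 advisory or from the Python project, that models that behaviour in pure Python beside a hardened matcher which rejects any name containing a NUL byte. The function names, the minimal RFC 6125-style matching rule and the sample hostnames are constructed for the demonstration.

```python
# Added example (not from DLA-25-2 or the Python project): models the
# CVE-2013-4238 defect class, in which a certificate hostname is treated as
# a C string and truncated at the first NUL byte before comparison.


def _matches(pattern: str, hostname: str) -> bool:
    """Minimal RFC 6125-style match (constructed for this example): exact,
    case-insensitive, or a single left-most wildcard label such as
    '*.example.org' matching exactly one label."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]  # e.g. ".example.org"
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and "." + rest == suffix
    return False


def match_hostname_truncating(cert_name: str, hostname: str) -> bool:
    """Vulnerable behaviour: the certificate name is handled like a C string,
    so the comparison only ever sees the bytes before the first NUL."""
    cert_name = cert_name.split("\x00", 1)[0]
    return _matches(cert_name, hostname)


def match_hostname_strict(cert_name: str, hostname: str) -> bool:
    """Hardened behaviour: a NUL byte can never appear in a DNS label, so a
    name that contains one is rejected outright rather than truncated."""
    if "\x00" in cert_name or "\x00" in hostname:
        return False
    return _matches(cert_name, hostname)


# Constructed sample values; no real hosts or certificates are involved.
EXPECTED_HOST = "bank.example"
HONEST_NAME = "bank.example"
NUL_NAME = "bank.example\x00.other.example"  # name with an embedded NUL byte


def demo() -> dict:
    """Compare both matchers on an honest name and on a NUL-bearing name."""
    return {
        "honest_truncating": match_hostname_truncating(HONEST_NAME, EXPECTED_HOST),
        "honest_strict": match_hostname_strict(HONEST_NAME, EXPECTED_HOST),
        "nul_truncating": match_hostname_truncating(NUL_NAME, EXPECTED_HOST),
        "nul_strict": match_hostname_strict(NUL_NAME, EXPECTED_HOST),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the pairing is the `nul_*` results: the truncating matcher reports a match for a name that does not actually equal the expected host, while the strict matcher treats the NUL byte as disqualifying. In a real deployment the same rule applies wherever certificate fields cross from a C string representation into a length-prefixed one: validate the full length, never just the prefix up to the first NUL.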

Affected package (CPE):

  Name       Operator  Version
  python2.6  eq        2.6.6-8
