ID RHSA-2014:1690 Type redhat Reporter RedHat Modified 2018-06-07T02:47:44
Description
The python-backports-ssl_match_hostname package provides RFC 6125 compliant
wildcard matching.
A denial of service flaw was found in the way Python's SSL module
implementation performed matching of certain certificate names. A remote
attacker able to obtain a valid certificate that contained multiple
wildcard characters could use this flaw to issue a request to validate such
a certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)
This issue was discovered by Florian Weimer of Red Hat Product Security.
All python-backports-ssl_match_hostname users are advised to upgrade to
this updated package, which contains a backported patch to correct this
issue.
{"id": "RHSA-2014:1690", "hash": "6ec38ef239dc123b95edbafb340e87ab", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2014:1690) Low: python-backports-ssl_match_hostname security update", "description": "The python-backports-ssl_match_hostname package provides RFC 6125 compliant\nwildcard matching.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A remote\nattacker able to obtain a valid certificate that contained multiple\nwildcard characters could use this flaw to issue a request to validate such\na certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll python-backports-ssl_match_hostname users are advised to upgrade to\nthis updated package, which contains a backported patch to correct this\nissue.\n", "published": "2014-10-22T04:00:00", "modified": "2018-06-07T02:47:44", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:1690", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2013-2099"], "lastseen": "2018-12-11T19:40:41", "history": [{"bulletin": {"id": "RHSA-2014:1690", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2014:1690) Low: python-backports-ssl_match_hostname security update", "description": "The python-backports-ssl_match_hostname package provides RFC 6125 compliant\nwildcard matching.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A remote\nattacker able to obtain a valid certificate that contained multiple\nwildcard characters could use this flaw to issue a request to validate such\na certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll python-backports-ssl_match_hostname users are advised to upgrade to\nthis updated package, which contains a backported patch to correct this\nissue.\n", "published": "2014-10-22T04:00:00", "modified": "2017-03-03T16:13:10", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:1690", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2013-2099"], "lastseen": "2017-03-03T19:18:29", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"arch": "src", "packageFilename": "python-backports-ssl_match_hostname-3.4.0.2-1.el6.src.rpm", "OSVersion": "6", "packageName": "python-backports-ssl_match_hostname", "OS": "RedHat", "packageVersion": "3.4.0.2-1.el6", "operator": "lt"}, {"arch": "noarch", "packageFilename": "python-backports-ssl_match_hostname-3.4.0.2-1.el6.noarch.rpm", "OSVersion": "6", "packageName": "python-backports-ssl_match_hostname", "OS": "RedHat", "packageVersion": "3.4.0.2-1.el6", "operator": "lt"}]}, "lastseen": "2017-03-03T19:18:29", "differentElements": ["modified"], "edition": 1}, {"bulletin": {"id": "RHSA-2014:1690", "hash": "4ae12b732c764e087e7c8a6e8361ac07", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2014:1690) Low: python-backports-ssl_match_hostname security update", "description": "The python-backports-ssl_match_hostname package provides RFC 6125 compliant\nwildcard matching.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A remote\nattacker able to obtain a valid certificate that contained multiple\nwildcard characters could use this flaw to issue a request to validate such\na certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product Security.\n\nAll python-backports-ssl_match_hostname users are advised to upgrade to\nthis updated package, which contains a backported patch to correct this\nissue.\n", "published": "2014-10-22T04:00:00", "modified": "2018-06-07T02:47:44", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2014:1690", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2013-2099"], "lastseen": "2018-06-06T23:50:01", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "python-backports-ssl_match_hostname", "packageVersion": "3.4.0.2-1.el6", "packageFilename": "python-backports-ssl_match_hostname-3.4.0.2-1.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "src", "packageName": "python-backports-ssl_match_hostname", "packageVersion": "3.4.0.2-1.el6", "packageFilename": "python-backports-ssl_match_hostname-3.4.0.2-1.el6.src.rpm", "operator": "lt"}]}, "lastseen": "2018-06-06T23:50:01", "differentElements": ["affectedPackage"], "edition": 2}], "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-2099"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29809", "SECURITYVULNS:VULN:13283"]}, {"type": "nessus", "idList": ["FEDORA_2013-9628.NASL", "FEDORA_2013-12414.NASL", "FEDORA_2013-13140.NASL", "ALA_ALAS-2015-521.NASL", "MANDRIVA_MDVSA-2013-229.NASL", "REDHAT-RHSA-2015-0042.NASL", "FEDORA_2014-16390.NASL", "FEDORA_2013-9620.NASL", "FEDORA_2013-12396.NASL", "FEDORA_2013-13213.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120059", "OPENVAS:865686", "OPENVAS:1361412562310866701", "OPENVAS:1361412562310807261", "OPENVAS:1361412562310841589", "OPENVAS:1361412562310868619", "OPENVAS:1361412562310865686", "OPENVAS:866065", "OPENVAS:841571", "OPENVAS:1361412562310807259"]}, {"type": "redhat", "idList": ["RHSA-2015:0042", "RHSA-2014:1263", "RHSA-2016:1166"]}, {"type": "amazon", "idList": ["ALAS-2015-521"]}, {"type": "ubuntu", "idList": ["USN-1984-1", "USN-1985-1", "USN-1983-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1107-1:992AA"]}, {"type": "gentoo", "idList": ["GLSA-201401-04"]}], "modified": "2018-12-11T19:40:41"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "python-backports-ssl_match_hostname", "packageVersion": "3.4.0.2-1.el6", "packageFilename": "python-backports-ssl_match_hostname-3.4.0.2-1.el6.noarch.rpm", "operator": "lt"}], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"]}
{"cve": [{"lastseen": "2016-09-03T18:18:30", "bulletinFamily": "NVD", "description": "Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.", "modified": "2016-06-08T21:59:01", "published": "2013-10-09T10:53:20", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2099", "id": "CVE-2013-2099", "title": "CVE-2013-2099", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:16:22", "bulletinFamily": "scanner", "description": "- Fixes CVE-2013-2099, maliciously crafted SSL certificate\n can cause a denial of service.\n\n - Builds the C extensions from the Cython source instead\n of the pregenerated C files.\n\n - Build without strict-aliasing on Fedora versions which\n have a bug in the python distutils module.\n\n - Install the localization files\n\n - (F17-only) Update from upstream 2.5.0 to 2.5.1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-05T00:00:00", "published": "2013-07-12T00:00:00", "id": "FEDORA_2013-9628.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67371", "title": "Fedora 17 : bzr-2.5.1-11.fc17 (2013-9628)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-9628.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67371);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/05 20:31:21\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_bugtraq_id(59877, 60197);\n script_xref(name:\"FEDORA\", value:\"2013-9628\");\n\n script_name(english:\"Fedora 17 : bzr-2.5.1-11.fc17 (2013-9628)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fixes CVE-2013-2099, maliciously crafted SSL certificate\n can cause a denial of service.\n\n - Builds the C extensions from the Cython source instead\n of the pregenerated C files.\n\n - Build without strict-aliasing on Fedora versions which\n have a bug in the python distutils module.\n\n - Install the localization files\n\n - (F17-only) Update from upstream 2.5.0 to 2.5.1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=963260\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107959.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?359d5337\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bzr package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bzr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"bzr-2.5.1-11.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzr\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:20:29", "bulletinFamily": "scanner", "description": "- Add patch to fix CVE-2013-2098 CVE-2013-2099 (bug\n #96627)\n\n - Drop requires python-simplejson, not needed for modern\n python\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-10-19T00:00:00", "published": "2014-12-22T00:00:00", "id": "FEDORA_2014-16477.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80134", "title": "Fedora 19 : python-tornado-2.2.1-7.fc19 (2014-16477)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-16477.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80134);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:23:30 $\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"FEDORA\", value:\"2014-16477\");\n\n script_name(english:\"Fedora 19 : python-tornado-2.2.1-7.fc19 (2014-16477)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Add patch to fix CVE-2013-2098 CVE-2013-2099 (bug\n #96627)\n\n - Drop requires python-simplejson, not needed for modern\n python\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=963260\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146406.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c52b2564\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-tornado package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-tornado\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"python-tornado-2.2.1-7.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-tornado\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:16:56", "bulletinFamily": "scanner", "description": "Enhancements :\n\n - upstream now ships an experimental OCaml front-end, this\n is not yet enabled\n\n - Add fish-shell command completion\n\n - Allow relative files in <archive> and <file> for local\n feeds. This makes it easy to test feeds before passing\n them to 0repo.\n\nBug fixes :\n\n - Better handling of default=' in <environment> bindings.\n This now specifies that the default should be ',\n overriding any system default.\n\n - Fixed --refresh with 'download' and 'run' for apps.\n\n - Updated ssl_match_hostname based on latest bug-fixes.\n This fix is intended to fix a denial-of-service\n attack, which doesn't really matter to 0install, but\n we might as well have the latest version.\n CVE-2013-2099\n\n - Better error when the <rename> source does not exist.\n\n - Allow selecting local archives even in offline mode.\n\n - Support the use of the system store with recipes. This\n is especially important now that we treat all\n downloads as recipes!\n\n - Removed old zeroinstall-add.desktop file.\n\nChanges for APIs we depend on\n\n - Cope with more PyGObject API changes. Based on patch in\n http://twistedmatrix.com/trac/ticket/6369\n\n - Keep gobject and glib separate. Sometimes we need GLib,\n sometimes we need GObject.\n\n - Updates to avoid PyGIDeprecationWarning.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-11-20T00:00:00", "published": "2013-07-15T00:00:00", "id": "FEDORA_2013-12421.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68887", "title": "Fedora 17 : zeroinstall-injector-2.3-1.fc17 (2013-12421)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-12421.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68887);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"FEDORA\", value:\"2013-12421\");\n\n script_name(english:\"Fedora 17 : zeroinstall-injector-2.3-1.fc17 (2013-12421)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Enhancements :\n\n - upstream now ships an experimental OCaml front-end, this\n is not yet enabled\n\n - Add fish-shell command completion\n\n - Allow relative files in <archive> and <file> for local\n feeds. This makes it easy to test feeds before passing\n them to 0repo.\n\nBug fixes :\n\n - Better handling of default=' in <environment> bindings.\n This now specifies that the default should be ',\n overriding any system default.\n\n - Fixed --refresh with 'download' and 'run' for apps.\n\n - Updated ssl_match_hostname based on latest bug-fixes.\n This fix is intended to fix a denial-of-service\n attack, which doesn't really matter to 0install, but\n we might as well have the latest version.\n CVE-2013-2099\n\n - Better error when the <rename> source does not exist.\n\n - Allow selecting local archives even in offline mode.\n\n - Support the use of the system store with recipes. This\n is especially important now that we treat all\n downloads as recipes!\n\n - Removed old zeroinstall-add.desktop file.\n\nChanges for APIs we depend on\n\n - Cope with more PyGObject API changes. Based on patch in\n http://twistedmatrix.com/trac/ticket/6369\n\n - Keep gobject and glib separate. Sometimes we need GLib,\n sometimes we need GObject.\n\n - Updates to avoid PyGIDeprecationWarning.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://twistedmatrix.com/trac/ticket/6369\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://twistedmatrix.com/trac/ticket/6369\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=958834\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=966273\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=966274\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111600.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af358f7b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zeroinstall-injector package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zeroinstall-injector\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"zeroinstall-injector-2.3-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zeroinstall-injector\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:21:26", "bulletinFamily": "scanner", "description": "A denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A\nremote attacker able to obtain a valid certificate that contained\nmultiple wildcard characters could use this flaw to issue a request to\nvalidate such a certificate, resulting in excessive consumption of\nCPU.", "modified": "2018-04-18T00:00:00", "published": "2015-05-07T00:00:00", "id": "ALA_ALAS-2015-521.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=83272", "title": "Amazon Linux AMI : python-tornado (ALAS-2015-521)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2015-521.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83272);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"ALAS\", value:\"2015-521\");\n\n script_name(english:\"Amazon Linux AMI : python-tornado (ALAS-2015-521)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A\nremote attacker able to obtain a valid certificate that contained\nmultiple wildcard characters could use this flaw to issue a request to\nvalidate such a certificate, resulting in excessive consumption of\nCPU.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2015-521.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update python-tornado' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python26-tornado\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python26-tornado-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-tornado\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python27-tornado-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"python26-tornado-2.2.1-7.7.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python26-tornado-doc-2.2.1-7.7.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-tornado-2.2.1-7.7.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"python27-tornado-doc-2.2.1-7.7.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python26-tornado / python26-tornado-doc / python27-tornado / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:17:12", "bulletinFamily": "scanner", "description": "Updated bzr packages fix security vulnerabilities :\n\nA denial of service flaw was found in the way SSL module\nimplementation of Python 3 performed matching of the certificate's\nname in the case it contained many '*' wildcard characters. A remote\nattacker, able to obtain valid certificate with its name containing a\nlot of '*' wildcard characters could use this flaw to cause denial of\nservice (excessive CPU consumption) by issuing request to validate\nsuch a certificate for / to an application using the Python's\nssl.match_hostname() functionality (CVE-2013-2099).", "modified": "2019-01-02T00:00:00", "published": "2013-09-11T00:00:00", "id": "MANDRIVA_MDVSA-2013-229.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69842", "title": "Mandriva Linux Security Advisory : bzr (MDVSA-2013:229)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:229. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69842);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/01/02 16:37:54\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_bugtraq_id(59877);\n script_xref(name:\"MDVSA\", value:\"2013:229\");\n\n script_name(english:\"Mandriva Linux Security Advisory : bzr (MDVSA-2013:229)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated bzr packages fix security vulnerabilities :\n\nA denial of service flaw was found in the way SSL module\nimplementation of Python 3 performed matching of the certificate's\nname in the case it contained many '*' wildcard characters. A remote\nattacker, able to obtain valid certificate with its name containing a\nlot of '*' wildcard characters could use this flaw to cause denial of\nservice (excessive CPU consumption) by issuing request to validate\nsuch a certificate for / to an application using the Python's\nssl.match_hostname() functionality (CVE-2013-2099).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2013-0252.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bzr package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:bzr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"bzr-2.5.1-4.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:17:00", "bulletinFamily": "scanner", "description": "Fix potential DOS with specially crafted malicious SSL certs. Backing\nout rename of pip binary to fix #958377 and updating package summary\nto match upstream's description. Backing out rename of pip binary to\nfix #958377 and updating package summary to match upstream's\ndescription.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-10-19T00:00:00", "published": "2013-07-26T00:00:00", "id": "FEDORA_2013-13140.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69062", "title": "Fedora 18 : python-pip-1.3.1-4.fc18 (2013-13140)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-13140.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69062);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:12:40 $\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"FEDORA\", value:\"2013-13140\");\n\n script_name(english:\"Fedora 18 : python-pip-1.3.1-4.fc18 (2013-13140)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix potential DOS with specially crafted malicious SSL certs. Backing\nout rename of pip binary to fix #958377 and updating package summary\nto match upstream's description. Backing out rename of pip binary to\nfix #958377 and updating package summary to match upstream's\ndescription.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=963260\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112579.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dc36b100\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-pip package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-pip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"python-pip-1.3.1-4.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-pip\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:16:56", "bulletinFamily": "scanner", "description": "Enhancements :\n\n - upstream now ships an experimental OCaml front-end, this\n is not yet enabled\n\n - Add fish-shell command completion\n\n - Allow relative files in <archive> and <file> for local\n feeds. This makes it easy to test feeds before passing\n them to 0repo.\n\nBug fixes :\n\n - Better handling of default=' in <environment> bindings.\n This now specifies that the default should be ',\n overriding any system default.\n\n - Fixed --refresh with 'download' and 'run' for apps.\n\n - Updated ssl_match_hostname based on latest bug-fixes.\n This fix is intended to fix a denial-of-service\n attack, which doesn't really matter to 0install, but\n we might as well have the latest version.\n CVE-2013-2099\n\n - Better error when the <rename> source does not exist.\n\n - Allow selecting local archives even in offline mode.\n\n - Support the use of the system store with recipes. This\n is especially important now that we treat all\n downloads as recipes!\n\n - Removed old zeroinstall-add.desktop file.\n\nChanges for APIs we depend on\n\n - Cope with more PyGObject API changes. Based on patch in\n http://twistedmatrix.com/trac/ticket/6369\n\n - Keep gobject and glib separate. Sometimes we need GLib,\n sometimes we need GObject.\n\n - Updates to avoid PyGIDeprecationWarning.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-11-20T00:00:00", "published": "2013-07-15T00:00:00", "id": "FEDORA_2013-12414.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68886", "title": "Fedora 19 : zeroinstall-injector-2.3-1.fc19 (2013-12414)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-12414.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68886);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"FEDORA\", value:\"2013-12414\");\n\n script_name(english:\"Fedora 19 : zeroinstall-injector-2.3-1.fc19 (2013-12414)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Enhancements :\n\n - upstream now ships an experimental OCaml front-end, this\n is not yet enabled\n\n - Add fish-shell command completion\n\n - Allow relative files in <archive> and <file> for local\n feeds. This makes it easy to test feeds before passing\n them to 0repo.\n\nBug fixes :\n\n - Better handling of default=' in <environment> bindings.\n This now specifies that the default should be ',\n overriding any system default.\n\n - Fixed --refresh with 'download' and 'run' for apps.\n\n - Updated ssl_match_hostname based on latest bug-fixes.\n This fix is intended to fix a denial-of-service\n attack, which doesn't really matter to 0install, but\n we might as well have the latest version.\n CVE-2013-2099\n\n - Better error when the <rename> source does not exist.\n\n - Allow selecting local archives even in offline mode.\n\n - Support the use of the system store with recipes. This\n is especially important now that we treat all\n downloads as recipes!\n\n - Removed old zeroinstall-add.desktop file.\n\nChanges for APIs we depend on\n\n - Cope with more PyGObject API changes. Based on patch in\n http://twistedmatrix.com/trac/ticket/6369\n\n - Keep gobject and glib separate. Sometimes we need GLib,\n sometimes we need GObject.\n\n - Updates to avoid PyGIDeprecationWarning.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://twistedmatrix.com/trac/ticket/6369\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://twistedmatrix.com/trac/ticket/6369\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=958834\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=966273\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=966274\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-July/111607.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?20cd3c5f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected zeroinstall-injector package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:zeroinstall-injector\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"zeroinstall-injector-2.3-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"zeroinstall-injector\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:17:00", "bulletinFamily": "scanner", "description": "Fix potential DOS with specially crafted malicious SSL certs. Backing\nout rename of pip binary to fix #958377 and updating package summary\nto match upstream's description. Backing out rename of pip binary to\nfix #958377 and updating package summary to match upstream's\ndescription.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2015-10-19T00:00:00", "published": "2013-07-26T00:00:00", "id": "FEDORA_2013-13213.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69063", "title": "Fedora 17 : python-pip-1.3.1-4.fc17 (2013-13213)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-13213.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69063);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:12:40 $\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_xref(name:\"FEDORA\", value:\"2013-13213\");\n\n script_name(english:\"Fedora 17 : python-pip-1.3.1-4.fc17 (2013-13213)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix potential DOS with specially crafted malicious SSL certs. Backing\nout rename of pip binary to fix #958377 and updating package summary\nto match upstream's description. Backing out rename of pip binary to\nfix #958377 and updating package summary to match upstream's\ndescription.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=963260\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112590.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74a3b6bc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-pip package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-pip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"python-pip-1.3.1-4.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-pip\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:16:22", "bulletinFamily": "scanner", "description": "- Fixes CVE-2013-2099, maliciously crafted SSL certificate\n can cause a denial of service.\n\n - Builds the C extensions from the Cython source instead\n of the pregenerated C files.\n\n - Build without strict-aliasing on Fedora versions which\n have a bug in the python distutils module.\n\n - Install the localization files\n\n - (F17-only) Update from upstream 2.5.0 to 2.5.1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-05T00:00:00", "published": "2013-07-12T00:00:00", "id": "FEDORA_2013-9620.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67369", "title": "Fedora 18 : bzr-2.5.1-11.fc18 (2013-9620)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-9620.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67369);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/05 20:31:21\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_bugtraq_id(59877, 60197);\n script_xref(name:\"FEDORA\", value:\"2013-9620\");\n\n script_name(english:\"Fedora 18 : bzr-2.5.1-11.fc18 (2013-9620)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fixes CVE-2013-2099, maliciously crafted SSL certificate\n can cause a denial of service.\n\n - Builds the C extensions from the Cython source instead\n of the pregenerated C files.\n\n - Build without strict-aliasing on Fedora versions which\n have a bug in the python distutils module.\n\n - Install the localization files\n\n - (F17-only) Update from upstream 2.5.0 to 2.5.1\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=963260\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2755575e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected bzr package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:bzr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"bzr-2.5.1-11.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bzr\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:20:35", "bulletinFamily": "scanner", "description": "Updated cloud-init packages that fix one security issue, several bugs,\nand add various enhancements are now available for Red Hat Common for\nRed Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Low security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in\nthe References section.\n\nThe cloud-init packages provide a set of init scripts for cloud\ninstances. Cloud instances need special scripts to run during\ninitialization to retrieve and install ssh keys and to let the user\nrun various scripts.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A\nremote attacker able to obtain a valid certificate that contained\nmultiple wildcard characters could use this flaw to issue a request to\nvalidate such a certificate, resulting in excessive consumption of\nCPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThe cloud-init packages have been upgraded to upstream version 0.7.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#1111709, BZ#1119334)\n\nAll cloud-init users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.", "modified": "2018-11-10T00:00:00", "published": "2015-01-14T00:00:00", "id": "REDHAT-RHSA-2015-0042.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80506", "title": "RHEL 6 : cloud-init (RHSA-2015:0042)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0042. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80506);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2013-2099\");\n script_bugtraq_id(59877);\n script_xref(name:\"RHSA\", value:\"2015:0042\");\n\n script_name(english:\"RHEL 6 : cloud-init (RHSA-2015:0042)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cloud-init packages that fix one security issue, several bugs,\nand add various enhancements are now available for Red Hat Common for\nRed Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Low security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in\nthe References section.\n\nThe cloud-init packages provide a set of init scripts for cloud\ninstances. Cloud instances need special scripts to run during\ninitialization to retrieve and install ssh keys and to let the user\nrun various scripts.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A\nremote attacker able to obtain a valid certificate that contained\nmultiple wildcard characters could use this flaw to issue a request to\nvalidate such a certificate, resulting in excessive consumption of\nCPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product\nSecurity.\n\nThe cloud-init packages have been upgraded to upstream version 0.7.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#1111709, BZ#1119334)\n\nAll cloud-init users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0042\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2099\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cloud-init\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-backports\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-backports-ssl_match_hostname\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-boto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-jsonpatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-jsonpointer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-six\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-urllib3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0042\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cloud-init-0.7.5-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cloud-init-0.7.5-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-backports-1.0-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-backports-1.0-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-backports-1.0-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-backports-ssl_match_hostname-3.4.0.2-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-boto-2.25.0-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-jsonpatch-1.2-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-jsonpointer-1.0-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-six-1.6.1-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"python-urllib3-1.5-5.1.2.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cloud-init / python-backports / python-backports-ssl_match_hostname / etc\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2013:229\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : bzr\r\n Date : September 10, 2013\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated bzr packages fix security vulnerabilities:\r\n \r\n A denial of service flaw was found in the way SSL module implementation\r\n of Python 3 performed matching of the certificate's name in the case\r\n it contained many '*' wildcard characters. A remote attacker, able to\r\n obtain valid certificate with its name containing a lot of '*' wildcard\r\n characters could use this flaw to cause denial of service (excessive\r\n CPU consumption) by issuing request to validate such a certificate\r\n for / to an application using the Python's ssl.match_hostname()\r\n functionality (CVE-2013-2099).\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099\r\n http://advisories.mageia.org/MGASA-2013-0252.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 563a17f7f5cb219760291c5266f2af4e mbs1/x86_64/bzr-2.5.1-4.1.mbs1.x86_64.rpm \r\n 7503fdbb4f4fb3eb5d2ecc1e72676390 mbs1/SRPMS/bzr-2.5.1-4.1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFSLt8umqjQ0CJFipgRAnhqAJ9CrVGqwnpYXyI7sEJir+7RO5I+kACg8G4n\r\nJy+yOzVgUFV4VpXnnRIsOWo=\r\n=cEfT\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2013-09-11T00:00:00", "published": "2013-09-11T00:00:00", "id": "SECURITYVULNS:DOC:29809", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29809", "title": "[ MDVSA-2013:229 ] bzr", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "description": "SSL certificates parsing DoS, protection bypass.", "modified": "2013-09-11T00:00:00", "published": "2013-09-11T00:00:00", "id": "SECURITYVULNS:VULN:13283", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13283", "title": "python libraries security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T19:42:42", "bulletinFamily": "unix", "description": "Red Hat Storage is software-only, scale-out storage that provides flexible\nand affordable unstructured data storage for an enterprise. GlusterFS, a\nkey building block of Red Hat Storage, is based on a stackable user-space\ndesign and can deliver exceptional performance for diverse workloads.\nGlusterFS aggregates various storage servers over network interconnections\ninto one large, parallel network file system.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A remote\nattacker able to obtain a valid certificate that contained multiple\nwildcard characters could use this flaw to issue a request to validate such\na certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product Security.\n\nThis update also fixes several bugs and adds an enhancement. Space\nprecludes documenting all of these changes in this advisory. Users are\ndirected to the Red Hat Storage 2.1 Technical Notes, linked to in the\nReferences section, for information on the most significant of these\nchanges.\n\nWith this update, a migration script 'migrate-rhs-classic-to-rhsm', that\napplies to both Red Hat Storage Server and Red Hat Storage Console is\nprovided, that enables you to have the system prepared for upgrade from the\nlatest release of RHS 2.x to RHS 3.0. From the Red Hat Storage 3.0 release\nonwards, there will be a significant change made in the subscription and\ndelivery mechanism from the previous Red Hat Network Classic to the new Red\nHat Subscription Manager, and this script assists in the smooth migration.\n\nUsers of Red Hat Storage are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\n\nNote: After upgrading, it is recommend that you refer to the Knowledge Base\narticles linked to in the References section which outlines an issue with\nrebalance and file creation error that has been identified by Red Hat.\nThis issue will be fixed by a subsequent update.\n", "modified": "2018-06-07T09:00:46", "published": "2014-09-18T04:00:00", "id": "RHSA-2014:1263", "href": "https://access.redhat.com/errata/RHSA-2014:1263", "type": "redhat", "title": "(RHSA-2014:1263) Low: Red Hat Storage 2.1 security, bug fix, and enhancement update", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:43:05", "bulletinFamily": "unix", "description": "The cloud-init packages provide a set of init scripts for cloud instances.\nCloud instances need special scripts to run during initialization to\nretrieve and install ssh keys and to let the user run various scripts.\n\nA denial of service flaw was found in the way Python's SSL module\nimplementation performed matching of certain certificate names. A remote\nattacker able to obtain a valid certificate that contained multiple\nwildcard characters could use this flaw to issue a request to validate such\na certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThis issue was discovered by Florian Weimer of Red Hat Product Security.\n\nThe cloud-init packages have been upgraded to upstream version 0.7.5, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1111709, BZ#1119334)\n\nAll cloud-init users are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.", "modified": "2018-06-07T09:03:10", "published": "2015-01-13T22:52:12", "id": "RHSA-2015:0042", "href": "https://access.redhat.com/errata/RHSA-2015:0042", "type": "redhat", "title": "(RHSA-2015:0042) Low: cloud-init security, bug fix, and enhancement update", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-12-11T21:42:35", "bulletinFamily": "unix", "description": "Python is an interpreted, interactive, object-oriented programming language that supports modules, classes, exceptions, high-level dynamic data types, and dynamic typing. The python27 packages provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL.\n\nSecurity Fix(es):\n\nThe following fix was applied to the python component:\n\n* The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1311044, BZ#1319774)\n\nThe following fix was applied to the python-pymongo component:\n\n* A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. (CVE-2013-2099)\n\nThe following fix was applied to the python-pymongo and python-virtualenv components:\n\n* Multiple flaws were found in the way Python's SSL module performed matching of certificate names containing wildcards. A remote attacker able to obtain a valid certificate that contained certain names with wildcards could have them incorrectly accepted by Python SSL clients, not following the RFC 6125 recommendations. (CVE-2013-7440)\n\nThe CVE-2013-2099 issue was discovered by Florian Weimer (Red Hat Product Security).\n\nBug Fix(es) and Enhancement(s):\n\nThe python27 Software\u00a0Collection has been updated to a later version, which provides a number of bug fixes and enhancements over the previous version. Among others: \n\n* The python27-PyYAML package has been added, which contains a Python YAML module. PyYAML is a YAML parser and emitter for Python; it is applicable for a broad range of tasks from complex configuration files to object serialization and persistance. \n\n* Network security enhancements, described in the Python Enhancent Proposal 466, have been backported to the Python standard library. The security enhancements include, for example, new features in the ssl module, such as support for Server Name Indication (SNI) as well as support for new TLSv1.x protocols, new hash algorithms in the hashlib module, and much more. \n\n* The python27-python-pip package has been upgraded to version 7.1.0. \n\n* The python27-python-virtualenv package has been upgraded to verion 13.1.0. \n\n* The python27-python-pymongo package has been upgraded to version 3.2.1. \n\n(BZ#1301481, BZ#1297784, BZ#1111464, BZ#1319774)", "modified": "2018-06-13T01:28:25", "published": "2016-05-31T12:06:04", "id": "RHSA-2016:1166", "href": "https://access.redhat.com/errata/RHSA-2016:1166", "type": "redhat", "title": "(RHSA-2016:1166) Moderate: python27 security, bug fix, and enhancement update", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-10-02T14:29:59", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120059", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120059", "title": "Amazon Linux Local Check: ALAS-2015-521", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-521.nasl 6600 2017-07-07 09:58:31Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120059\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:16:29 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2015-521\");\n script_tag(name:\"insight\", value:\"A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.\");\n script_tag(name:\"solution\", value:\"Run yum update python-tornado to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-521.html\");\n script_cve_id(\"CVE-2013-2099\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"python27-tornado\", rpm:\"python27-tornado~2.2.1~7.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"python26-tornado\", rpm:\"python26-tornado~2.2.1~7.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"python27-tornado-doc\", rpm:\"python27-tornado-doc~2.2.1~7.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"python26-tornado-doc\", rpm:\"python26-tornado-doc~2.2.1~7.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"python-tornado\", rpm:\"python-tornado~2.2.1~7.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-19T13:04:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2013-10-03T00:00:00", "id": "OPENVAS:1361412562310841589", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841589", "title": "Ubuntu Update for python2.7 USN-1983-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1983_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# Ubuntu Update for python2.7 USN-1983-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841589\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-03 10:21:50 +0530 (Thu, 03 Oct 2013)\");\n script_cve_id(\"CVE-2013-2099\", \"CVE-2013-4238\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Ubuntu Update for python2.7 USN-1983-1\");\n\n\n script_tag(name:\"affected\", value:\"python2.7 on Ubuntu 13.04,\n Ubuntu 12.10,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Florian Weimer discovered that Python incorrectly handled matching multiple\nwildcards in ssl certificate hostnames. An attacker could exploit this to\ncause Python to consume resources, resulting in a denial of service. This\nissue only affected Ubuntu 13.04. (CVE-2013-2099)\n\nRyan Sleevi discovered that Python did not properly handle certificates\nwith NULL characters in the Subject Alternative Name field. An attacker\ncould exploit this to perform a man in the middle attack to view sensitive\ninformation or alter encrypted communications. (CVE-2013-4238)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"1983-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1983-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python2.7'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|12\\.10|13\\.04)\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.3-0ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.3-0ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.3-5ubuntu4.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.3-5ubuntu4.3\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python2.7\", ver:\"2.7.4-2ubuntu3.2\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python2.7-minimal\", ver:\"2.7.4-2ubuntu3.2\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:45:33", "bulletinFamily": "scanner", "description": "Check the version of python-pymongo", "modified": "2017-07-10T00:00:00", "published": "2016-02-13T00:00:00", "id": "OPENVAS:1361412562310807261", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807261", "title": "Fedora Update for python-pymongo FEDORA-2016-52", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-pymongo FEDORA-2016-52\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807261\");\n script_version(\"$Revision: 6631 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:36:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-13 06:33:22 +0100 (Sat, 13 Feb 2016)\");\n script_cve_id(\"CVE-2013-2099\", \"CVE-2013-7440\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python-pymongo FEDORA-2016-52\");\n script_tag(name: \"summary\", value: \"Check the version of python-pymongo\");\n \n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n \n script_tag(name: \"insight\", value: \"The Python driver for MongoDB.\");\n\n script_tag(name: \"affected\", value: \"python-pymongo on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2016-52\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177173.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-pymongo\", rpm:\"python-pymongo~2.5.2~8.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-24T11:09:47", "bulletinFamily": "scanner", "description": "Check for the Version of bzr", "modified": "2018-01-24T00:00:00", "published": "2013-06-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=865686", "id": "OPENVAS:865686", "title": "Fedora Update for bzr FEDORA-2013-9620", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bzr FEDORA-2013-9620\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"bzr on Fedora 18\";\ntag_insight = \"Bazaar is a distributed revision control system that is powerful, friendly,\n and scalable. It is the successor of Baz-1.x which, in turn, was\n a user-friendly reimplementation of GNU Arch.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865686);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-07 10:02:35 +0530 (Fri, 07 Jun 2013)\");\n script_cve_id(\"CVE-2013-2099\", \"CVE-2013-2098\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:P/A:P\");\n script_name(\"Fedora Update for bzr FEDORA-2013-9620\");\n\n script_xref(name: \"FEDORA\", value: \"2013-9620\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of bzr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"bzr\", rpm:\"bzr~2.5.1~11.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:57:21", "bulletinFamily": "scanner", "description": "Check for the Version of python-pip", "modified": "2018-04-06T00:00:00", "published": "2013-08-20T00:00:00", "id": "OPENVAS:1361412562310866701", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310866701", "title": "Fedora Update for python-pip FEDORA-2013-13216", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-pip FEDORA-2013-13216\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.866701\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-08-20 15:23:25 +0530 (Tue, 20 Aug 2013)\");\n script_cve_id(\"CVE-2013-2098\", \"CVE-2013-2099\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for python-pip FEDORA-2013-13216\");\n\n tag_insight = \"Pip is a replacement for easy_install\nhttp://peak.telecommunity.com/DevCenter/EasyInstall. It uses mostly the\nsame techniques for finding packages, so packages that were made\neasy_installable should be pip-installable as well.\n\";\n\n tag_affected = \"python-pip on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-13216\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112563.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of python-pip\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-pip\", rpm:\"python-pip~1.3.1~4.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:54:48", "bulletinFamily": "scanner", "description": "Check the version of python-tornado", "modified": "2017-07-13T00:00:00", "published": "2014-12-17T00:00:00", "id": "OPENVAS:1361412562310868609", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868609", "title": "Fedora Update for python-tornado FEDORA-2014-16390", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-tornado FEDORA-2014-16390\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868609\");\n script_version(\"$Revision: 6715 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-17 05:59:57 +0100 (Wed, 17 Dec 2014)\");\n script_cve_id(\"CVE-2013-2098\", \"CVE-2013-2099\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for python-tornado FEDORA-2014-16390\");\n script_tag(name: \"summary\", value: \"Check the version of python-tornado\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tornado is an open source version of the scalable, non-blocking web\nserver and tools.\n\nThe framework is distinct from most mainstream web server frameworks\n(and certainly most Python frameworks) because it is non-blocking and\nreasonably fast. Because it is non-blocking and uses epoll, it can\nhandle thousands of simultaneous standing connections, which means it is\nideal for real-time web services.\n\");\n script_tag(name: \"affected\", value: \"python-tornado on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-16390\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146329.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-tornado\", rpm:\"python-tornado~2.2.1~7.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-02-06T13:10:22", "bulletinFamily": "scanner", "description": "Check for the Version of python3", "modified": "2018-02-05T00:00:00", "published": "2013-11-26T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867086", "id": "OPENVAS:867086", "title": "Fedora Update for python3 FEDORA-2013-21415", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python3 FEDORA-2013-21415\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867086);\n script_version(\"$Revision: 8672 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 17:39:18 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-26 10:15:19 +0530 (Tue, 26 Nov 2013)\");\n script_cve_id(\"CVE-2013-4238\", \"CVE-2013-2099\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for python3 FEDORA-2013-21415\");\n\n tag_insight = \"Python 3 is a new version of the language that is incompatible with the 2.x\nline of releases. The language is mostly the same, but many details, especially\nhow built-in objects like dictionaries and strings work, have changed\nconsiderably, and a lot of deprecated features have finally been removed.\n\";\n\n tag_affected = \"python3 on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-21415\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122701.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of python3\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.3.0~5.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-24T11:09:29", "bulletinFamily": "scanner", "description": "Check for the Version of python3.3", "modified": "2018-01-24T00:00:00", "published": "2013-10-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=841576", "id": "OPENVAS:841576", "title": "Ubuntu Update for python3.3 USN-1985-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1985_1.nasl 8509 2018-01-24 06:57:46Z teissa $\n#\n# Ubuntu Update for python3.3 USN-1985-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841576);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-03 10:20:45 +0530 (Thu, 03 Oct 2013)\");\n script_cve_id(\"CVE-2013-2099\", \"CVE-2013-4238\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_name(\"Ubuntu Update for python3.3 USN-1985-1\");\n\n tag_insight = \"Florian Weimer discovered that Python incorrectly handled matching multiple\nwildcards in ssl certificate hostnames. An attacker could exploit this to\ncause Python to consume resources, resulting in a denial of service.\n(CVE-2013-2099)\n\nRyan Sleevi discovered that Python did not properly handle certificates\nwith NULL characters in the Subject Alternative Name field. An attacker\ncould exploit this to perform a man in the middle attack to view sensitive\ninformation or alter encrypted communications. (CVE-2013-4238)\";\n\n tag_affected = \"python3.3 on Ubuntu 13.04 ,\n Ubuntu 12.10\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"1985-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1985-1/\");\n script_tag(name: \"summary\" , value: \"Check for the Version of python3.3\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python3.3\", ver:\"3.3.0-1ubuntu0.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.3-minimal\", ver:\"3.3.0-1ubuntu0.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python3.3\", ver:\"3.3.1-1ubuntu5.2\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"python3.3-minimal\", ver:\"3.3.1-1ubuntu5.2\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:56:25", "bulletinFamily": "scanner", "description": "Check for the Version of python3", "modified": "2018-04-06T00:00:00", "published": "2013-11-26T00:00:00", "id": "OPENVAS:1361412562310867086", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867086", "title": "Fedora Update for python3 FEDORA-2013-21415", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python3 FEDORA-2013-21415\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867086\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-26 10:15:19 +0530 (Tue, 26 Nov 2013)\");\n script_cve_id(\"CVE-2013-4238\", \"CVE-2013-2099\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for python3 FEDORA-2013-21415\");\n\n tag_insight = \"Python 3 is a new version of the language that is incompatible with the 2.x\nline of releases. The language is mostly the same, but many details, especially\nhow built-in objects like dictionaries and strings work, have changed\nconsiderably, and a lot of deprecated features have finally been removed.\n\";\n\n tag_affected = \"python3 on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-21415\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122701.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of python3\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"python3\", rpm:\"python3~3.3.0~5.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:57:54", "bulletinFamily": "scanner", "description": "Check for the Version of bzr", "modified": "2018-04-06T00:00:00", "published": "2013-06-07T00:00:00", "id": "OPENVAS:1361412562310865700", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865700", "title": "Fedora Update for bzr FEDORA-2013-9628", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for bzr FEDORA-2013-9628\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"bzr on Fedora 17\";\ntag_insight = \"Bazaar is a distributed revision control system that is powerful, friendly,\n and scalable. It is the successor of Baz-1.x which, in turn, was\n a user-friendly reimplementation of GNU Arch.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865700\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-07 10:03:12 +0530 (Fri, 07 Jun 2013)\");\n script_cve_id(\"CVE-2013-2099\", \"CVE-2013-2098\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:P/A:P\");\n script_name(\"Fedora Update for bzr FEDORA-2013-9628\");\n\n script_xref(name: \"FEDORA\", value: \"2013-9628\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107959.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of bzr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"bzr\", rpm:\"bzr~2.5.1~11.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:04", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.\n\n \n**Affected Packages:** \n\n\npython-tornado\n\n \n**Issue Correction:** \nRun _yum update python-tornado_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n python27-tornado-2.2.1-7.7.amzn1.noarch \n python26-tornado-2.2.1-7.7.amzn1.noarch \n python27-tornado-doc-2.2.1-7.7.amzn1.noarch \n python26-tornado-doc-2.2.1-7.7.amzn1.noarch \n \n src: \n python-tornado-2.2.1-7.7.amzn1.src \n \n \n", "modified": "2015-05-06T15:14:00", "published": "2015-05-06T15:14:00", "id": "ALAS-2015-521", "href": "https://alas.aws.amazon.com/ALAS-2015-521.html", "title": "Low: python-tornado", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:08:59", "bulletinFamily": "unix", "description": "Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. (CVE-2013-2099)\n\nRyan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2013-4238)", "modified": "2013-10-01T00:00:00", "published": "2013-10-01T00:00:00", "id": "USN-1984-1", "href": "https://usn.ubuntu.com/1984-1/", "title": "Python 3.2 vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:44", "bulletinFamily": "unix", "description": "Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. This issue only affected Ubuntu 13.04. (CVE-2013-2099)\n\nRyan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2013-4238)", "modified": "2013-10-01T00:00:00", "published": "2013-10-01T00:00:00", "id": "USN-1983-1", "href": "https://usn.ubuntu.com/1983-1/", "title": "Python 2.7 vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:09:53", "bulletinFamily": "unix", "description": "Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in ssl certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. (CVE-2013-2099)\n\nRyan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2013-4238)", "modified": "2013-10-01T00:00:00", "published": "2013-10-01T00:00:00", "id": "USN-1985-1", "href": "https://usn.ubuntu.com/1985-1/", "title": "Python 3.3 vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-18T13:48:26", "bulletinFamily": "unix", "description": "Package : bzr\nVersion : 2.6.0~bzr6526-1+deb7u1\nCVE ID : CVE-2013-2099 CVE-2017-14176\nDebian Bug : 709068 874429\n\nCVE-2013-2099\n\n Bazaar bundles SSL certificate checking code from Python, which\n had a bug that could cause a denial of service via resource\n consumption through multiple wildcards in certificate hostnames.\n\nCVE-2017-14176\n\n Adam Collard found that host names in 'bzr+ssh' URLs were not\n parsed correctly by Bazaar, allowing remote attackers to run\n arbitrary code by tricking a user into a maliciously crafted\n URL.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n2.6.0~bzr6526-1+deb7u1.\n\nWe recommend that you upgrade your bzr packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2017-09-23T13:40:11", "published": "2017-09-23T13:40:11", "id": "DEBIAN:DLA-1107-1:992AA", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00024.html", "title": "[SECURITY] [DLA 1107-1] bzr security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:44", "bulletinFamily": "unix", "description": "### Background\n\nPython is an interpreted, interactive, object-oriented programming language. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition or perform a man-in-the-middle attack to disclose sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Python 3.3 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-3.3.2-r1\"\n \n\nAll Python 3.2 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-3.2.5-r1\"\n \n\nAll Python 2.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-2.6.8\"\n \n\nAll Python 2.7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-lang/python-2.7.3-r1\"", "modified": "2015-06-17T00:00:00", "published": "2014-01-06T00:00:00", "id": "GLSA-201401-04", "href": "https://security.gentoo.org/glsa/201401-04", "type": "gentoo", "title": "Python: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}
