CVSS2 base score: 6.4 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
Python is vulnerable to denial of service (DoS). The flaw is in the Python urllib and urllib2 libraries, which did not differentiate between target URLs when handling automatic redirects: a Python application using these modules would follow a redirect to any URL scheme the modules understood, including the "file://" scheme. This could allow a remote server to force a local Python application to read a local file instead of the remote resource, possibly exposing local files that were not meant to be exposed.
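As an added example (not code from this advisory or from CPython), a Python 3 urllib.request redirect handler that enforces the kind of scheme check the fix introduced, restricted here to http and https only; the StrictRedirectHandler class, the check_redirect helper and the URLs it is called with are constructed for illustration.

```python
"""Refuse HTTP redirects to non-web schemes such as file://.

Constructed example: a stricter variant of the scheme check added to
urllib's redirect handling, limited to http and https.
"""
import urllib.request
from email.message import Message
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

# Only these schemes may be the target of an automatic redirect.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that rejects any target outside ALLOWED_SCHEMES."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        scheme = urlsplit(newurl).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            # Refuse the redirect instead of silently following it; the
            # caller sees an HTTPError naming the rejected target.
            raise HTTPError(
                newurl, code,
                "%s - redirect to scheme %r is not allowed" % (msg, scheme),
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def check_redirect(original_url, location):
    """Simulate a 302 from original_url with the given Location header.

    Returns the URL the client would fetch next, or None if the redirect
    is refused. Relative Location values are resolved against the original
    URL, as urllib itself does before calling redirect_request().
    """
    handler = StrictRedirectHandler()
    req = urllib.request.Request(original_url)
    headers = Message()
    headers["Location"] = location
    newurl = urljoin(original_url, location)
    try:
        new_req = handler.redirect_request(req, None, 302, "Found", headers, newurl)
    except HTTPError:
        return None
    return new_req.full_url
```

In a real client the handler is installed with `urllib.request.build_opener(StrictRedirectHandler)`; check_redirect only exercises the scheme check offline.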
bugs.python.org/issue11662
hg.python.org/cpython/file/96a6c128822b/Misc/NEWS
hg.python.org/cpython/file/b2934d98dac1/Misc/NEWS
hg.python.org/cpython/rev/96a6c128822b/
hg.python.org/cpython/rev/b2934d98dac1/
lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
openwall.com/lists/oss-security/2011/03/24/5
openwall.com/lists/oss-security/2011/03/28/2
openwall.com/lists/oss-security/2011/09/11/1
openwall.com/lists/oss-security/2011/09/13/2
openwall.com/lists/oss-security/2011/09/15/5
secunia.com/advisories/50858
secunia.com/advisories/51024
secunia.com/advisories/51040
securitytracker.com/id?1025488
support.apple.com/kb/HT5002
www.mandriva.com/security/advisories?name=MDVSA-2011:096
www.ubuntu.com/usn/USN-1592-1
www.ubuntu.com/usn/USN-1596-1
www.ubuntu.com/usn/USN-1613-1
www.ubuntu.com/usn/USN-1613-2
access.redhat.com/errata/RHSA-2011:0491
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=690560
bugzilla.redhat.com/show_bug.cgi?id=737366
rhn.redhat.com/errata/RHSA-2009-1625.html
www.djangoproject.com/weblog/2011/sep/09/
www.djangoproject.com/weblog/2011/sep/10/127/