Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2004:019 - Updated python packages fix buffer overflow vulnerability
From: Mandrake Linux Security Team <security () linux-mandrake com>
Date: 10 Mar 2004 05:07:12 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           python
 Advisory ID:            MDKSA-2004:019
 Date:                   March 9th, 2004

 Affected versions:      9.0, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A buffer overflow in python 2.2's getaddrinfo() function was
 discovered by Sebastian Schmidt.  If python 2.2 is built without
 IPv6 support, an attacker could configure their name server to let a
 hostname resolve to a special IPv6 address, which could contain a
 memory address where shellcode is placed.  This problem does not
 affect python versions prior to 2.2 or versions 2.2.2+, and it also
 doesn't exist if IPv6 support is enabled.
 
 The updated packages have been patched to correct the problem.  Thanks
 to Sebastian for both the discovery and patch.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0150
 ______________________________________________________________________

 Updated Packages:
  
 Corporate Server 2.1:
 879da513052f8a7f22f46b32c8edd064  corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.i586.rpm
 41aabf6642342583667e7f7614b2b1af  corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.i586.rpm
 79afd48bc89cf1dd3580f9b9d210ab08  corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.i586.rpm
 0e6280b152a9f65677da9ce35bbfc987  corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.i586.rpm
 9e0eaadd3d9e3a15b95acb17fbde064d  corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.i586.rpm
 f241bc6291f1d5a46e95a2e5fa7e7791  corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.i586.rpm
 84625a172626fe08ff13bce7b2030641  corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 5b523008885552a89c17197f1091c850  x86_64/corporate/2.1/RPMS/libpython2.2-2.2.1-14.4.C21mdk.x86_64.rpm
 44befc507f68059d14f46c758ed57380  x86_64/corporate/2.1/RPMS/libpython2.2-devel-2.2.1-14.4.C21mdk.x86_64.rpm
 0dfefaf01bb9ac8a5cecc444900be1b2  x86_64/corporate/2.1/RPMS/python-2.2.1-14.4.C21mdk.x86_64.rpm
 cd79821fb454279049337f3bd0885479  x86_64/corporate/2.1/RPMS/python-base-2.2.1-14.4.C21mdk.x86_64.rpm
 955bd9c56f666e19e146feb9da0087b7  x86_64/corporate/2.1/RPMS/python-docs-2.2.1-14.4.C21mdk.x86_64.rpm
 651c007f402400e18c51ac97ae3da84e  x86_64/corporate/2.1/RPMS/tkinter-2.2.1-14.4.C21mdk.x86_64.rpm
 84625a172626fe08ff13bce7b2030641  x86_64/corporate/2.1/SRPMS/python-2.2.1-14.4.C21mdk.src.rpm

 Mandrakelinux 9.0:
 9e8ecf81acdf6e00066b020bead51c4a  9.0/RPMS/libpython2.2-2.2.1-14.4.90mdk.i586.rpm
 990622b91606efd81f8fe2b40c8576f3  9.0/RPMS/libpython2.2-devel-2.2.1-14.4.90mdk.i586.rpm
 b91abc21fad8020cbee047ad1bbf0da8  9.0/RPMS/python-2.2.1-14.4.90mdk.i586.rpm
 a08fb0bad8dafca71f0e08a343c95412  9.0/RPMS/python-base-2.2.1-14.4.90mdk.i586.rpm
 3d2be84aab4e0fab2cb86c9e6bacc25f  9.0/RPMS/python-docs-2.2.1-14.4.90mdk.i586.rpm
 a765ef4de6610a6ea880dc17aeab7636  9.0/RPMS/tkinter-2.2.1-14.4.90mdk.i586.rpm
 1ad8d764521ada5597da5f5083dfd1f6  9.0/SRPMS/python-2.2.1-14.4.90mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFATqJ/mqjQ0CJFipgRAtEtAJkB8w2/Qf1eXYE/eGMBh55sKX/MpwCeI+No
P3uOOAxXMBCVPT+J3QDN41E=
=8F0Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • MDKSA-2004:019 - Updated python packages fix buffer overflow vulnerability Mandrake Linux Security Team (Mar 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]