-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2002.493 -- Debian Security Advisory DSA 159-2
        New Python packages fix problem introduced by security fix
                             10 September 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                python
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2 alias potato
                        Debian GNU/Linux 3.0 alias woody
Impact:                 Reduced Security
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 159-2                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 9th, 2002                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : python
Vulnerability  : insecure temporary files
Problem-Type   : local
Debian-specific: no
BugTraq ID     : 5581

[The mail just sent was formatted like an attachment due to a
misconception on my side.  This mail is only the clearsign version. ]

The bugfix we distributed in DSA 159-1 unfortunately caused Python to
sometimes behave improperly when a non-executable file existed earlier
in the path and an executable file of the same name existed later in
the path.  Zack Weinberg fixed this in the Python source.  For
reference, here's the original advisory text:

    Zack Weinberg discovered an insecure use of a temporary file in
    os._execvpe from os.py. It uses a predictable name which could
    lead to execution of arbitrary code.
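The regression that DSA 159-2 repairs is a PATH-walk bug: a lookup that accepts the first directory entry whose name matches, whether or not that entry is executable, lets a stray non-executable file earlier in PATH shadow the real program later in PATH. The following is an added illustration, not Debian's or Python's code: it builds a two-entry PATH in a private temporary directory and contrasts the regressed lookup with one that keeps walking past non-executable matches. The helper names and the "early"/"late" layout are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Added illustration of the PATH-walk regression described in DSA 159-2.
# Not Debian's or Python's own code; helper names and the "early"/"late"
# directory layout are constructed for this demonstration.


def first_existing_match(name, path_dirs):
    """Regressed behaviour: accept the first PATH entry that merely exists.

    A non-executable file of the same name earlier in PATH shadows the real
    program later in PATH, which is the symptom DSA 159-2 reports."""
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if os.path.exists(candidate):
            return candidate
    return None


def first_executable_match(name, path_dirs):
    """Corrected behaviour: skip entries that are not executable regular
    files and keep walking PATH, so a stray data file cannot shadow the
    program that should run."""
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_demo_path():
    """Constructed fixture: PATH = [early, late], where early/tool is a plain
    data file and late/tool is an executable script.  mkdtemp() yields a
    private, unpredictably named directory, the property the predictable
    temporary file name in the original os._execvpe lacked."""
    root = tempfile.mkdtemp(prefix="dsa159-demo-")
    early = os.path.join(root, "early")
    late = os.path.join(root, "late")
    os.mkdir(early)
    os.mkdir(late)

    shadow = os.path.join(early, "tool")
    with open(shadow, "w") as handle:
        handle.write("not a program\n")
    # 0644: readable, but no execute bit anywhere
    os.chmod(shadow, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)

    program = os.path.join(late, "tool")
    with open(program, "w") as handle:
        handle.write("#!/bin/sh\necho ok\n")
    # 0755: the entry a PATH search should actually select
    os.chmod(program, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP
             | stat.S_IROTH | stat.S_IXOTH)
    return root, [early, late]


def compare_lookups(name="tool"):
    """Run both lookups against the fixture and report which PATH entry each
    picks, as the basename of the containing directory ("early" or "late")."""
    root, path_dirs = build_demo_path()
    try:
        regressed = first_existing_match(name, path_dirs)
        corrected = first_executable_match(name, path_dirs)
        return {
            "regressed": os.path.basename(os.path.dirname(regressed)),
            "corrected": os.path.basename(os.path.dirname(corrected)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(compare_lookups())  # {'regressed': 'early', 'corrected': 'late'}
```

The regressed lookup returns the shadowing data file in "early"; the corrected one returns the script in "late". When checking whether an installed interpreter is affected, the same fixture can be pointed at the real PATH search of the interpreter under test instead of these stand-in functions.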

This problem has been fixed in several versions of Python: For the
current stable distribution (woody) it has been fixed in version
1.5.2-23.2 of Python 1.5, in version 2.1.3-3.2 of Python 2.1 and in
version 2.2.1-4.2 of Python 2.2. For the old stable distribution
(potato) this has been fixed in version 1.5.2-10potato13 for Python
1.5. For the unstable distribution (sid) this has been fixed in
version 1.5.2-25 of Python 1.5, in version 2.1.3-9 of Python 2.1 and
in version 2.2.1-11 of Python 2.2. Python 2.3 is not affected by the
original problem.

We recommend that you upgrade your Python packages.


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
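Each package listed in the sections that follow carries a "Size/MD5 checksum" line. Checking a fetched file against that line before running dpkg -i catches truncated or corrupted downloads; the line is trustworthy only because it sits inside the PGP-signed advisory, so the signature check comes first. The following is an added example of that pre-install check, not Debian's code; the sample payload is constructed and is not a real package.

```python
import hashlib

# Added example of the pre-install integrity check that the advisory's
# "Size/MD5 checksum" lines make possible.  Not Debian's code; the sample
# payload below is constructed and is not a real package.


def parse_checksum_line(line):
    """Parse one 'Size/MD5 checksum: <size> <hex>' line as printed in the advisory."""
    _label, rest = line.split(":", 1)
    size_text, digest = rest.split()
    if len(digest) != 32:
        raise ValueError("MD5 digest must be 32 hex characters")
    return int(size_text), digest.lower()


def md5_hex(data):
    """Hex MD5 of a byte string, the digest form the advisory publishes."""
    return hashlib.md5(data).hexdigest()


def verify_download(data, expected_size, expected_md5):
    """Return True only when both the byte length and the MD5 digest match the
    advisory.  A mismatch means the file is truncated, corrupted or not the one
    that was published: re-fetch it instead of running dpkg -i on it."""
    if len(data) != expected_size:
        return False
    return md5_hex(data) == expected_md5.lower()


# Constructed stand-in for a downloaded .deb; not a real package.
SAMPLE_PACKAGE = b"constructed stand-in for a .deb payload\n"


def demo():
    """Check an intact, a truncated and a same-length tampered copy against
    the expected size and digest of the intact sample."""
    expected_size, expected_md5 = len(SAMPLE_PACKAGE), md5_hex(SAMPLE_PACKAGE)
    intact = verify_download(SAMPLE_PACKAGE, expected_size, expected_md5)
    truncated = verify_download(SAMPLE_PACKAGE[:-1], expected_size, expected_md5)
    tampered = verify_download(SAMPLE_PACKAGE.replace(b"deb", b"DEB"),
                               expected_size, expected_md5)
    return intact, truncated, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In practice the data argument is the bytes read from the file wget saved, and the expected values come from parse_checksum_line applied to the advisory line for that exact filename and architecture.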


Debian GNU/Linux 2.2 alias potato
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/python/python_1.5.2-10potato13.dsc
      Size/MD5 checksum:      814 15658c9064507f46d3074af59f7ad218
    http://security.debian.org/pool/updates/main/p/python/python_1.5.2-10potato13.diff.gz
      Size/MD5 checksum:    85640 bd7d68152dfc35ea8d6b6e30a143a696
    http://security.debian.org/pool/updates/main/p/python/python_1.5.2.orig.tar.gz
      Size/MD5 checksum:  2533053 e9d677ae6d5a3efc6937627ed8a3e752

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_alpha.deb
      Size/MD5 checksum:   928808 add635f90434d2021887c36707a2f10c

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_arm.deb
      Size/MD5 checksum:   849298 f9cd68bfaa75b08e0462055c103c53fd

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_i386.deb
      Size/MD5 checksum:   825292 3fd77f5f0f90ee904908c3af612b9268

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_m68k.deb
      Size/MD5 checksum:   837688 680297f46cc3ef0214206ece9fd24167

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_powerpc.deb
      Size/MD5 checksum:   872488 3b4d05433f2ad9e5b0182ade9edc24e5

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_sparc.deb
      Size/MD5 checksum:   854848 f6760252303686618726f6af12287eb6


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2.dsc
      Size/MD5 checksum:      916 aa7b63a8384f37ce644d9bbc2c594a93
    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2.diff.gz
      Size/MD5 checksum:   147675 77e1702b4eaf9fde2316dface2bfb118
    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2.orig.tar.gz
      Size/MD5 checksum:  2533570 d9ade0d7613466e0353561d277ff02fe
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2.dsc
      Size/MD5 checksum:     1283 9cf0222820b3730f885833949ee2752c
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2.diff.gz
      Size/MD5 checksum:    70289 23bd09269b47d0c55815d738870f9f26
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3.orig.tar.gz
      Size/MD5 checksum:  6194246 1ae739aa5824de263923df3516eeaf80
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2.dsc
      Size/MD5 checksum:     1150 a4f837cbefd09fa2fb27b799811aacb1
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2.diff.gz
      Size/MD5 checksum:    91722 d3ede617d5b8ddb4dd81e7735640000a
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1.orig.tar.gz
      Size/MD5 checksum:  6536167 88aa07574673ccfaf35904253c78fc7d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_alpha.deb
      Size/MD5 checksum:   993478 b9b7799ff765a425926b2c56de13443c
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_alpha.deb
      Size/MD5 checksum:  1804304 663466bd39741650c3dd9a49ca89d59a
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_alpha.deb
      Size/MD5 checksum:  2139238 6b967a140b2a51d442cfb84891300414

  ARM architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_arm.deb
      Size/MD5 checksum:   893374 f0c4f0f1c13146b226c9192aaa59e62b
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_arm.deb
      Size/MD5 checksum:  1646606 4ad1516f1afae6f106c0c40a37d6fcdf
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_arm.deb
      Size/MD5 checksum:  1952210 6c191ffb5b2d77c52c2cadbd20d1298c

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_i386.deb
      Size/MD5 checksum:   865938 d3cf0730cc2529807ce59e68395e6396
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_i386.deb
      Size/MD5 checksum:  1592166 059df3cfa844b25d292fdf9c1808c8d4
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_i386.deb
      Size/MD5 checksum:  1888508 179880aa560f0b9ecf45cca8c57eb451

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_ia64.deb
      Size/MD5 checksum:  1123834 0fe1e81eaeb6e51d73c4c86531c5c5f0
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_ia64.deb
      Size/MD5 checksum:  2080790 88d771d8ea3f9289ea5b552ea9a01a99
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_ia64.deb
      Size/MD5 checksum:  2489548 5d6abd03f4716986bd0ce4599a261297

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_hppa.deb
      Size/MD5 checksum:   983286 c4b39bb69d263d95832c2eb9cd34d11d
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_hppa.deb
      Size/MD5 checksum:  1832650 bda1279f0bdb2056c30afe9913415bbf
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_hppa.deb
      Size/MD5 checksum:  2356192 64fbb9fd51ea7f53e80ff32e11e89b80

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_m68k.deb
      Size/MD5 checksum:   880196 a61ba2de8d3056c252de513cf7b5d8ea
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_m68k.deb
      Size/MD5 checksum:  1608796 da4e546766c589378e6117778ff9056a
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_m68k.deb
      Size/MD5 checksum:  1894026 0ba9078d8e655ac3e2cb06b3c4761103

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_mips.deb
      Size/MD5 checksum:   893284 f02223e7008b0395edad33a78ae030ac
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_mips.deb
      Size/MD5 checksum:  1661254 2bf07b8f8aa5383873128029cb1a1d12
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_mips.deb
      Size/MD5 checksum:  1952322 142f9fe7a1d68b076a44f70d003ba677

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_mipsel.deb
      Size/MD5 checksum:   890812 ab02be8c8dac1dadafa0ad85a1e2d627
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_mipsel.deb
      Size/MD5 checksum:  1657988 f05738ac39f731c38ae19b7223603e08
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_mipsel.deb
      Size/MD5 checksum:  1947426 ccce0e16862734b23adc9bd4550c31fe

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_powerpc.deb
      Size/MD5 checksum:   913446 9a540b7ded9fbae1402f5afe14f359fc
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_powerpc.deb
      Size/MD5 checksum:  1681254 314a5cf6599d88bce41c331ebe945059
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_powerpc.deb
      Size/MD5 checksum:  1998856 11416c5e75b762bd33085d8966b9a126

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_s390.deb
      Size/MD5 checksum:   897150 7ffb4636cf3aa63060b107b2b21c2e31
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_s390.deb
      Size/MD5 checksum:  1647976 e3ae48fcfc0e8960a3f78ba3b30e0a6c
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_s390.deb
      Size/MD5 checksum:  1929358 05fe107035d278bbc4ba84f0503449d1

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/p/python1.5/python1.5_1.5.2-23.2_sparc.deb
      Size/MD5 checksum:   963064 6e271de84f9631e9994ae94b5f37e8a3
    http://security.debian.org/pool/updates/main/p/python2.1/python2.1_2.1.3-3.2_sparc.deb
      Size/MD5 checksum:  1730934 b0b2279b6b86fe9dc9372934accc6f86
    http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.2_sparc.deb
      Size/MD5 checksum:  2036598 4c96e6318184cf954299e5c7f7a8ba4b


  Please note that all python source packages produce more binary
  packages than the ones listed above.  They are not relevant for the
  fixed problems, though.

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9fL7bW5ql+IAeqTIRArsdAJ9/fnpXoqvOPPjvIBTOrzLYi5gvZgCfY+mf
XgSlnEIwGp4jaXLdVQY5VyE=
=iK9B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPX4H7Ch9+71yA2DNAQFoOQQAiNDHmTTAXr1kfIYbzWY5Oi76IuD4Ug5o
gWlSmrcH+prfKhaO5NVhq6j9ua6PIxOmm4OAe6ly8CckZx8oo3M6Ae+tfPFi3CQM
a1rEwKWJp3mbkrouoj6YAqy+2Topj7rwcRfctAroS0rskgPzTKJWns2BejEZmfX8
mqR0Yg0a8ko=
=q9gn
-----END PGP SIGNATURE-----