-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2005.0165 -- RHSA-2005:108-01
                  Important: python security update
                            18 February 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              python
Publisher:            Red Hat
Operating System:     Red Hat Enterprise Linux AS/ES/WS 4
                      Red Hat Desktop version 4
                      Linux variants
                      UNIX variants
                      Windows
                      Mac OS
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CAN-2005-0089
Ref:                  ESB-2005.0107

Original Bulletin:    https://rhn.redhat.com/errata/RHSA-2005-108.html

Comment: This Red Hat advisory is for Enterprise Linux version 4 only. The
         same vulnerability may exist in other versions, and administrators
         are advised to check the vendor's web site for further details.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: python security update
Advisory ID:       RHSA-2005:108-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-108.html
Issue date:        2005-02-15
Updated on:        2005-02-15
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-0089
- - ---------------------------------------------------------------------

1. Summary:

Updated Python packages that fix several security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Python is an interpreted, interactive, object-oriented programming language.

An object traversal bug was found in the Python SimpleXMLRPCServer. The
server resolved dotted method names by walking each component with getattr
and no filtering, so a remote untrusted user could name a path such as
method.im_func.func_globals and perform unrestricted object traversal,
allowing them to access or change function internals using the im_* and
func_* attributes. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0089 to this issue.

Users of Python are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red
Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

146649 - CAN-2005-0089 python SimpleXMLRPCServer security issue
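The traversal described in the problem description, shown as an added example that is not part of the Red Hat or AusCERT text. resolve_unpatched replicates the pre-fix lookup (a getattr walk over every dotted component of the method name); resolve_patched calls the resolver that current Python ships in xmlrpc.server, which carries the PSF-2005-001 fix (dotted names refused unless the server opts in via register_instance(..., allow_dotted_names=True), and any component beginning with an underscore rejected). The Calculator and Stats classes are constructed service objects, and the example uses Python 3's __func__/__globals__ names, the present-day spelling of the im_func/func_globals attributes the advisory refers to, so that it runs on a current interpreter.

```python
"""Added example for CAN-2005-0089 (not code from the advisory or from Red Hat):
how a dotted XML-RPC method name let a remote caller walk from the registered
instance into function internals, and what the patched resolver does instead."""
from functools import reduce
from xmlrpc.server import resolve_dotted_attribute  # carries the PSF-2005-001 fix


class Stats:
    """Constructed sub-object, so a legitimate dotted name like 'stats.count' exists."""
    def count(self):
        return 42


class Calculator:
    """Constructed service instance, as one would pass to register_instance()."""
    def __init__(self):
        self.stats = Stats()

    def add(self, a, b):
        return a + b


def resolve_unpatched(obj, attr):
    """Replica of the pre-fix lookup: every dotted component is fed to getattr
    with no filtering. Python 2.3 exposed function internals as im_func and
    func_globals; Python 3 spells them __func__ and __globals__, which is what
    this example uses."""
    return reduce(getattr, attr.split('.'), obj)


def resolve_patched(obj, attr, allow_dotted_names=False):
    """The fixed behaviour: dotted names are refused unless the server opted in
    with allow_dotted_names=True, and even then any component starting with
    '_' raises AttributeError, which closes the im_*/func_* path."""
    return resolve_dotted_attribute(obj, attr, allow_dotted_names)


def traversal_reaches_internals(obj):
    """Pre-fix: 'add.__func__.__globals__' resolves to this module's globals
    dict, handing the remote caller the function's internals."""
    return resolve_unpatched(obj, 'add.__func__.__globals__') is globals()


def traversal_blocked(obj, attr, allow_dotted_names=True):
    """Post-fix: True when the resolver raises AttributeError for this name."""
    try:
        resolve_patched(obj, attr, allow_dotted_names)
    except AttributeError:
        return True
    return False


if __name__ == '__main__':
    calc = Calculator()
    print('unpatched reaches module globals:', traversal_reaches_internals(calc))
    print('patched blocks __func__ walk:', traversal_blocked(calc, 'add.__func__.__globals__'))
    print('patched, dotted names off, blocks stats.count:', traversal_blocked(calc, 'stats.count', False))
    print('patched, dotted names on, allows stats.count:', resolve_patched(calc, 'stats.count', True)())
```

The default of the patched resolver is the one to keep on any server exposed to untrusted clients: with allow_dotted_names left False only top-level methods of the registered instance are reachable, and enabling it still never exposes an attribute whose name starts with an underscore.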
6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/python-2.3.4-14.1.src.rpm
d189468154d7cf63aa6af6678cb8613d  python-2.3.4-14.1.src.rpm

i386:
2712b8f9d2912600d8f646d35f689996  python-2.3.4-14.1.i386.rpm
be88db797f56d1a501ed3732757b657d  python-devel-2.3.4-14.1.i386.rpm
20a88af26a767018c87e39032552a57a  python-docs-2.3.4-14.1.i386.rpm
05a2588346ef5950ae83b76f140cd029  python-tools-2.3.4-14.1.i386.rpm
689f7fc46cf2e5e2107653f5f338f471  tkinter-2.3.4-14.1.i386.rpm

ia64:
6ba1f92092692ce7dc000f2396444430  python-2.3.4-14.1.ia64.rpm
f45375f74a80c5a541c5c6f8c511c6ed  python-devel-2.3.4-14.1.ia64.rpm
aea178005376626a739f9e9deb46d85e  python-docs-2.3.4-14.1.ia64.rpm
68884aa4b76210190f984b0a644b7bcc  python-tools-2.3.4-14.1.ia64.rpm
1182fdc4661ee0aaa6187a4adcf88309  tkinter-2.3.4-14.1.ia64.rpm

ppc:
ef9131d7daa839fb8b80051c0a248ec8  python-2.3.4-14.1.ppc.rpm
974938aea5959d3b9d7dfe17bee28bc8  python-devel-2.3.4-14.1.ppc.rpm
29b6d4fc9a8e46a5dd4ea76eb0262ec5  python-docs-2.3.4-14.1.ppc.rpm
ad59f7d118c70b89c522a28054df5abd  python-tools-2.3.4-14.1.ppc.rpm
85e2c0aec90cd30f2b6a0bb4f711f06e  tkinter-2.3.4-14.1.ppc.rpm

s390:
c2c5d0e3a66dcfd17ebaffdadbb84d8a  python-2.3.4-14.1.s390.rpm
1192f7711e7296bd55e407afe275dea2  python-devel-2.3.4-14.1.s390.rpm
baaccfd176d523a9019befc6ca3e4546  python-docs-2.3.4-14.1.s390.rpm
757b1117779443567ae9f9ba5470397d  python-tools-2.3.4-14.1.s390.rpm
8ab54fcc6429685ca89a004255da2302  tkinter-2.3.4-14.1.s390.rpm

s390x:
7364a75ad005e960d90c68c26db1b9d6  python-2.3.4-14.1.s390x.rpm
57ed41904fd90af8020cb2a12c6b9efa  python-devel-2.3.4-14.1.s390x.rpm
5c001929d0620a477310cfcc611b57bf  python-docs-2.3.4-14.1.s390x.rpm
4ec4346b001bd2b2568ac7b3d2fc18ba  python-tools-2.3.4-14.1.s390x.rpm
cd2d59c73aa0dee5c8140b653b74792c  tkinter-2.3.4-14.1.s390x.rpm

x86_64:
ba4668c9e17ec0a36950f84a6e4d6ed9  python-2.3.4-14.1.x86_64.rpm
51c6c2801c10e1ab406303446b2b2f11  python-devel-2.3.4-14.1.x86_64.rpm
5f32fc6f75760f31ca259534af097eb2  python-docs-2.3.4-14.1.x86_64.rpm
fdabec76f02d3616b5a540f0402c5237  python-tools-2.3.4-14.1.x86_64.rpm
26bb9a58781a462848dc632bfd08eb81  tkinter-2.3.4-14.1.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/python-2.3.4-14.1.src.rpm
d189468154d7cf63aa6af6678cb8613d  python-2.3.4-14.1.src.rpm

i386:
2712b8f9d2912600d8f646d35f689996  python-2.3.4-14.1.i386.rpm
be88db797f56d1a501ed3732757b657d  python-devel-2.3.4-14.1.i386.rpm
20a88af26a767018c87e39032552a57a  python-docs-2.3.4-14.1.i386.rpm
05a2588346ef5950ae83b76f140cd029  python-tools-2.3.4-14.1.i386.rpm
689f7fc46cf2e5e2107653f5f338f471  tkinter-2.3.4-14.1.i386.rpm

x86_64:
ba4668c9e17ec0a36950f84a6e4d6ed9  python-2.3.4-14.1.x86_64.rpm
51c6c2801c10e1ab406303446b2b2f11  python-devel-2.3.4-14.1.x86_64.rpm
5f32fc6f75760f31ca259534af097eb2  python-docs-2.3.4-14.1.x86_64.rpm
fdabec76f02d3616b5a540f0402c5237  python-tools-2.3.4-14.1.x86_64.rpm
26bb9a58781a462848dc632bfd08eb81  tkinter-2.3.4-14.1.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/python-2.3.4-14.1.src.rpm
d189468154d7cf63aa6af6678cb8613d  python-2.3.4-14.1.src.rpm

i386:
2712b8f9d2912600d8f646d35f689996  python-2.3.4-14.1.i386.rpm
be88db797f56d1a501ed3732757b657d  python-devel-2.3.4-14.1.i386.rpm
20a88af26a767018c87e39032552a57a  python-docs-2.3.4-14.1.i386.rpm
05a2588346ef5950ae83b76f140cd029  python-tools-2.3.4-14.1.i386.rpm
689f7fc46cf2e5e2107653f5f338f471  tkinter-2.3.4-14.1.i386.rpm

ia64:
6ba1f92092692ce7dc000f2396444430  python-2.3.4-14.1.ia64.rpm
f45375f74a80c5a541c5c6f8c511c6ed  python-devel-2.3.4-14.1.ia64.rpm
aea178005376626a739f9e9deb46d85e  python-docs-2.3.4-14.1.ia64.rpm
68884aa4b76210190f984b0a644b7bcc  python-tools-2.3.4-14.1.ia64.rpm
1182fdc4661ee0aaa6187a4adcf88309  tkinter-2.3.4-14.1.ia64.rpm

x86_64:
ba4668c9e17ec0a36950f84a6e4d6ed9  python-2.3.4-14.1.x86_64.rpm
51c6c2801c10e1ab406303446b2b2f11  python-devel-2.3.4-14.1.x86_64.rpm
5f32fc6f75760f31ca259534af097eb2  python-docs-2.3.4-14.1.x86_64.rpm
fdabec76f02d3616b5a540f0402c5237  python-tools-2.3.4-14.1.x86_64.rpm
26bb9a58781a462848dc632bfd08eb81  tkinter-2.3.4-14.1.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/python-2.3.4-14.1.src.rpm
d189468154d7cf63aa6af6678cb8613d  python-2.3.4-14.1.src.rpm

i386:
2712b8f9d2912600d8f646d35f689996  python-2.3.4-14.1.i386.rpm
be88db797f56d1a501ed3732757b657d  python-devel-2.3.4-14.1.i386.rpm
20a88af26a767018c87e39032552a57a  python-docs-2.3.4-14.1.i386.rpm
05a2588346ef5950ae83b76f140cd029  python-tools-2.3.4-14.1.i386.rpm
689f7fc46cf2e5e2107653f5f338f471  tkinter-2.3.4-14.1.i386.rpm

ia64:
6ba1f92092692ce7dc000f2396444430  python-2.3.4-14.1.ia64.rpm
f45375f74a80c5a541c5c6f8c511c6ed  python-devel-2.3.4-14.1.ia64.rpm
aea178005376626a739f9e9deb46d85e  python-docs-2.3.4-14.1.ia64.rpm
68884aa4b76210190f984b0a644b7bcc  python-tools-2.3.4-14.1.ia64.rpm
1182fdc4661ee0aaa6187a4adcf88309  tkinter-2.3.4-14.1.ia64.rpm

x86_64:
ba4668c9e17ec0a36950f84a6e4d6ed9  python-2.3.4-14.1.x86_64.rpm
51c6c2801c10e1ab406303446b2b2f11  python-devel-2.3.4-14.1.x86_64.rpm
5f32fc6f75760f31ca259534af097eb2  python-docs-2.3.4-14.1.x86_64.rpm
fdabec76f02d3616b5a540f0402c5237  python-tools-2.3.4-14.1.x86_64.rpm
26bb9a58781a462848dc632bfd08eb81  tkinter-2.3.4-14.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://www.python.org/security/PSF-2005-001/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0089

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCEc6FXlSAg2UNWIIRAmm9AJ9aL7Sswi3F/oxjWHMv8sHPB425KQCfUAR8
bjnPw/Kk5h6q6PANnBQC5h8=
=YvZd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQhUvPSh9+71yA2DNAQLudQP9HzKUoVB+xceXQiaybpSFsJwmdjgz2pZg
GUPR4hIyfqt/UEHZXdGmE3UbMNZqYgG8WHBInCZ5uj/wA7zlADFJbpAB+biPDN4y
1IO0JKbc6uo550KzL72cuhZCLlxyicPWFMMcc2S2pzQ/B+fEx+puPgROLMNqAh0t
XbgSi1hrlMc=
=w2T4
-----END PGP SIGNATURE-----