Debian Security Advisory
DLA-25-2 python2.6 -- LTS security update
- Date Reported: 31 Jul 2014
- Affected Packages: python2.6
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2011-1015, CVE-2011-1521, CVE-2011-4940, CVE-2011-4944, CVE-2012-0845, CVE-2012-1150, CVE-2013-4238, CVE-2014-1912.
- More information:
A regression has been identified in the python2.6 update of DLA-25-1, which may cause Python applications to abort if they were running during the upgrade, had not yet imported the 'os' module, and import it after the upgrade. This update fixes this upgrade scenario.
For reference, the original advisory text follows.
Multiple vulnerabilities were discovered in python2.6. The most relevant are:
- CVE-2013-4238: Incorrect handling of NUL bytes in certificate hostnames may allow server spoofing via specially-crafted certificates signed by a trusted Certification Authority.
- CVE-2014-1912: Buffer overflow in socket.recvfrom_into leading to application crash and possibly code execution.
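As an added illustration of the CVE-2013-4238 bug class (this is not code from the advisory or from CPython, and the certificate dicts are constructed samples in the shape returned by SSLSocket.getpeercert()), a hostname check that treats any certificate name carrying an embedded NUL byte as a mismatch instead of comparing only the part before the NUL:

```python
# Added illustration of the CVE-2013-4238 bug class; not advisory or CPython
# code. The certificate dicts are constructed samples in the shape returned
# by SSLSocket.getpeercert().

# Constructed: a normal certificate for www.example.org.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
# Constructed: a certificate whose names carry an embedded NUL. A C-level
# string comparison stops at the NUL and sees only "www.example.org".
NUL_CERT = {
    "subject": ((("commonName", "www.example.org\x00.nul.test"),),),
    "subjectAltName": (("DNS", "www.example.org\x00.nul.test"),),
}


def dnsname_match(dn, hostname):
    """Match one certificate name against hostname, case-insensitively.
    A '*' is accepted only as the entire leftmost label (RFC 6125 style)."""
    if not dn or "\x00" in dn:          # the fix: a NUL can never be valid
        return False
    labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(labels) != len(host_labels) or "" in labels:
        return False
    if labels[0] == "*":
        return labels[1:] == host_labels[1:]
    return labels == host_labels


def match_hostname(cert, hostname):
    """Return the certificate name that matches hostname, else raise ValueError.
    dNSName entries are preferred; commonName is consulted only when the
    certificate has no dNSName at all."""
    candidates = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not candidates:
        candidates = [v for rdn in cert.get("subject", ())
                      for k, v in rdn if k == "commonName"]
    for name in candidates:
        if dnsname_match(name, hostname):
            return name
    raise ValueError("hostname %r does not match certificate names %r"
                     % (hostname, candidates))


def hostname_ok(cert, hostname):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        match_hostname(cert, hostname)
        return True
    except ValueError:
        return False
```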
For Debian 6 Squeeze, these issues have been fixed in python2.6 version 2.6.6-8+deb6u2.
- CVE-2013-4238