Debian Security Advisory

DLA-25-2 python2.6 -- LTS security update

Date Reported:
31 Jul 2014
Affected Packages:
python2.6
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2011-1015, CVE-2011-1521, CVE-2011-4940, CVE-2011-4944, CVE-2012-0845, CVE-2012-1150, CVE-2013-4238, CVE-2014-1912.
More information:

A regression has been identified in the python2.6 update of DLA-25-1, which may cause Python applications to abort if they were running during the upgrade but had not yet imported the 'os' module, and do so after the upgrade. This update fixes this upgrade scenario.

For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in python2.6. The most relevant are:

  • CVE-2013-4238

    Incorrect handling of NUL bytes in certificate hostnames may allow server spoofing via specially-crafted certificates signed by a trusted Certification Authority.

  • CVE-2014-1912

    Buffer overflow in socket.recvfrom_into leading to application crash and possibly code execution.
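As an added, defender-side illustration of the CVE-2013-4238 class (example code, not from the advisory or from python2.6 itself), the following hostname check treats any NUL byte in a certificate name as a mismatch and restricts wildcards to the left-most label. It assumes certificates in the dictionary layout returned by ssl.getpeercert() and that the names reach Python untruncated; the sample certificates are constructed.

```python
def _dnsname_matches(pattern, hostname):
    """Match one certificate DNS name against the requested hostname.

    A NUL byte anywhere in either side is an immediate mismatch, so a
    name such as 'www.example.org\\x00.example.net' can never be read as
    'www.example.org'.  Matching is case-insensitive; a wildcard is only
    accepted as the whole left-most label of a name with 3+ labels.
    """
    if '\x00' in pattern or '\x00' in hostname:
        return False
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern or not hostname:
        return False
    if '*' not in pattern:
        return pattern == hostname
    labels = pattern.split('.')
    if labels[0] != '*' or len(labels) < 3 or any('*' in l for l in labels[1:]):
        return False
    host_labels = hostname.split('.')
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return True if the cert dict is valid for hostname.

    Uses subjectAltName DNS entries; falls back to the subject
    commonName only when the certificate carries no DNS SANs.
    """
    dns_names = [value for key, value in cert.get('subjectAltName', ())
                 if key == 'DNS']
    if not dns_names:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    dns_names.append(value)
    return any(_dnsname_matches(name, hostname) for name in dns_names)


# Constructed sample certificates in the layout ssl.getpeercert() returns.
GOOD_CERT = {'subject': ((('commonName', 'www.example.org'),),),
             'subjectAltName': (('DNS', 'www.example.org'),
                                ('DNS', '*.example.org'))}
CN_ONLY_CERT = {'subject': ((('commonName', 'example.com'),),)}
# A name that a NUL-truncating comparison would misread as www.example.org.
NUL_CERT = {'subject': ((('commonName', 'www.example.org\x00.example.net'),),),
            'subjectAltName': (('DNS', 'www.example.org\x00.example.net'),)}
```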

For Debian 6 Squeeze, these issues have been fixed in python2.6 version 2.6.6-8+deb6u2.