
[SECURITY] [DLA 522-1] python2.7 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : python2.7
Version        : 2.7.3-6+deb7u3
CVE ID         : CVE-2016-0772 CVE-2016-5636 CVE-2016-5699

   * CVE-2016-0772
     A vulnerability in smtplib allowing a MITM attacker to perform a
     STARTTLS stripping attack. smtplib does not raise an exception
     when the remote end (SMTP server) advertises STARTTLS but fails
     to respond with 220 (ok) to an explicit call of SMTP.starttls().
     This allows a malicious MITM to strip STARTTLS whenever the
     client code does not explicitly check the response code returned
     by SMTP.starttls().
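The check the advisory says client code must perform, as an added example (not code from the advisory or from Debian's patch): the helper calls SMTP.starttls() and fails closed unless the server answered 220, so a stripped or refused upgrade can never fall through to an AUTH or DATA in cleartext. It is written for Python 3 (the vulnerable package is python2.7, whose starttls() has no `context` parameter), and the FakeSMTP class is a constructed stand-in used only to exercise the check offline.

```python
"""Fail-closed STARTTLS upgrade check (added example, not from DLA 522-1)."""
import smtplib
import ssl


class StartTLSStripped(Exception):
    """Raised when the server did not confirm the TLS upgrade with code 220."""


def starttls_or_fail(conn, context=None):
    """Upgrade `conn` to TLS and return the reply code, which must be 220.

    `conn` is any object exposing starttls(context=...) that returns
    (code, message), such as smtplib.SMTP. Unfixed smtplib versions return a
    non-220 code silently instead of raising, so the caller has to check it
    (this is the missing check the advisory describes). Fixed versions raise
    SMTPResponseException, which is mapped to the same exception here.
    """
    if context is None:
        # Default context: verifies the server certificate and hostname.
        context = ssl.create_default_context()
    try:
        code, message = conn.starttls(context=context)
    except smtplib.SMTPResponseException as exc:
        raise StartTLSStripped(
            "STARTTLS refused: %s %r" % (exc.smtp_code, exc.smtp_error)) from exc
    if code != 220:
        raise StartTLSStripped("STARTTLS refused: %s %r" % (code, message))
    return code


def tls_upgrade_succeeded(conn):
    """Boolean wrapper around starttls_or_fail() for callers that prefer a flag."""
    try:
        starttls_or_fail(conn)
    except StartTLSStripped:
        return False
    return True


def send_over_tls(host, port, user, password, sender, recipients, body):
    """Usage sketch against a real server: never authenticate unless the
    STARTTLS reply was 220. Not exercised by the offline test."""
    with smtplib.SMTP(host, port) as conn:
        conn.ehlo()
        starttls_or_fail(conn)        # raises before any credential is sent
        conn.ehlo()                   # re-EHLO over the now-encrypted channel
        conn.login(user, password)
        conn.sendmail(sender, recipients, body)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (not the real class): it replies
    to starttls() with whatever code it was built with."""

    def __init__(self, code, message=b"Ready to start TLS"):
        self.code, self.message = code, message
        self.tls_started = False

    def starttls(self, context=None):
        if self.code == 220:
            self.tls_started = True
        return self.code, self.message
```

The important design point is that the function raises rather than returning the code for the caller to inspect: a forgotten comparison is exactly how the original bug became exploitable.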
   * CVE-2016-5636
     Issue #26171: Fix possible integer overflow and heap corruption
     in zipimporter.get_data().
   * CVE-2016-5699
     Protocol injection can occur not only if an application sets a
     header based on user-supplied values, but also if the application
     ever fetches a URL specified by an attacker (SSRF case) or if the
     application ever accesses a malicious web server (redirection
     case).
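Both cases named above are decided by where a URL comes from, so the application-side mitigation is to validate every URL before urllib fetches it, including the `Location` values a redirecting server supplies. The following is an added example (Python 3 urllib, not code from the advisory or from Debian's patch): it rejects URLs carrying raw or percent-encoded CR/LF, restricts schemes, optionally enforces a host allowlist for the SSRF case, and re-runs the same validation on redirects. The control-character check runs on the raw string before urlsplit() because recent Python versions silently strip newlines during parsing. The sample URLs in the test are constructed.

```python
"""URL validation before urllib fetches (added example, not from DLA 522-1)."""
import urllib.request
from urllib.parse import unquote, urlsplit

# Characters that would terminate the request line or a header if they ever
# reached the HTTP client. NUL is included because some parsers stop at it.
_CONTROL_CHARS = ("\r", "\n", "\x00")
ALLOWED_SCHEMES = ("http", "https")


class UnsafeURL(ValueError):
    """The URL must not be fetched."""


def validate_fetch_url(url, allowed_hosts=None):
    """Return `url` unchanged if it is safe to hand to urllib, else raise UnsafeURL.

    allowed_hosts: optional set of lowercase hostnames (the SSRF mitigation);
    None means any host is acceptable.
    """
    # 1. Raw control characters anywhere in the string.
    if any(c in url for c in _CONTROL_CHARS):
        raise UnsafeURL("raw control character in URL")
    parts = urlsplit(url)
    # 2. Only the schemes urllib is meant to speak here.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    # 3. Percent-encoded control characters in any component; these are the
    #    ones that survive parsing and get decoded into the request.
    for component in (parts.netloc, parts.path, parts.query, parts.fragment):
        if any(c in unquote(component) for c in _CONTROL_CHARS):
            raise UnsafeURL("encoded control character in URL component")
    # 4. Optional host allowlist for attacker-chosen targets.
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        raise UnsafeURL("host not in allowlist: %r" % parts.hostname)
    return url


def is_safe_fetch_url(url, allowed_hosts=None):
    """Boolean form of validate_fetch_url() for callers that prefer a flag."""
    try:
        validate_fetch_url(url, allowed_hosts)
    except UnsafeURL:
        return False
    return True


class ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect case: apply the same validation to every Location the server
    sends before urllib follows it. Unsafe redirects raise instead of being
    followed."""

    def __init__(self, allowed_hosts=None):
        super().__init__()
        self.allowed_hosts = allowed_hosts

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        validate_fetch_url(newurl, self.allowed_hosts)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener(allowed_hosts=None):
    """Opener whose redirects are validated; use opener.open(validate_fetch_url(u))."""
    return urllib.request.build_opener(ValidatingRedirectHandler(allowed_hosts))
```

The allowlist is the only part that needs a decision per application; the control-character and scheme checks can be applied unconditionally to any URL that did not originate in the application's own configuration.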

For Debian 7 "Wheezy", these problems have been fixed in version
2.7.3-6+deb7u3.

We recommend that you upgrade your python2.7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
