Date: Mon, 23 Dec 2013 16:41:52 -0700
From: Vincent Danen <vdanen@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: Christian Heimes <christian@...imes.de>, psrt@...hon.org
Subject: CVE issues with recent python flaws

So I've been detangling some python issues that we were alerted to around this time last year, along with some other vendors. The work, and the CVEs that were assigned (not sure by whom), are all public, and since there are some issues that probably warrant a few more CVEs, I'm bringing this up on the list here (and also because no real announcements ever came out of the python camp regarding these).

It's all noted in our bug (https://bugzilla.redhat.com/show_bug.cgi?id=1046174):

* httplib (fixed in 2.7.4, 2.6.9, and 3.3.3)
* ftplib (fixed in 2.7.6, 2.6.9, 3.3.3)
* imaplib (not yet fixed in 2.7.x; fixed in 2.6.9, 3.3.3)
* nntplib (fixed in 2.7.6, 2.6.9, 3.3.3)
* poplib (not yet fixed in 2.7.x; fixed in 2.6.9, 3.3.3)
* smtplib (not yet fixed in 2.7.x; fixed in 2.6.9; not yet fixed in 3.3.x)

http://bugs.python.org/issue16037
http://hg.python.org/cpython/rev/8a22a2804a66/
http://hg.python.org/cpython/rev/582e5072ff89
http://hg.python.org/cpython/rev/e445d02e5306/

http://bugs.python.org/issue16038
http://hg.python.org/cpython/rev/44ac81e6d584/
http://hg.python.org/cpython/rev/8b19e7d0be45/
http://hg.python.org/cpython/rev/38db4d0726bd/

http://bugs.python.org/issue16039
http://hg.python.org/cpython/rev/4190568ceda0/
http://hg.python.org/cpython/rev/4b0364fc5711/

http://bugs.python.org/issue16040
http://hg.python.org/cpython/rev/36680a7c0e22/
http://hg.python.org/cpython/rev/731abf7834c4/
http://hg.python.org/cpython/rev/fc88bd80d925/

http://bugs.python.org/issue16041
http://hg.python.org/cpython/rev/7214e3324a45/
http://hg.python.org/cpython/rev/68029048c9c6/

http://bugs.python.org/issue16042
http://hg.python.org/cpython/rev/8a6def3add5b/

One CVE (CVE-2013-1752) was assigned to all of these, which would have been perfectly reasonable if they had _all_ been fixed simultaneously (or at least in the same version).

My post here is two-fold: a) to let other vendors know about these issues so they can update/patch their own packages, and b) to see if MITRE wants to do anything with regards to the CVE assignments for these issues, as it seems like we might need 3-4 CVEs here, as only nntplib and ftplib carry the same fixed-in versions across the board.

--
Vincent Danen / Red Hat Security Response Team