Date: 21 April 2008
References: AU-2007.0028 ESB-2008.0189 ESB-2009.0147 ESB-2009.1096
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0406 -- [Win][UNIX/Linux][Debian]
New python2.4 packages fix several vulnerabilities
21 April 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python2.4
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access Confidential Data
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1887 CVE-2008-1721 CVE-2008-1679
CVE-2007-4965 CVE-2007-2052
Ref: ESB-2008.0189
AU-2007.0028
Original Bulletin: http://www.debian.org/security/2008/dsa-1551
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running python check for an updated version of the software for
their operating system
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1551-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 19, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : python2.4
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887
Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project identifies
the following problems:
CVE-2007-2052
Piotr Engelking discovered that the strxfrm() function of the locale
module miscalculates the length of an internal buffer, which may
result in a minor information disclosure.
CVE-2007-4965
It was discovered that several integer overflows in the imageop
module may lead to the execution of arbitrary code, if a user is
tricked into processing malformed images. This issue is also
tracked as CVE-2008-1679 due to an initially incomplete patch.
CVE-2008-1721
Justin Ferguson discovered that a buffer overflow in the zlib
module may lead to the execution of arbitrary code.
CVE-2008-1887
Justin Ferguson discovered that insufficient input validation in
PyString_FromStringAndSize() may lead to the execution of arbitrary
code.
For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch1.
For the unstable distribution (sid), these problems have been fixed in
version 2.4.5-2.
We recommend that you upgrade your python2.4 packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 4.0 (stable)
- - -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.diff.gz
Size/MD5 checksum: 195434 8b86b3dc4c5a86a9ad8682fee56f30ca
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
Size/MD5 checksum: 9508940 f74ef9de91918f8927e75e8c3024263a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1.dsc
Size/MD5 checksum: 1201 585773fd24634e05bb56b8cc85215c65
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch1_all.deb
Size/MD5 checksum: 589642 63092c4cd1ea78c0993345be25a162b8
http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch1_all.deb
Size/MD5 checksum: 60864 21664a3f029087144046b6c175e88736
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_alpha.deb
Size/MD5 checksum: 2968890 60a29f058a96e21d278a738fbb8067bf
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_alpha.deb
Size/MD5 checksum: 1848176 ddb7c47970f277baa00e6c080e4530bd
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_alpha.deb
Size/MD5 checksum: 5226532 5aa6daa859acdfdfcb7445586f4a0eb6
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_alpha.deb
Size/MD5 checksum: 963606 38c08ee31ae6189631e503ad3d76fa87
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_amd64.deb
Size/MD5 checksum: 2967058 6f06a90e94a6068b126413111185aff5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_amd64.deb
Size/MD5 checksum: 1635936 d5f98666609c652224b5552f5bb6b7a9
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_amd64.deb
Size/MD5 checksum: 966196 7436b29b52acd99872d79b595f489ace
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_amd64.deb
Size/MD5 checksum: 5587046 82444f4d11055f259d0899a0f8574b37
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_arm.deb
Size/MD5 checksum: 2881272 408ac2b8cd6180975109364b26ae1c95
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_arm.deb
Size/MD5 checksum: 901442 88d59caa6744da5c62a802124087d09c
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_arm.deb
Size/MD5 checksum: 1500512 3113ad3590f5969703ce426a23ca67dd
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_arm.deb
Size/MD5 checksum: 5351974 4f77de8e3dd9c12aa1e06a57cee82dac
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_hppa.deb
Size/MD5 checksum: 3073066 1b4498c26a825c27c6d9765ed8a2e33e
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_hppa.deb
Size/MD5 checksum: 5521834 68a5524fdb007cacc29a38865a43781d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_hppa.deb
Size/MD5 checksum: 1798220 6c9ce4754c024fbd1674a63c5ba0f06a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_hppa.deb
Size/MD5 checksum: 1017646 b8dd6490a43da08aa36c43712c360ff8
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_i386.deb
Size/MD5 checksum: 2849512 2598cb802b7f5e1aac6404b801a0a7f0
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_i386.deb
Size/MD5 checksum: 1508782 b8ffe50ecf5dfe173765dc5b263b7737
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_i386.deb
Size/MD5 checksum: 5176966 f6892dc5e598f1811bfc32ea81a863d6
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_i386.deb
Size/MD5 checksum: 900670 7956a1cf96b4b59de2d9e4972e04fff2
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_ia64.deb
Size/MD5 checksum: 3371938 88e170459b0762e1db775753f6d69bb5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_ia64.deb
Size/MD5 checksum: 2269496 2c1ef318f92b9d4b1c202ad77c8c4462
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_ia64.deb
Size/MD5 checksum: 1289496 d6fba2d2ea64736cf614b0b3b1ced9bf
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_ia64.deb
Size/MD5 checksum: 6059106 e1008e68d3d775590b2a29bd7bec7b6c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mips.deb
Size/MD5 checksum: 2906992 e6e43c336e1095e3fe7f5985e500bf55
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mips.deb
Size/MD5 checksum: 1725610 a9e2b6b11b1d9185885a9f99ed2d03b8
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mips.deb
Size/MD5 checksum: 5646190 5c420d1aa984c190b121c8494c6fca5a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mips.deb
Size/MD5 checksum: 956712 4949e953435f72cf9d06bb8684170175
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_mipsel.deb
Size/MD5 checksum: 1717120 30986065ecf6810f46294c8ca196b538
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_mipsel.deb
Size/MD5 checksum: 939320 89571b10c2635774f65921083344a911
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_mipsel.deb
Size/MD5 checksum: 5507492 a06d9728ef16072ee50b3a1fcf7d08a8
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_mipsel.deb
Size/MD5 checksum: 2863620 90b6a4b2c498acb4a46e205d36cf8ec9
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_powerpc.deb
Size/MD5 checksum: 1639780 4b7c83795b6d07c3a4050d5db977c577
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_powerpc.deb
Size/MD5 checksum: 5778968 7e97b8f62daf0f91e48bf6af20552b51
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_powerpc.deb
Size/MD5 checksum: 2956174 8e55e492ee8aa6e4787e77b161a245e5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_powerpc.deb
Size/MD5 checksum: 978078 9212e583942704f71a07478baa4d6446
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch1_s390.deb
Size/MD5 checksum: 973904 3cc580a21934a7f5fac203235386e250
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch1_s390.deb
Size/MD5 checksum: 2976776 efb7a2dc81b69a45ead47986d3b8fce5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch1_s390.deb
Size/MD5 checksum: 1646932 146ee8341c514308b15ca151753b3ca8
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch1_s390.deb
Size/MD5 checksum: 5667818 9b4543d9a0e5f51e8d9b790f6c3b43c8
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFICiFUXm3vHE4uyloRAngQAKCJJPkv3wrtkymZDNanh9AQoGeRxACgqrLd
GsESR3yK0RopGIWWi6Ed91I=
=rgLC
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSAvYlCh9+71yA2DNAQK0/AP6Arhx7n0PRaYA6Qg337nCmtmhX0Vhe/3n
5xc4Rh1Lck2ceGVx1/ryfMCWR+/6Aghg0kaidOZuaEv8d7Ait9bb8cXkpsXQnMAF
aGFszFx6tHUdk5n2Xa5Ii78EM+h0ucRtNo5lrYI23MsIfGyN/IUNdKMTPtkZTMaD
TLurytdeNfA=
=0fhb
-----END PGP SIGNATURE-----
|