Date: 20 November 2008
References: ESB-2008.0774 ESB-2009.0147 ESB-2009.1096 ESB-2010.0198
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.1059 -- [Debian]
New python2.4 packages fix several vulnerabilities
20 November 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python2.4
Publisher: Debian
Operating System: Debian
Impact: Execute Arbitrary Code/Commands
Provide Misleading Information
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2008-3144 CVE-2008-3143 CVE-2008-3142
CVE-2008-2315
Ref: ESB-2008.0774
Original Bulletin: http://www.debian.org/security/2008/dsa-1667
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1667-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
November 19, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : python2.4
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144
Several vulnerabilities have been discovered in the interpreter for the
Python language. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2008-2315
David Remahl discovered several integer overflows in the
stringobject, unicodeobject, bufferobject, longobject,
tupleobject, stropmodule, gcmodule, and mmapmodule modules.
CVE-2008-3142
Justin Ferguson discovered that incorrect memory allocation in
the unicode_resize() function can lead to buffer overflows.
CVE-2008-3143
Several integer overflows were discovered in various Python core
modules.
CVE-2008-3144
Several integer oberflows were discovered in the PyOS_vsnprintf()
function.
For the stable distribution (etch), these problems have been fixed in
version 2.4.4-3+etch2.
For the unstable distribution (sid) and the upcoming stable
distribution (lenny), these problems have been fixed in
version 2.4.5-5.
We recommend that you upgrade your python2.4 packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4.orig.tar.gz
Size/MD5 checksum: 9508940 f74ef9de91918f8927e75e8c3024263a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2.dsc
Size/MD5 checksum: 1201 0b3898b3477ae37a81d28f9539c50de6
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2.diff.gz
Size/MD5 checksum: 205713 ac023a02c39a7e70b10c268e7169cbc7
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-examples_2.4.4-3+etch2_all.deb
Size/MD5 checksum: 589678 9c6aef28fb1ff9a804fa1a147ce69d9e
http://security.debian.org/pool/updates/main/p/python2.4/idle-python2.4_2.4.4-3+etch2_all.deb
Size/MD5 checksum: 60906 f03f5452778817758dfce037ba571001
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 965736 6f3adc06d80c3fdeda48e3bc0b12e5d9
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 5238160 680f07c3e87cb20b05b37745cf80f39a
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 2970930 e9f0951b39f36de2bd288aa34ca0dbc4
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_alpha.deb
Size/MD5 checksum: 1850704 3ccfc06ca31ae9f7f6cb631e8ee3a000
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 967804 0b594b7a4e03004672043d5c58019f80
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 1637308 bcb8e0ccd455c2487ee2721d3d84aca1
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 5592228 441466ec5cbe0a3bf5b7d55a6fed7d8b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_amd64.deb
Size/MD5 checksum: 2968524 145a0af7bfaaae7d9ad2203241ec4ee8
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 5358352 bb915c2a61cdc006db13a8d0c440c56d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 1502304 84153862216da31338aba857c90871d4
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 902236 6427dc210675b5cce39ab5f928b298db
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_arm.deb
Size/MD5 checksum: 2882452 b6bf0e5f6b4ea813a5bccc567b6e408e
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 3076702 001c94d6dba8fb9ba08d29ca5ceca65f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 1799642 95b811cadf540cc3b3f31a0134d18661
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 1020124 9c8431097766633b45cfa35bf71761f5
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_hppa.deb
Size/MD5 checksum: 5529414 67fb9036f49688d82b6ee93addc3c3fe
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 901636 b198116fc5425e7fd48dba6d992a0c06
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 2850824 4c7b173a4ebb3444201fe3f45f9e9fd2
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 1511532 4fd6d3f340893f233f674a73642330b0
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_i386.deb
Size/MD5 checksum: 5185158 da92623d224f45bd929b778864f98991
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 3373186 bf8c76edf3d0c95deaa7bdf81a178a83
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 6069872 e4dfd4adc2e602334f0896f7424f0575
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 2271712 46e48abc5e37875a427752c82d8a0f7b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_ia64.deb
Size/MD5 checksum: 1290446 9c85ea026775b8a4789a3e46816d0d5e
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 957252 d38814f00e5f99329484248c184b24b3
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 5660920 84bacdccb5955980efe7a6b59e5238fa
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 1726146 c4312205f75f0bf6393ff2c7bd70fd2f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_mips.deb
Size/MD5 checksum: 2907332 db94b5cd8acca9f475f5f6965a66761a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 2864392 a17779986991285abab3391244d9c1e3
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 5511232 b92e2004fb01967d4f7014970171e9a9
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 1717876 a98897dc330a1a6effa05ff29af9bfab
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_mipsel.deb
Size/MD5 checksum: 939778 6aeb1ef0ed1589b20009b0f7428a2dda
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 1642534 468c97ebc8403c556c36da596e31d20f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 2958248 bc7f2d52549e520a9843945dd282bfad
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 5786768 370c7b6f933f98308416924f13da6f94
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_powerpc.deb
Size/MD5 checksum: 979280 a25aeb78de7b33b8b2cfe316f3f0a834
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 2977268 a4dcf614e277d8c0f70b4737e53aaf5c
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 974928 a3bd80007cd56a79472b42db039ece4f
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 5674618 cb969a4cc4fda848ebee50528d3c570d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_s390.deb
Size/MD5 checksum: 1648202 72ebac2aefa5ca8c8e2ef9675e0c6052
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/p/python2.4/python2.4_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 2902784 21032174db6897e8828e34ce01fa017d
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-minimal_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 918976 694c6c564222cff16c9069c6ee8c24bf
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dev_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 1586720 bf9d1414434a21b314535fc6df13103b
http://security.debian.org/pool/updates/main/p/python2.4/python2.4-dbg_2.4.4-3+etch2_sparc.deb
Size/MD5 checksum: 5199576 c5bb7eb8ecc15a633d7045d284d3d93d
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkkWV0ACgkQXm3vHE4uyloD4ACg4wZplFaYb8wMXtR+cJGEMv3/
ElgAoOQNvTliC+c5EvAqNoXldGpUvwmX
=23CL
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSSSbDih9+71yA2DNAQI6OAP9ETHl9foiR3wyrIRsbKN8xmWzCsVU6C9E
1LUPRnDHOygVQrL3obt4f3clDEESiktgRzt+DEHZzPmP2oyQhUmngpWqqP/ypS35
1fnyTe3hYoH2jh17OdH+x+ZwMRBKekSSgewHt6N8PwFxwBJJtAB4n1ICnh7UK8yc
IVz+3HZHzTU=
=cQxQ
-----END PGP SIGNATURE-----
|