ALT-PU-2015-1995-1
Closed vulnerabilities
Published: 2020-03-11
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2013-1753
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
Severity: MEDIUM (5.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2016-06-07
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2013-7440
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
Severity: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (5.9)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References:
- http://seclists.org/oss-sec/2015/q2/483
- http://seclists.org/oss-sec/2015/q2/523
- http://www.securityfocus.com/bid/74707
- https://access.redhat.com/errata/RHSA-2016:1166
- https://bugs.python.org/issue17997
- https://bugzilla.redhat.com/show_bug.cgi?id=1224999
- https://hg.python.org/cpython/rev/10d0edadbcdd
- http://seclists.org/oss-sec/2015/q2/483
- http://seclists.org/oss-sec/2015/q2/523
- http://www.securityfocus.com/bid/74707
- https://access.redhat.com/errata/RHSA-2016:1166
- https://bugs.python.org/issue17997
- https://bugzilla.redhat.com/show_bug.cgi?id=1224999
- https://hg.python.org/cpython/rev/10d0edadbcdd
Published: 2014-12-12
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2014-9365
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity: MEDIUM (5.8)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
References:
- http://bugs.python.org/issue22417
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://www.openwall.com/lists/oss-security/2014/12/11/1
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/71639
- https://access.redhat.com/errata/RHSA-2016:1166
- https://access.redhat.com/errata/RHSA-2017:1162
- https://access.redhat.com/errata/RHSA-2017:1868
- https://security.gentoo.org/glsa/201503-10
- https://support.apple.com/kb/HT205031
- https://www.python.org/dev/peps/pep-0476/
- https://www.python.org/downloads/release/python-279/
- http://bugs.python.org/issue22417
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://www.openwall.com/lists/oss-security/2014/12/11/1
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/71639
- https://access.redhat.com/errata/RHSA-2016:1166
- https://access.redhat.com/errata/RHSA-2017:1162
- https://access.redhat.com/errata/RHSA-2017:1868
- https://security.gentoo.org/glsa/201503-10
- https://support.apple.com/kb/HT205031
- https://www.python.org/dev/peps/pep-0476/
- https://www.python.org/downloads/release/python-279/
Published: 2016-09-02
Modified: 2025-04-12
Modified: 2025-04-12
CVE-2016-5699
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Severity: MEDIUM (4.3)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Severity: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2016-1626.html
- http://rhn.redhat.com/errata/RHSA-2016-1627.html
- http://rhn.redhat.com/errata/RHSA-2016-1628.html
- http://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://rhn.redhat.com/errata/RHSA-2016-1630.html
- http://www.openwall.com/lists/oss-security/2016/06/14/7
- http://www.openwall.com/lists/oss-security/2016/06/15/12
- http://www.openwall.com/lists/oss-security/2016/06/16/2
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91226
- http://www.splunk.com/view/SP-CAAAPSV
- http://www.splunk.com/view/SP-CAAAPUE
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
- https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
- https://hg.python.org/cpython/rev/1c45047c5102
- https://hg.python.org/cpython/rev/bf3e1c9b80e9
- https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
- http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2016-1626.html
- http://rhn.redhat.com/errata/RHSA-2016-1627.html
- http://rhn.redhat.com/errata/RHSA-2016-1628.html
- http://rhn.redhat.com/errata/RHSA-2016-1629.html
- http://rhn.redhat.com/errata/RHSA-2016-1630.html
- http://www.openwall.com/lists/oss-security/2016/06/14/7
- http://www.openwall.com/lists/oss-security/2016/06/15/12
- http://www.openwall.com/lists/oss-security/2016/06/16/2
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91226
- http://www.splunk.com/view/SP-CAAAPSV
- http://www.splunk.com/view/SP-CAAAPUE
- https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-4
- https://hg.python.org/cpython/raw-file/v2.7.10/Misc/NEWS
- https://hg.python.org/cpython/rev/1c45047c5102
- https://hg.python.org/cpython/rev/bf3e1c9b80e9
- https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
Closed bugs
Добавить поддержку Bluetooth.
Обновить до 2.7.10