
Security Advisory Moderate: python security update

Advisory: RHSA-2012:0745-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-06-18
Last updated on: 2012-06-18
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-4940
CVE-2011-4944
CVE-2012-1150

Details

Updated python packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Python is an interpreted, interactive, object-oriented programming
language.

A denial of service flaw was found in the implementation of associative
arrays (dictionaries) in Python. An attacker able to supply a large number
of inputs to a Python application (such as HTTP POST request parameters
sent to a web application) that are used as keys when inserting data into
an array could trigger multiple hash function collisions, making array
operations take an excessive amount of CPU time. To mitigate this issue,
randomization has been added to the hash function to reduce the chance of
an attacker successfully causing intentional collisions. (CVE-2012-1150)

Note: The hash randomization is not enabled by default as it may break
applications that incorrectly depend on dictionary ordering. To enable the
protection, the new "PYTHONHASHSEED" environment variable or the Python
interpreter's "-R" command line option can be used. Refer to the python(1)
manual page for details.
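As an added illustration (not part of the advisory or of the python package), the following Python 3 script shows the two checks a practitioner would run after applying this update: whether the running interpreter has hash randomization turned on, and whether PYTHONHASHSEED actually keys the hash function (different seeds give different values, seed 0 turns it off, which is what an application that wrongly depends on dictionary order would observe). It also shows a defence-in-depth measure for the request-parameter case the advisory describes: capping the number of form fields before any key is inserted into a dict. The probe string, the field limit and the minimal form decoder are constructed for the example and are not taken from the page.

```python
import os
import subprocess
import sys

PROBE_KEY = "probe-key"  # constructed sample string; any str would do


def hash_randomization_enabled():
    """True if this interpreter randomizes str/bytes hashes.

    sys.flags.hash_randomization is set when -R or PYTHONHASHSEED (other than
    0) is in effect; on Python 3.3+ it is on by default.
    """
    return bool(getattr(sys.flags, "hash_randomization", 0))


def hash_under_seed(seed, value=PROBE_KEY):
    """Run a child interpreter with PYTHONHASHSEED=seed and return hash(value).

    The seed is fixed per process, so a child is the only way to compare seeds.
    """
    env = dict(os.environ)
    env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", value],
        env=env,
    )
    return int(out.strip())


def seed_keys_the_hash(value=PROBE_KEY):
    """Two different fixed seeds give different hashes for the same key, so a
    remote party who does not know the seed cannot precompute colliding keys."""
    return hash_under_seed(1, value) != hash_under_seed(2, value)


def seed_zero_disables_randomization(value=PROBE_KEY):
    """PYTHONHASHSEED=0 switches randomization off: two runs agree."""
    return hash_under_seed(0, value) == hash_under_seed(0, value)


MAX_FORM_FIELDS = 1000  # constructed limit; tune to the application


def parse_form_bounded(body, max_fields=MAX_FORM_FIELDS):
    """Refuse a form body with more than max_fields '&'-separated pairs before
    any key is inserted into a dict, so the number of hash insertions a client
    can force is bounded. Decoding is deliberately minimal (no percent
    decoding); a real application would decode as urllib.parse does."""
    if not body:
        return {}
    pairs = body.split("&")
    if len(pairs) > max_fields:
        raise ValueError("too many form fields: %d > %d" % (len(pairs), max_fields))
    form = {}
    for pair in pairs:
        key, _, val = pair.partition("=")
        form[key] = val
    return form


def form_is_rejected(body, max_fields=MAX_FORM_FIELDS):
    """True if parse_form_bounded refuses body (used by the self-check)."""
    try:
        parse_form_bounded(body, max_fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("hash randomization enabled in this process:", hash_randomization_enabled())
    print("different seeds give different hashes:", seed_keys_the_hash())
    print("seed 0 is deterministic:", seed_zero_disables_randomization())
    print("5 fields with a limit of 4 rejected:",
          form_is_rejected("&".join("k%d=v" % i for i in range(5)), 4))
```

On the Python 2.4 shipped with Red Hat Enterprise Linux 5, `sys.flags.hash_randomization` is absent, so the first check falls back to reporting False; there, confirm the setting through the "-R" option or the PYTHONHASHSEED variable as the advisory notes.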

The RHSA-2012:0731 expat erratum must be installed with this update, which
adds hash randomization to the Expat library used by the Python pyexpat
module.

A flaw was found in the way the Python SimpleHTTPServer module generated
directory listings. An attacker able to upload a file with a
specially-crafted name to a server could possibly perform a cross-site
scripting (XSS) attack against victims visiting a listing page generated by
SimpleHTTPServer, for a directory containing the crafted file (if the
victims were using certain web browsers). (CVE-2011-4940)
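As an added example, not code from the advisory or from the CPython SimpleHTTPServer module, the following Python 3 snippet contrasts a directory listing that interpolates file names into HTML verbatim with one that HTML-escapes the visible text and percent-encodes the link target, which is the standard remedy for this class of flaw. The sample file names are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed sample directory entries; the second carries markup in its name.
SAMPLE_NAMES = ["notes.txt", "report<b>bold</b>.txt", "sub dir/"]


def listing_unescaped(names):
    """The pattern the advisory describes: names go into the page untouched,
    so any markup in a file name is rendered by the visitor's browser."""
    items = "".join('<li><a href="%s">%s</a></li>' % (n, n) for n in names)
    return "<ul>%s</ul>" % items


def listing_escaped(names):
    """Hardened form: the link target is percent-encoded (so '<', '"' and
    spaces cannot break out of the attribute) and the link text is
    HTML-escaped (so markup is shown literally instead of being rendered)."""
    items = "".join(
        '<li><a href="%s">%s</a></li>' % (quote(n), html.escape(n, quote=True))
        for n in names
    )
    return "<ul>%s</ul>" % items


def name_markup_leaks(render, names):
    """True if any name containing '<' appears verbatim in the rendered page,
    i.e. the renderer let file-name markup through."""
    page = render(names)
    return any("<" in n and n in page for n in names)


if __name__ == "__main__":
    print("unescaped listing leaks markup:", name_markup_leaks(listing_unescaped, SAMPLE_NAMES))
    print("escaped listing leaks markup:  ", name_markup_leaks(listing_escaped, SAMPLE_NAMES))
    print(listing_escaped(SAMPLE_NAMES))
```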

A race condition was found in the way the Python distutils module set file
permissions during the creation of the .pypirc file. If a local user had
access to the home directory of another user who is running distutils, they
could use this flaw to gain access to that user's .pypirc file, which can
contain usernames and passwords for code repositories. (CVE-2011-4944)
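As an added example, not code from the advisory or from distutils, the following Python 3 snippet shows the create-then-chmod pattern behind this class of race next to the hardened form, where the file is created with mode 0600 in the same system call that creates it (`os.open` with `O_CREAT|O_EXCL`), so there is no moment at which another user can open it and no pre-placed file or symlink is followed. The file contents and the umask value used for the demonstration are constructed; the sample holds no real credentials.

```python
import os
import shutil
import stat
import tempfile

# Constructed stand-in for a credentials file; no real account data.
SAMPLE_CONTENT = "[distutils]\nindex-servers = example\n"


def write_secret_racy(path, content):
    """Pattern of the kind the advisory describes: open() creates the file
    under the process umask, typically world-readable, and the permissions
    are only tightened afterwards, leaving a window for another local user."""
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)


def write_secret_atomic(path, content):
    """Hardened form: the file is born with mode 0600 (umask can only remove
    bits from that) and O_EXCL fails if anything already sits at path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)


def mode_of(path):
    """Permission bits of path as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_check():
    """Exercise both writers in a throwaway directory under umask 022 and
    return the observed modes plus whether O_EXCL refused an existing file."""
    tmpdir = tempfile.mkdtemp()
    old_umask = os.umask(0o022)  # constructed: a common default umask
    try:
        racy = os.path.join(tmpdir, "pypirc-racy")
        with open(racy, "w") as f:          # same first step as write_secret_racy
            f.write(SAMPLE_CONTENT)
            racy_before = mode_of(racy)     # mode while the window is open
        os.chmod(racy, 0o600)
        racy_after = mode_of(racy)

        atomic = os.path.join(tmpdir, "pypirc-atomic")
        write_secret_atomic(atomic, SAMPLE_CONTENT)
        atomic_mode = mode_of(atomic)
        try:
            write_secret_atomic(atomic, SAMPLE_CONTENT)
            excl_refused = False
        except FileExistsError:
            excl_refused = True
        return {
            "racy_before": racy_before,
            "racy_after": racy_after,
            "atomic": atomic_mode,
            "excl_refuses_existing": excl_refused,
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_check().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The first value shows the window concretely: under umask 022 the racy variant exists as 0644 until chmod runs, whereas the atomic variant is never readable by group or others.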

Red Hat would like to thank oCERT for reporting CVE-2012-1150. oCERT
acknowledges Julian Wälde and Alexander Klink as the original reporters of
CVE-2012-1150.

All Python users should upgrade to these updated packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
python-2.4.3-46.el5_8.2.src.rpm
File outdated by:  RHBA-2013:0045
    MD5: 327971a58b599ce3959cc5b24d4d1f09
SHA-256: c95ac961e23b98656cfa77c50380089dfd5be2d92188492ff9d2e7e4b9878454
 
IA-32:
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-devel-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 79599c0ab6d49cd068f2e0de4ed03372
SHA-256: 60280aa3531b97320d34e6796a8c19894cd68f2b8b3f0ac0e30d55e02c2bfc33
 
x86_64:
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-debuginfo-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: a063de026f07f8d88c6f227ec7e18b54
SHA-256: ae5a92a06f6c8f83fafabc13ebc3aa7a4fee66b6b414f7c3689beb8dcb9c026d
python-devel-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 79599c0ab6d49cd068f2e0de4ed03372
SHA-256: 60280aa3531b97320d34e6796a8c19894cd68f2b8b3f0ac0e30d55e02c2bfc33
python-devel-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: f64014b821f52289184c36fc6fe78e34
SHA-256: 80a18007cea4de4338995bd495ee9873bb1bb2617057540c25e522d8615b1a96
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
python-2.4.3-46.el5_8.2.src.rpm
File outdated by:  RHBA-2013:0045
    MD5: 327971a58b599ce3959cc5b24d4d1f09
SHA-256: c95ac961e23b98656cfa77c50380089dfd5be2d92188492ff9d2e7e4b9878454
 
IA-32:
python-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: ee084887856df30e8897b83b2468bb31
SHA-256: 8d0b2ed6be922f253f744b6d5781879edeccec28731b22c94e682addc3015bed
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-devel-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 79599c0ab6d49cd068f2e0de4ed03372
SHA-256: 60280aa3531b97320d34e6796a8c19894cd68f2b8b3f0ac0e30d55e02c2bfc33
python-libs-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 33709460761f01e5de067171645910cd
SHA-256: a5afa346e5fdd2b1ddefdd12675bdd9a6a1eae646acb170278f939b930c3ff7a
python-tools-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 0f96ba0a9a81758a9c036e4445db80b4
SHA-256: 54763beb166833158d03144eec0aae02b4a76dcf7136fd10bc60fb88c76467e1
tkinter-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: b3354e6b84086f00eee9b7c0a8cd9e29
SHA-256: 2bf7ae979334d14fc85054a094989c9dd7690406bf686080848c55c46f2078c1
 
IA-64:
python-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: c881ce55eedf26e22b972a3fbd428367
SHA-256: 92d9aca3e98c14a75d88d93d74eac4c5921646841ee6368b514fa1ba1f84f7e2
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-debuginfo-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 6e14d38b8f95ac3bfde05f17cd912105
SHA-256: eb8a7f8f4f7724e2a43418e6fce6a2ad23c406d8f4dea58dd7c20f4d3e504662
python-devel-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 4a4b85ad13b46737bba2a69606e16dd7
SHA-256: fbee76993606471d74987206271e0774ff180bd3d30f5b31aaff3d25c4254c4a
python-libs-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 33709460761f01e5de067171645910cd
SHA-256: a5afa346e5fdd2b1ddefdd12675bdd9a6a1eae646acb170278f939b930c3ff7a
python-libs-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 8485f0ca50867b7499fd9b8d28147a0a
SHA-256: ed8093de919b4e913d63e5fe438077b441f08bd7aee7f3d0650337dce4a44306
python-tools-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 4aecf2d3095efda5e3e7760415d87c1a
SHA-256: ee2f086bcdabc14a3c52997f089257fa3923c7f65ef2f1fa415fe8f95bd5b3fa
tkinter-2.4.3-46.el5_8.2.ia64.rpm
File outdated by:  RHBA-2013:0045
    MD5: e1b4dddd65ed82d894590f0daf1a8010
SHA-256: 6278fe6506e0a9b6f5d4895bf8b22feb6317aba83f071014af5d98d2fde94793
 
PPC:
python-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: 68bfeca95f3c60e7ebc8d6f921e0d4fa
SHA-256: 6efbbf53051dae6627941e29579fb53d7df0527089360e1f42c5ea1337d5461d
python-debuginfo-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: 70ee2770eb4b9e9720407f98a0d00c6d
SHA-256: 455f0f4ade98ce3c06efab2b57021d06382a75b587b48010bf705e2b0b0b1b20
python-debuginfo-2.4.3-46.el5_8.2.ppc64.rpm
File outdated by:  RHBA-2013:0045
    MD5: eb215c4707ab0abdf0c6b96be2027aae
SHA-256: 621f3896aebfd6765a179c60a470ae2e31e2c7d03e1a5a9a54dac319a072e115
python-devel-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: bd0e0ca8bd0f72f3d4c2eaafeb537442
SHA-256: b03eb41ad9dcc07f7800960fed0d6df8a41dbe7f129a51eacb5245510570f4ec
python-devel-2.4.3-46.el5_8.2.ppc64.rpm
File outdated by:  RHBA-2013:0045
    MD5: ca7642ef1d92d33d832a5d5f6ffead84
SHA-256: 37103ffa42a342f81b4853434c8aabf2e0f121ae4e94dd3c784e0e0cec482a3d
python-libs-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: b3caf74174bc5fd96f28fecab9ab2985
SHA-256: 575ecc3842aaf115f047482471c88496e00986454c054982de09891950626889
python-libs-2.4.3-46.el5_8.2.ppc64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 41621f62fb713b2902e0d28cd322c32b
SHA-256: ad56d8542ec234dbd9a5a0b766924c65dba942ce78bb9f678379e0f5ff005a9d
python-tools-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: 2f3e308c74d00dc85409ceb31f8c5160
SHA-256: 131247d59f4622ef4943abadcef1558d1bbdd3c9d9584be70659ca42fcec9bcb
tkinter-2.4.3-46.el5_8.2.ppc.rpm
File outdated by:  RHBA-2013:0045
    MD5: 52e0647c5b16f3dbd70a4ce3cb656642
SHA-256: bbc5bc79afa34efc61e369d5d72f8c8350ee893a35b77ab088ce3a52de02ddc8
 
s390x:
python-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: ccb01a0a1de1bcef3f3341f196e43630
SHA-256: aced08284a08b738bc2c9d9e3d023024b58ea496a033316bdbde17e788710aa6
python-debuginfo-2.4.3-46.el5_8.2.s390.rpm
File outdated by:  RHBA-2013:0045
    MD5: b9e968ca5914e8f28718ad229bb8ad95
SHA-256: 0e6f79101cc4f6277df9adf7f027d6f1ded156506b6f8a3380c7d21670bd49ee
python-debuginfo-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: fd8ffd0e323d5c8ced72da818d0d80e1
SHA-256: 34051c9d915cd7b9446ab8766ee44bbcd528071f6b94c61204829987d48f3719
python-devel-2.4.3-46.el5_8.2.s390.rpm
File outdated by:  RHBA-2013:0045
    MD5: 8e0a8aeabd3de9aecc3d068ff13b7ef3
SHA-256: 775e51c896e77546e2e1a45d05edeab68b24ac8fa2e2a10b3c25d7123a414dd7
python-devel-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: 043152d50566b89a402a4b9f8bbc0944
SHA-256: b001357027405f28afac01d2f6841d11bcc74a71ae5e9595f5db26564e5eef65
python-libs-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: 388647263b2e0475123f9c53f04f3389
SHA-256: 50ebc44468a8d4cbcde0417a79e662c7e3f1333bf751070602e47dec39e6d7e0
python-tools-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: 9ce6d0e0931604ba98d328aaa7d9623e
SHA-256: 656ad10b4ed4b953b6c682891e39b70cfa9b0946abbbfec70a8bc7d33e89416e
tkinter-2.4.3-46.el5_8.2.s390x.rpm
File outdated by:  RHBA-2013:0045
    MD5: 3a054d192049175e5b043b12135c2631
SHA-256: 99da15d7cb61bd5fc952ee4e326334b7ab2159b0bf6a2adb8feedd7287b348a2
 
x86_64:
python-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: ed854ea29f3f43da1d9a3dc19f559a6b
SHA-256: dd2eed9113bdc5255fbd2fc0a0ebcef5a25848955b10ccee0118b6c27e8ec560
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-debuginfo-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: a063de026f07f8d88c6f227ec7e18b54
SHA-256: ae5a92a06f6c8f83fafabc13ebc3aa7a4fee66b6b414f7c3689beb8dcb9c026d
python-devel-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 79599c0ab6d49cd068f2e0de4ed03372
SHA-256: 60280aa3531b97320d34e6796a8c19894cd68f2b8b3f0ac0e30d55e02c2bfc33
python-devel-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: f64014b821f52289184c36fc6fe78e34
SHA-256: 80a18007cea4de4338995bd495ee9873bb1bb2617057540c25e522d8615b1a96
python-libs-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 5396e8c8c2e6594ee1a54bd61d607714
SHA-256: 6e8c22ca0bf70a4af1dc23a4efdac89a2a8acf8dc19817e48455407ffe9c9879
python-tools-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 092540d4895d5c50bda09e381aad9160
SHA-256: e88669b7159ea06c56ae08994869bfb9d3d44126f3a87c80449a51519e8e957b
tkinter-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: b43856f1384f6570dfbc685f9767eaed
SHA-256: c7b68f17aa5d03695db2eb0b67cfaa6fcad506c89ce282af4ee63b458b165fb1
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
python-2.4.3-46.el5_8.2.src.rpm
File outdated by:  RHBA-2013:0045
    MD5: 327971a58b599ce3959cc5b24d4d1f09
SHA-256: c95ac961e23b98656cfa77c50380089dfd5be2d92188492ff9d2e7e4b9878454
 
IA-32:
python-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: ee084887856df30e8897b83b2468bb31
SHA-256: 8d0b2ed6be922f253f744b6d5781879edeccec28731b22c94e682addc3015bed
python-debuginfo-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: f7486fd99bf34d938012a32852543e71
SHA-256: 7c4981efc7ed0ae6d62a3733182bafaa3b5db18f0023c5f37375585e01ce06e0
python-libs-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 33709460761f01e5de067171645910cd
SHA-256: a5afa346e5fdd2b1ddefdd12675bdd9a6a1eae646acb170278f939b930c3ff7a
python-tools-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: 0f96ba0a9a81758a9c036e4445db80b4
SHA-256: 54763beb166833158d03144eec0aae02b4a76dcf7136fd10bc60fb88c76467e1
tkinter-2.4.3-46.el5_8.2.i386.rpm
File outdated by:  RHBA-2013:0045
    MD5: b3354e6b84086f00eee9b7c0a8cd9e29
SHA-256: 2bf7ae979334d14fc85054a094989c9dd7690406bf686080848c55c46f2078c1
 
x86_64:
python-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: ed854ea29f3f43da1d9a3dc19f559a6b
SHA-256: dd2eed9113bdc5255fbd2fc0a0ebcef5a25848955b10ccee0118b6c27e8ec560
python-debuginfo-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: a063de026f07f8d88c6f227ec7e18b54
SHA-256: ae5a92a06f6c8f83fafabc13ebc3aa7a4fee66b6b414f7c3689beb8dcb9c026d
python-libs-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 5396e8c8c2e6594ee1a54bd61d607714
SHA-256: 6e8c22ca0bf70a4af1dc23a4efdac89a2a8acf8dc19817e48455407ffe9c9879
python-tools-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: 092540d4895d5c50bda09e381aad9160
SHA-256: e88669b7159ea06c56ae08994869bfb9d3d44126f3a87c80449a51519e8e957b
tkinter-2.4.3-46.el5_8.2.x86_64.rpm
File outdated by:  RHBA-2013:0045
    MD5: b43856f1384f6570dfbc685f9767eaed
SHA-256: c7b68f17aa5d03695db2eb0b67cfaa6fcad506c89ce282af4ee63b458b165fb1
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

750555 - CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003)
758905 - CVE-2011-4944 python: distutils creates ~/.pypirc insecurely
803500 - CVE-2011-4940 python: potential XSS in SimpleHTTPServer's list_directory()

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/