ID CVE-2011-1521
Summary The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
References
Vulnerable Configurations
  • Python 2.6
    cpe:2.3:a:python:python:2.6
  • Python 2.5.3
    cpe:2.3:a:python:python:2.5.3
  • Python 2.6.1
    cpe:2.3:a:python:python:2.6.1
  • Python 2.3.2
    cpe:2.3:a:python:python:2.3.2
  • Python 2.3.1
    cpe:2.3:a:python:python:2.3.1
  • Python 2.5.2
    cpe:2.3:a:python:python:2.5.2
  • Python 2.4
    cpe:2.3:a:python:python:2.4
  • Python 2.1.2
    cpe:2.3:a:python:python:2.1.2
  • Python 2.1
    cpe:2.3:a:python:python:2.1
  • Python 2.2.1
    cpe:2.3:a:python:python:2.2.1
  • Python 2.2
    cpe:2.3:a:python:python:2.2
  • Python 2.3.4
    cpe:2.3:a:python:python:2.3.4
  • Python Python 2.4.3
    cpe:2.3:a:python:python:2.4.3
  • Python 2.3.5
    cpe:2.3:a:python:python:2.3.5
  • Python 2.3
    cpe:2.3:a:python:python:2.3
  • Python 2.3.3
    cpe:2.3:a:python:python:2.3.3
  • Python 2.2.2
    cpe:2.3:a:python:python:2.2.2
  • Python 2.2.3
    cpe:2.3:a:python:python:2.2.3
  • Python 2.1.1
    cpe:2.3:a:python:python:2.1.1
  • Python 2.7
    cpe:2.3:a:python:python:2.7
  • Python 2.5.1
    cpe:2.3:a:python:python:2.5.1
  • Python 2.5
    cpe:2.3:a:python:python:2.5
  • Python 2.4.4
    cpe:2.3:a:python:python:2.4.4
  • Python 2.4.2
    cpe:2.3:a:python:python:2.4.2
  • Python 2.4.1
    cpe:2.3:a:python:python:2.4.1
  • Python 2.0.1
    cpe:2.3:a:python:python:2.0.1
  • Python 2.0
    cpe:2.3:a:python:python:2.0
  • Python 2.6.4
    cpe:2.3:a:python:python:2.6.4
  • Python 2.3.7
    cpe:2.3:a:python:python:2.3.7
  • Python 2.1.3
    cpe:2.3:a:python:python:2.1.3
  • Python 2.5.4
    cpe:2.3:a:python:python:2.5.4
  • Python 2.4.6
    cpe:2.3:a:python:python:2.4.6
  • Python 2.6.7
    cpe:2.3:a:python:python:2.6.7
  • Python 2.6.6
    cpe:2.3:a:python:python:2.6.6
  • Python 2.6.5
    cpe:2.3:a:python:python:2.6.5
  • Python 2.7.1
    cpe:2.3:a:python:python:2.7.1
  • Python 3.1
    cpe:2.3:a:python:python:3.1
  • Python 3.2-alpha
    cpe:2.3:a:python:python:3.2:alpha
  • Python 3.1.2
    cpe:2.3:a:python:python:3.1.2
  • Python 3.0.1
    cpe:2.3:a:python:python:3.0.1
  • Python 3.1.1
    cpe:2.3:a:python:python:3.1.1
  • Python 3.0
    cpe:2.3:a:python:python:3.0
  • Python 3.1.3
    cpe:2.3:a:python:python:3.1.3
  • Python 3.2
    cpe:2.3:a:python:python:3.2
CVSS
Base: 6.4 (as of 25-05-2011 - 09:28)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). - CVE-2011-1521 : CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 54641
    published 2011-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54641
    title SuSE 11.1 Security Update : Python (SAT Patch Number 4512)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75608
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75608
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75916
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75916
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1613-1.NASL
    description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that the Expat module in Python 2.5 computed hash values without restricting the ability to trigger hash collisions predictably. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that the Expat module in Python 2.5 did not properly handle memory reallocation when processing XML files. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. (CVE-2012-1148). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62619
    published 2012-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62619
    title Ubuntu 8.04 LTS : python2.5 vulnerabilities (USN-1613-1)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_608089_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities : - A denial of service vulnerability exists in the big2_toUtf8() function in file lib/xmltok.c in the libexpat library. A remote attacker can exploit this, via an XML document having malformed UTF-8 sequences, to cause a buffer over-read, thus crashing the application. (CVE-2009-3560) - A denial of service vulnerability exists in the updatePosition() function in file lib/xmltok.c in the libexpat library. A remote attacker can exploit this, via an XML document having malformed UTF-8 sequences, to cause a buffer over-read, thus crashing the application. (CVE-2009-3720) - An integer overflow condition exists in the BZ2_decompress() function in file decompress.c in the bzip2 and libbzip2 library. A remote attacker can exploit this, via a crafted compressed file, to cause a denial of service or the execution of arbitrary code. (CVE-2010-0405) - A denial of service vulnerability exists in the audioop module due to multiple integer overflows conditions in file audioop.c. A remote attacker can exploit this, via a large fragment or argument, to cause a buffer overflow, resulting in an application crash. (CVE-2010-1634) - A denial of service vulnerability exists in the audioop module due to a failure to verify the relationships between size arguments and byte string length. A remote attacker can exploit this, via crafted arguments, to cause memory corruption, resulting in an application crash. (CVE-2010-2089) - A flaw exists in the urllib and urllib2 modules due to processing Location headers that specify redirection to a file. A remote attacker can exploit this, via a crafted URL, to gain sensitive information or cause a denial of service. (CVE-2011-1521) - A privilege escalation vulnerability exists due to an incorrect ACL being used for the VMware Tools folder. An attacker on an adjacent network with access to a guest operating system can exploit this to gain elevated privileges on the guest operating system. (CVE-2012-1518)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70881
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70881
    title ESXi 5.0 < Build 608089 Multiple Vulnerabilities (remote check)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2011-006.NASL
    description The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2011-006 applied. This update contains numerous security-related fixes for the following components : - Apache - Application Firewall - ATS - BIND - Certificate Trust Policy - CFNetwork - CoreFoundation - CoreMedia - File Systems - IOGraphics - iChat Server - Mailman - MediaKit - PHP - postfix - python - QuickTime - Tomcat - User Documentation - Web Server - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 56481
    published 2011-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56481
    title Mac OS X Multiple Vulnerabilities (Security Update 2011-006)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PYTHON-7506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 57248
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57248
    title SuSE 10 Security Update : python (ZYPP Patch Number 7506)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_7_2.NASL
    description The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.2. This version contains numerous security-related fixes for the following components : - Apache - Application Firewall - ATS - BIND - Certificate Trust Policy - CFNetwork - CoreMedia - CoreProcesses - CoreStorage - File Systems - iChat Server - Kernel - libsecurity - Open Directory - PHP - python - QuickTime - SMB File Server - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 56480
    published 2011-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56480
    title Mac OS X 10.7.x < 10.7.2 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_LIBPYTHON2_6-1_0-110506.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53885
    published 2011-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53885
    title openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2011:0484-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1613-2.NASL
    description USN-1613-1 fixed vulnerabilities in Python 2.5. This update provides the corresponding updates for Python 2.4. It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that the Expat module in Python 2.5 computed hash values without restricting the ability to trigger hash collisions predictably. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that the Expat module in Python 2.5 did not properly handle memory reallocation when processing XML files. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. (CVE-2012-1148). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62620
    published 2012-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62620
    title Ubuntu 8.04 LTS : python2.4 vulnerabilities (USN-1613-2)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1596-1.NASL
    description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This update adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. (CVE-2012-1150). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62436
    published 2012-10-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62436
    title Ubuntu 10.04 LTS / 11.04 / 11.10 : python2.6 vulnerabilities (USN-1596-1)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0001.NASL
    description a. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues. b. ESX third-party update for Service Console cURL RPM The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9 resolving a security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2192 to this issue. c. ESX third-party update for Service Console nspr and nss RPMs The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving a security issues. A Certificate Authority (CA) issued fraudulent SSL certificates and Netscape Portable Runtime (NSPR) and Network Security Services (NSS) contain the built-in tokens of this fraudulent Certificate Authority. This update renders all SSL certificates signed by the fraudulent CA as untrusted for all uses. d. ESX third-party update for Service Console rpm RPMs The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues. e. ESX third-party update for Service Console samba RPMs The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522 and CVE-2011-2694 to these issues. Note that ESX does not include the Samba Web Administration Tool (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and CVE-2011-2694. f. ESX third-party update for Service Console python package The ESX Service Console (COS) python package is updated to 2.4.3-44 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and CVE-2011-1521 to these issues. g. ESXi update to third-party component python The python third-party library is updated to python 2.5.6 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, and CVE-2011-1521 to these issues.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 57749
    published 2012-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57749
    title VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1592-1.NASL
    description Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This update adds the '-R' command line option and honors setting the PYTHONHASHSEED environment variable to 'random' to salt str and datetime objects with an unpredictable value. (CVE-2012-1150). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62410
    published 2012-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62410
    title Ubuntu 11.04 / 11.10 : python2.7 vulnerabilities (USN-1592-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110519_PYTHON_ON_SL6_X.NASL
    description Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) This erratum also upgrades Python to upstream version 2.6.6, and includes a number of bug fixes and enhancements. Documentation for these bug fixes and enhancements is available from the Technical Notes document, linked to in the References section. All users of Python are advised to upgrade to these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61046
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61046
    title Scientific Linux Security Update : python on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0554.NASL
    description Updated python packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) This erratum also upgrades Python to upstream version 2.6.6, and includes a number of bug fixes and enhancements. Documentation for these bug fixes and enhancements is available from the Technical Notes document, linked to in the References section. All users of Python are advised to upgrade to these updated packages, which correct these issues, and fix the bugs and add the enhancements noted in the Technical Notes.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 54592
    published 2011-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54592
    title RHEL 6 : python (RHSA-2011:0554)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0492.NASL
    description From Red Hat Security Advisory 2011:0492 : Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68271
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68271
    title Oracle Linux 5 : python (ELSA-2011-0492)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-096.NASL
    description Multiple vulnerabilities have been identified and fixed in python : The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI (CVE-2011-1015). A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the file:// URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed (CVE-2011-1521). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149 products_id=490 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 54611
    published 2011-05-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54611
    title Mandriva Linux Security Advisory : python (MDVSA-2011:096)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-0492.NASL
    description Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53815
    published 2011-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53815
    title CentOS 5 : python (CESA-2011:0492)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0001_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - COS kernel - cURL - python - rpm
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 89105
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89105
    title VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0491.NASL
    description Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 53820
    published 2011-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53820
    title RHEL 4 : python (RHSA-2011:0491)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_PYTHON-RANDOMISATION-UPDATE-120516.NASL
    description This update to python 2.6.8 fixes the following bugs, among others : - XMLRPC Server DoS. (CVE-2012-0845, bnc#747125) - hash randomization issues. (CVE-2012-1150, bnc#751718) - insecure creation of .pypirc. (CVE-2011-4944, bnc#754447) - SimpleHTTPServer XSS. (CVE-2011-1015, bnc#752375) - functions can accept unicode kwargs. (bnc#744287) - python MainThread lacks ident. (bnc#754547) - TypeError: waitpid() takes no keyword arguments. (bnc#751714) - Source code exposure in CGIHTTPServer module. (CVE-2011-1015, bnc#674646) - Insecure redirect processing in urllib2 (CVE-2011-1521, bnc#682554) The hash randomization fix is by default disabled to keep compatibility with existing python code when it extracts hashes. To enable the hash seed randomization you can use: - pass -R to the python interpreter commandline. - set the environment variable PYTHONHASHSEED=random to enable it for programs. You can also set this environment variable to a fixed hash seed by specifying a integer value between 0 and MAX_UINT. In generally enabling this is only needed when malicious third parties can inject values into your hash tables. The update to 2.6.8 also provides many compatibility fixes with OpenStack.
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64220
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64220
    title SuSE 11.1 Security Update : libpython2_6-1_0, libpython2_6-1_0-32bit, libpython2_6-1_0-x86, python, etc (SAT Patch Number 6310)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0492.NASL
    description Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 53821
    published 2011-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53821
    title RHEL 5 : python (RHSA-2011:0492)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1314-1.NASL
    description Giampaolo Rodola discovered that the smtpd module in Python 3 did not properly handle certain error conditions. A remote attacker could exploit this to cause a denial of service via daemon outage. This issue only affected Ubuntu 10.04 LTS. (CVE-2010-3493) Niels Heinen discovered that the urllib module in Python 3 would process Location headers that specify a file:// URL. A remote attacker could use this to obtain sensitive information or cause a denial of service via resource consumption. (CVE-2011-1521). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 57345
    published 2011-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57345
    title Ubuntu 10.04 LTS / 10.10 / 11.04 : python3.1, python3.2 vulnerabilities (USN-1314-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-0491.NASL
    description Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53814
    published 2011-05-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53814
    title CentOS 4 : python (CESA-2011:0491)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0491.NASL
    description From Red Hat Security Advisory 2011:0491 : Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720) This update makes Python use the system Expat library rather than its own internal copy; therefore, users must have the version of Expat shipped with RHSA-2009:1625 installed, or a later version, to resolve the CVE-2009-3720 issue. All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68270
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68270
    title Oracle Linux 4 : python (ELSA-2011-0491)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110505_PYTHON_ON_SL4_X.NASL
    description A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the 'file://' URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2011-1521) Multiple flaws were found in the Python audioop module. Supplying certain inputs could cause the audioop module to crash or, possibly, execute arbitrary code. (CVE-2010-1634, CVE-2010-2089) A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate. (CVE-2010-3493) An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially crafted request to obtain the CGI script's source code. (CVE-2011-1015) A buffer over-read flaw was found in the way the Python Expat parser handled malformed UTF-8 sequences when processing XML files. A specially crafted XML file could cause Python applications using the Python Expat parser to crash while parsing the file. (CVE-2009-3720)
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61033
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61033
    title Scientific Linux Security Update : python on SL4.x, SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_PYTHON-RANDOMISATION-UPDATE-120517.NASL
    description This update to python 2.6.8 fixes the following bugs, among others : - XMLRPC Server DoS. (CVE-2012-0845, bnc#747125) - hash randomization issues. (CVE-2012-1150, bnc#751718) - insecure creation of .pypirc. (CVE-2011-4944, bnc#754447) - SimpleHTTPServer XSS. (CVE-2011-1015, bnc#752375) - functions can accept unicode kwargs. (bnc#744287) - python MainThread lacks ident. (bnc#754547) - TypeError: waitpid() takes no keyword arguments. (bnc#751714) - Source code exposure in CGIHTTPServer module. (CVE-2011-1015, bnc#674646) - Insecure redirect processing in urllib2 (CVE-2011-1521, bnc#682554) The hash randomization fix is by default disabled to keep compatibility with existing python code when it extracts hashes. To enable the hash seed randomization you can use: - pass -R to the python interpreter commandline. - set the environment variable PYTHONHASHSEED=random to enable it for programs. You can also set this environment variable to a fixed hash seed by specifying a integer value between 0 and MAX_UINT. In generally enabling this is only needed when malicious third parties can inject values into your hash tables. The update to 2.6.8 also provides many compatibility fixes with OpenStack.
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64221
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64221
    title SuSE 11.1 Security Update : libpython2_6-1_0, libpython2_6-1_0-32bit, libpython2_6-1_0-x86, python, etc (SAT Patch Number 6310)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_PYTHON-7509.NASL
    description This update of python fixes a possible denial of service bug or information leakage vulnerability while using user-crafted ftp:// or file:// URLs with urllib(2). CVE-2011-1521: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 54643
    published 2011-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54643
    title SuSE 10 Security Update : python (ZYPP Patch Number 7509)
redhat via4
advisories
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment python is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491002
        • comment python is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713003
      • AND
        • comment python-devel is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491004
        • comment python-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713009
      • AND
        • comment python-docs is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491006
        • comment python-docs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713013
      • AND
        • comment python-tools is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491008
        • comment python-tools is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713007
      • AND
        • comment tkinter is earlier than 0:2.3.4-14.10.el4
          oval oval:com.redhat.rhsa:tst:20110491010
        • comment tkinter is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060713005
    rhsa
    id RHSA-2011:0491
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0491: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment python is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492002
        • comment python is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176003
      • AND
        • comment python-devel is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492008
        • comment python-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176005
      • AND
        • comment python-libs is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492006
        • comment python-libs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20110027005
      • AND
        • comment python-tools is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492010
        • comment python-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176009
      • AND
        • comment tkinter is earlier than 0:2.4.3-44.el5
          oval oval:com.redhat.rhsa:tst:20110492004
        • comment tkinter is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091176007
    rhsa
    id RHSA-2011:0492
    released 2011-05-05
    severity Moderate
    title RHSA-2011:0492: python security update (Moderate)
  • bugzilla
    id 690560
    title CVE-2011-1521 python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes (Issue #11662)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment python-docs is earlier than 0:2.6.6-2.el6
          oval oval:com.redhat.rhsa:tst:20110554005
        • comment python-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554006
      • AND
        • comment python is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554007
        • comment python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554008
      • AND
        • comment python-devel is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554009
        • comment python-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554010
      • AND
        • comment python-libs is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554013
        • comment python-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554014
      • AND
        • comment python-test is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554015
        • comment python-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554016
      • AND
        • comment python-tools is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554011
        • comment python-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554012
      • AND
        • comment tkinter is earlier than 0:2.6.6-20.el6
          oval oval:com.redhat.rhsa:tst:20110554017
        • comment tkinter is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110554018
    rhsa
    id RHSA-2011:0554
    released 2011-05-19
    severity Moderate
    title RHSA-2011:0554: python security, bug fix, and enhancement update (Moderate)
rpms
  • python-0:2.3.4-14.10.el4
  • python-devel-0:2.3.4-14.10.el4
  • python-docs-0:2.3.4-14.10.el4
  • python-tools-0:2.3.4-14.10.el4
  • tkinter-0:2.3.4-14.10.el4
  • python-0:2.4.3-44.el5
  • python-devel-0:2.4.3-44.el5
  • python-libs-0:2.4.3-44.el5
  • python-tools-0:2.4.3-44.el5
  • tkinter-0:2.4.3-44.el5
  • python-docs-0:2.6.6-2.el6
  • python-0:2.6.6-20.el6
  • python-devel-0:2.6.6-20.el6
  • python-libs-0:2.6.6-20.el6
  • python-test-0:2.6.6-20.el6
  • python-tools-0:2.6.6-20.el6
  • tkinter-0:2.6.6-20.el6
refmap via4
apple APPLE-SA-2011-10-12-3
confirm
mandriva MDVSA-2011:096
mlist
  • [oss-security] 20110324 CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110328 Re: CVE Request -- Python (urllib, urllib2): Improper management of ftp:// and file:// URL schemes
  • [oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • [oss-security] 20110916 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
sectrack 1025488
secunia
  • 50858
  • 51024
  • 51040
suse SUSE-SR:2011:009
ubuntu
  • USN-1592-1
  • USN-1596-1
  • USN-1613-1
  • USN-1613-2
vmware via4
description The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client.
id VMSA-2012-0001
last_updated 2012-03-29T00:00:00
published 2012-01-30T00:00:00
title ESX third party update for Service Console samba RPMs
Last major update 20-02-2014 - 23:41
Published 24-05-2011 - 19:55
Back to Top