Description
ELSA-2017-1868: python security and bug fix update (MODERATE)
[2.7.5-58.0.1]
- Add Oracle Linux distribution in platform.py [orabug 20812544]
[2.7.5-58]
- Set stream to None in case an _open() fails. Resolves: rhbz#1432003
[2.7.5-57]
- Fix implicit declaration warnings of functions added by patches 147 and 265 Resolves: rhbz#1441237
[2.7.5-56]
- Fix shutil.make_archive ignoring empty directories when creating zip files Resolves: rhbz#1439734
[2.7.5-55]
- Update Python RPM macros with new ones from EPEL7 to simplify packaging Resolves: rhbz#1297522
[2.7.5-54]
- Protect key list during fork() Resolves: rhbz#1268226
[2.7.5-53]
- Fix _ssl.c reference leaks Resolves: rhbz#1272562
[2.7.5-52]
- Workaround Python's threading library issue with non-returning wait, for signals with timeout Resolves: rhbz#1368076
[2.7.5-51]
- Enable certificate verification by default Resolves: rhbz#1219110
[2.7.5-50]
- Fix incorrect parsing of certain regular expressions Resolves: rhbz#1373363
[2.7.5-49]
- Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs Resolves: rhbz#1364444
[2.7.5-48]
- Fix for CVE-2016-1000110 HTTPoxy attack Resolves: rhbz#1359164
[2.7.5-47]
- Fix for CVE-2016-5636: possible integer overflow and heap corruption in zipimporter.get_data() Resolves: rhbz#1356364
[2.7.5-46]
- Drop patch 221 that backported sslwrap function since it was introducing regressions
- Refactor patch 227 Resolves: rhbz#1331425
[2.7.5-45]
- Fix for CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
  Raise an error when STARTTLS fails (upstream patch)
- Fix for CVE-2016-5699 python: http protocol stream injection attack (rhbz#1303699)
  Disabled HTTP header injections in httplib (upstream patch) Resolves: rhbz#1346357
[2.7.5-44]
- Fix iteration over files with very long lines Resolves: rhbz#1271760
[2.7.5-43]
- Move python.conf from /etc/tmpfiles.d/ to /usr/lib/tmpfiles.d/ Resolves: rhbz#1288426
[2.7.5-42]
- JSON decoder lone surrogates fix Resolves: rhbz#1301017
[2.7.5-41]
- Updated PEP493 implementation Resolves: rhbz#1315758
[2.7.5-40]
- Backport of Computed Goto dispatch Resolves: rhbz#1289277
Updated packages
Oracle Linux 7
Oracle Linux aarch64
python          2.7.5-58.0.1.el7
python-debug    2.7.5-58.0.1.el7
python-devel    2.7.5-58.0.1.el7
python-libs     2.7.5-58.0.1.el7
python-test     2.7.5-58.0.1.el7
python-tools    2.7.5-58.0.1.el7
tkinter         2.7.5-58.0.1.el7
Oracle Linux x86_64
python          2.7.5-58.0.1.el7
python-debug    2.7.5-58.0.1.el7
python-devel    2.7.5-58.0.1.el7
python-libs     2.7.5-58.0.1.el7
python-test     2.7.5-58.0.1.el7
python-tools    2.7.5-58.0.1.el7
tkinter         2.7.5-58.0.1.el7
Related CVEs
Related vulnerabilities
The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
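The vulnerability described above is a client that accepts any valid certificate because it neither checks the chain against a trust store nor matches the hostname. The changelog entry "Enable certificate verification by default" (2.7.5-51) closes that gap for the stock library, but application code can still construct a weakened SSLContext. The following is an added example, not code from the advisory or the python package: it audits an ssl.SSLContext for exactly the two properties the CVE text names (verify_mode and check_hostname), builds a verified context beside a deliberately unverified one for comparison, and refuses to create an HTTPS connection with a context that fails the audit. It is written for Python 3 (the advisory concerns Python 2.7.5, where the same SSLContext attributes exist from the verifying backport onward); the function names and the host example.invalid are the example's own choices, and no network connection is opened.

```python
import ssl
import http.client


def audit_tls_context(ctx):
    """Return findings that explain why ctx would let an attacker in the
    middle present an arbitrary valid certificate. An empty list means the
    context verifies both the certificate chain and the server hostname."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the certificate is not "
            "checked against a trust store")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: the server hostname is not matched "
            "against the certificate's CN or subjectAltName")
    return findings


def make_verified_context(cafile=None):
    """The hardened configuration: create_default_context() sets
    CERT_REQUIRED and check_hostname=True and loads the system trust store
    (or the given cafile). The audit is asserted so an environment that
    silently changes these defaults fails loudly."""
    ctx = ssl.create_default_context(cafile=cafile)
    assert not audit_tls_context(ctx)
    return ctx


def make_unverified_context():
    """The weak configuration, reproduced only for the comparison: this is
    the effective pre-2.7.9 client behaviour the CVE text describes.
    check_hostname must be cleared before verify_mode can be CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def https_connection(host, port=443, ctx=None):
    """Build (without opening) an HTTPS connection that refuses any context
    failing the audit, so a weakened context cannot reach the network."""
    ctx = ctx or make_verified_context()
    findings = audit_tls_context(ctx)
    if findings:
        raise ValueError("refusing insecure TLS context: " + "; ".join(findings))
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    # Constructed comparison: the verified context yields no findings, the
    # unverified one reports both missing checks.
    for name, context in (("verified", make_verified_context()),
                          ("unverified", make_unverified_context())):
        print(name, audit_tls_context(context) or "OK")
    conn = https_connection("example.invalid")  # hypothetical host, not contacted
    print("connection object prepared for", conn.host)
```

The audit deliberately treats CERT_OPTIONAL as a failure as well: with CERT_OPTIONAL a presented certificate is validated, but the two attributes together are what the CVE text requires, and CERT_REQUIRED is the only mode in which a missing or rejected certificate aborts the handshake.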