Описание
Security update for python
This update for python fixes the following issues:
- CVE-2016-0772: smtplib vulnerability opens startTLS stripping attack (bsc#984751)
- CVE-2016-5699: incorrect validation of HTTP headers allow header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
Список пакетов
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
Ссылки
- Link for SUSE-SU-2016:2270-1
- E-Mail link for SUSE-SU-2016:2270-1
- SUSE Security Ratings
- SUSE Bug 984751
- SUSE Bug 985348
- SUSE Bug 989523
- SUSE CVE CVE-2016-0772 page
- SUSE CVE CVE-2016-1000110 page
- SUSE CVE CVE-2016-5699 page
Описание
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Затронутые продукты
Ссылки
- CVE-2016-0772
- SUSE Bug 984751
Описание
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
Затронутые продукты
Ссылки
- CVE-2016-1000110
- SUSE Bug 988484
- SUSE Bug 989523
Описание
CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.
Затронутые продукты
Ссылки
- CVE-2016-5699
- SUSE Bug 1122729
- SUSE Bug 1130840
- SUSE Bug 985348
- SUSE Bug 985351
- SUSE Bug 986630