[security-announce] Python: Security update

Tudor Florea tudor.florea at enea.com
Fri Jul 3 11:59:55 CEST 2015


	Python: Security update

=========================================================
Product/package: Python: 2.7.3
Severity: Low
CVE Name: CVE-2013-1752 httplib: header parsing is unlimited
=========================================================

This security patch fixes an insufficient check when parsing
the HTTP header, which leads to improper memory consumption.

README file:  0086-python-CVE-2013-1752-httplib.README.asc
Signed patch: 0086-python-CVE-2013-1752-httplib.patch.asc

Description
===========
The httplib module / package can read arbitrary amounts of data
from its socket when it is parsing the HTTP header. This may lead
to issues when a user connects to a broken HTTP server or to
something that isn't an HTTP server at all.
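
The bounded read that this description calls for, shown as an added example; it is not part of the advisory or of the Enea patch. The limits MAX_LINE and MAX_HEADERS, the HeaderLimitError exception and all function names are assumptions made for the illustration, and the header-count cap goes one step beyond the line-length issue described above.

```python
import io

# Assumed limits for this illustration; not taken from the advisory or its patch.
MAX_LINE = 65536     # longest status or header line accepted, in bytes
MAX_HEADERS = 100    # most header lines accepted per response

class HeaderLimitError(ValueError):
    """The peer exceeded one of the limits above."""

def read_line_bounded(fp, what):
    # Request one byte more than the limit: getting it back means the line is too long.
    line = fp.readline(MAX_LINE + 1)
    if len(line) > MAX_LINE:
        raise HeaderLimitError("%s exceeds %d bytes" % (what, MAX_LINE))
    return line

def read_response_head(fp):
    """Read the status line and headers from a binary file object, with bounds."""
    status = read_line_bounded(fp, "status line")
    if not status.startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line")
    headers = []
    while True:
        line = read_line_bounded(fp, "header line")
        if line in (b"\r\n", b"\n", b""):      # blank line or EOF ends the header block
            break
        if len(headers) >= MAX_HEADERS:
            raise HeaderLimitError("more than %d header lines" % MAX_HEADERS)
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return status.strip().decode("latin-1"), headers

def try_parse(raw):
    """Parse constructed bytes; return (result or error text, bytes consumed)."""
    fp = io.BytesIO(raw)   # stands in for socket.makefile("rb")
    try:
        return read_response_head(fp), fp.tell()
    except ValueError as exc:
        return "rejected: %s" % exc, fp.tell()

# Constructed sample inputs.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer: demo\r\n\r\n"
ENDLESS_LINE = b"HTTP/1.1 200 OK" + b"A" * (2 * MAX_LINE)    # newline never arrives
HEADER_FLOOD = b"HTTP/1.1 200 OK\r\n" + b"X-Pad: 1\r\n" * (MAX_HEADERS + 1) + b"\r\n"
NOT_HTTP = b"220 mail.example.test ESMTP\r\n"                # some other protocol
```

Calling try_parse() on each sample shows that the oversized status line is rejected after MAX_LINE + 1 bytes have been read, however much more data the peer is prepared to send.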

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
https://bugs.python.org/issue16037


How to apply the patches
========================
Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0086-python-CVE-2013-1752-httplib.patch.asc
patch -p1 < ./0086-python-CVE-2013-1752-httplib.patch.asc

Contact Info
============
If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Tudor Florea
www.enea.com