[security-announce] Python: Security update

Tudor Florea tudor.florea at enea.com
Thu Jul 9 00:11:20 CEST 2015


	Python: Security update

=======================================================================
Product/package: Enea-Linux: 5.0-beta-m400 / Python: 2.7.3
Severity: Low
CVE Name: CVE-2013-1752 ftplib, imaplib, nntplib and poplib: read limit
=======================================================================

This security patch fixes insufficient checks in the
ftplib, imaplib, nntplib and poplib modules.

README file:  0020-python-CVE-2013-1752-ftp-imap-nntp-pop.README.asc
Signed patch: 0020-python-CVE-2013-1752-ftp-imap-nntp-pop.patch.asc

Description
===========
The ftplib, imaplib, nntplib and poplib modules don't limit the amount
of data read in their calls to readline().
The ftplib, imaplib, nntplib and poplib modules are modified to call
readline() with a read limit of _MAXLINE.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
https://bugs.python.org/issue16038
https://bugs.python.org/issue16039
https://bugs.python.org/issue16040
https://bugs.python.org/issue16041

How to apply the patches
========================
Preparation
Make sure that you have an installation of Enea Linux 5.0 beta m400
and have applied the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky/
<Fetch and apply the existing patches >

Fetch and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/patches/\
0020-python-CVE-2013-1752-ftp-imap-nntp-pop.patch.asc
patch -p1 < ./0020-python-CVE-2013-1752-ftp-imap-nntp-pop.patch.asc

Contact Info
============
If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Tudor Florea
www.enea.com
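
The read limit described under "Description", shown as an added example that is not part of the Enea advisory or of the patch itself. It is written for Python 3; the _MAXLINE value, the LineTooLong exception, the EndlessLine stream and the sample reply are assumptions constructed for the illustration.

```python
import io

_MAXLINE = 2048  # assumed limit for this example; each patched module sets its own


class LineTooLong(Exception):
    """Raised when the peer sends more than _MAXLINE bytes without a newline."""


class EndlessLine(io.RawIOBase):
    """Constructed stand-in for a peer that sends `total` bytes and no newline."""

    def __init__(self, total):
        self.remaining = total
        self.served = 0  # bytes actually pulled from the "network"

    def readable(self):
        return True

    def readinto(self, buf):
        n = min(len(buf), self.remaining)
        buf[:n] = b"A" * n
        self.remaining -= n
        self.served += n
        return n


def read_response_line(fileobj):
    """Bounded read: request at most _MAXLINE + 1 bytes, reject longer lines."""
    line = fileobj.readline(_MAXLINE + 1)
    if len(line) > _MAXLINE:
        raise LineTooLong("got more than %d bytes" % _MAXLINE)
    return line


def compare(total):
    """Return (bytes buffered by unbounded readline, bounded rejected?, bytes pulled)."""
    unbounded = io.BufferedReader(EndlessLine(total)).readline()  # pre-patch pattern
    raw = EndlessLine(total)
    try:
        read_response_line(io.BufferedReader(raw))
        rejected = False
    except LineTooLong:
        rejected = True
    return len(unbounded), rejected, raw.served


if __name__ == "__main__":
    print(compare(5000000))
    print(read_response_line(io.BytesIO(b"+OK ready\r\n")))  # constructed reply
```

The unbounded call buffers everything the peer sends, while the bounded call stops after one buffer fill and raises, so memory use no longer depends on the remote side.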