Test ID: | 1.3.6.1.4.1.25623.1.0.891663 |
Category: | Debian Local Security Checks |
Title: | Debian LTS: Security Advisory for python3.4 (DLA-1663-1) |
Summary: | This DLA fixes a problem parsing X.509 certificates, a pickle integer overflow, and some other minor issues:

CVE-2016-0772

The smtplib library in CPython does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a 'StartTLS stripping attack.'

CVE-2016-5636

Integer overflow in the get_data function in zipimport.c in CPython allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

CVE-2016-5699

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

CVE-2018-20406

Modules/_pickle.c has an integer overflow via a large LONG_BINPUT value that is mishandled during a 'resize to twice the size' attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.

CVE-2019-5010

NULL pointer dereference using a specially crafted X509 certificate. |
Affected Software/OS: | python3.4 on Debian Linux |
Solution: | For Debian 8 'Jessie', these problems have been fixed in version 3.4.2-1+deb8u2. We recommend that you upgrade your python3.4 packages. |
CVSS Score: | 10.0 (the score of the most severe bundled issue, not of each CVE individually) |
CVSS Vector: | AV:N/AC:L/Au:N/C:C/I:C/A:C |
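CVE-2016-5699 above is a header-injection bug: a percent-encoded CR LF in the URL was decoded into a header value that putheader then wrote to the wire unchanged, so whoever controls the URL controls the request headers. The fix made putheader reject bare CR/LF. The following is an added example written for this page (not CPython's code and not part of the advisory): a strict validator an application can apply to header names and values taken from untrusted input, plus a probe, with no network access, of whether the running interpreter's http.client carries the guard. The header values are constructed.

```python
import http.client
import re

# Constructed examples (not from the advisory): a benign header and one
# carrying a CRLF sequence that would start a second, attacker-chosen header.
BENIGN = ("X-Request-Id", "abc123")
INJECTED = ("X-Request-Id", "abc123\r\nX-Injected: 1")

# RFC 7230 token characters, the only ones permitted in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_header(name: str, value: str) -> bool:
    """Return True only if name is a token and value carries no CR or LF.

    Deliberately stricter than CPython's own check, which still tolerates a
    CR/LF followed by a space or tab (obsolete line folding).
    """
    if not _TOKEN.match(name):
        return False
    return "\r" not in value and "\n" not in value


def stdlib_rejects_crlf() -> bool:
    """Probe whether the running http.client refuses a CRLF in a header value.

    putrequest() and putheader() only fill an in-memory buffer, so this never
    opens a socket. A patched interpreter raises ValueError; an unpatched one
    silently accepts the value, so the function returns False there.
    """
    conn = http.client.HTTPConnection("127.0.0.1", 80)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader(*INJECTED)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    print("benign header accepted:", is_safe_header(*BENIGN))
    print("injected header accepted:", is_safe_header(*INJECTED))
    print("http.client rejects CRLF:", stdlib_rejects_crlf())
```

Run the probe on the interpreter you actually ship with; a False from stdlib_rejects_crlf() means the library will not save you and the application-level validator is the only barrier.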
Cross-Ref: |
CVE-2016-0772
  BugTraq ID: 91225 http://www.securityfocus.com/bid/91225
  https://security.gentoo.org/glsa/201701-18
  https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html
  http://www.openwall.com/lists/oss-security/2016/06/14/9
  RedHat Security Advisories: RHSA-2016:1626 http://rhn.redhat.com/errata/RHSA-2016-1626.html
  RedHat Security Advisories: RHSA-2016:1627 http://rhn.redhat.com/errata/RHSA-2016-1627.html
  RedHat Security Advisories: RHSA-2016:1628 http://rhn.redhat.com/errata/RHSA-2016-1628.html
  RedHat Security Advisories: RHSA-2016:1629 http://rhn.redhat.com/errata/RHSA-2016-1629.html
  RedHat Security Advisories: RHSA-2016:1630 http://rhn.redhat.com/errata/RHSA-2016-1630.html
  SuSE Security Announcement: openSUSE-SU-2020:0086 http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
CVE-2016-5636
  BugTraq ID: 91247 http://www.securityfocus.com/bid/91247
  http://www.openwall.com/lists/oss-security/2016/06/15/15
  http://www.openwall.com/lists/oss-security/2016/06/16/1
  RedHat Security Advisories: RHSA-2016:2586 http://rhn.redhat.com/errata/RHSA-2016-2586.html
  http://www.securitytracker.com/id/1038138
CVE-2016-5699
  BugTraq ID: 91226 http://www.securityfocus.com/bid/91226
  http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
  http://www.openwall.com/lists/oss-security/2016/06/14/7
  http://www.openwall.com/lists/oss-security/2016/06/15/12
  http://www.openwall.com/lists/oss-security/2016/06/16/2
CVE-2019-5010
  https://security.gentoo.org/glsa/202003-26
  https://talosintelligence.com/vulnerability_reports/TALOS-2019-0758
  https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
  https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
  https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
  RedHat Security Advisories: RHSA-2019:3520 https://access.redhat.com/errata/RHSA-2019:3520
  RedHat Security Advisories: RHSA-2019:3725 https://access.redhat.com/errata/RHSA-2019:3725 |
Copyright | Copyright (C) 2019 Greenbone Networks GmbH |