Cloud Foundry Logo

USN-3134-1: Python vulnerabilities

By: | December 14, 2016

Share

USN-3134-1: Python vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772)

Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this to cause a CGI application to redirect outgoing HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in Python that could lead to a heap-based overflow. An attacker could use this to craft a special zip file that when read by Python could possibly execute arbitrary code. (CVE-2016-5636)

Guido Vranken discovered that the urllib modules in Python did not properly handle carriage return line feed (CRLF) in headers. A remote attacker could use this to craft URLs that inject arbitrary HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5699)

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.5
    • 3233.x versions prior to 3233.6
    • 3263.x versions prior to 3263.12
    • 3312.x versions prior to 3312.7
    • All other versions
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.92.0
  • Python Buildpack versions prior to v1.5.8

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all lower versions of 3151.x to version 3151.5
    • Upgrade all lower versions of 3233.x to version 3233.6
    • Upgrade all lower versions of 3263.x to version 3263.12
    • Upgrade all lower versions of 3312.x to version 3312.7
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.92.0 or later versions
  • For existing deployments, upgrade the Python Buildpack to v1.5.8 or later and restage all applications that use automated buildpack detection.

Credit

Rémi Rampin, Insu Yun, Guido Vranken

References

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES