Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 14.04 LTS

Description

It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. (CVE-2016-0772)

Rémi Rampin discovered that Python would not protect CGI applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this to cause a CGI application to redirect outgoing HTTP requests. (CVE-2016-1000110)

Insu Yun discovered an integer overflow in the zipimporter module in Python that could lead to a heap-based overflow. An attacker could use this to craft a special zip file that when read by Python could possibly execute arbitrary code. (CVE-2016-5636)

Guido Vranken discovered that the urllib modules in Python did not properly handle carriage return line feed (CRLF) in headers. A remote attacker could use this to craft URLs that inject arbitrary HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5699)

Affected Products and Versions

Severity is medium unless otherwise noted.

• Cloud Foundry BOSH stemcells are vulnerable, including:
• All versions prior to 3151.5
• 3233.x versions prior to 3233.6
• 3263.x versions prior to 3263.12
• 3312.x versions prior to 3312.7
• All other versions
• All versions of Cloud Foundry cflinuxfs2 prior to v.1.92.0
• Python Buildpack versions prior to v1.5.8

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
• Upgrade all lower versions of 3151.x to version 3151.5
• Upgrade all lower versions of 3233.x to version 3233.6
• Upgrade all lower versions of 3263.x to version 3263.12
• Upgrade all lower versions of 3312.x to version 3312.7
• The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.92.0 or later versions
• For existing deployments, upgrade the Python Buildpack to v1.5.8 or later and restage all applications that use automated buildpack detection.

Credit

Rémi Rampin, Insu Yun, Guido Vranken

References

• https://www.ubuntu.com/usn/usn-3134-1
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-0772
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1000110
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-5636
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-5699
• https://github.com/cloudfoundry/python-buildpack/releases