An update for rh-python35-python is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impact ofModerate.

A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Python is an interpreted, interactive, object-oriented programming language,which includes modules, classes, exceptions, very high level dynamic data typesand dynamic typing. Python supports interfaces to many system calls andlibraries, as well as to various windowing systems.Security Fix(es):* It was discovered that the Python CGIHandler class did not properly protectagainst the HTTP_PROXY variable name clash in a CGI context.

A remote attackercould possibly use this flaw to redirect HTTP requests performed by a Python CGIscript to an attacker-controlled proxy via a malicious HTTP request.(CVE-2016-1000110)* It was found that Python’s smtplib library did not return an exception whenStartTLS failed to be established in the SMTP.starttls() function.

A man in themiddle attacker could strip out the STARTTLS command without generating anexception on the Python SMTP client application, preventing the establishment ofthe TLS layer. (CVE-2016-0772)* It was found that the Python’s httplib library (used by urllib, urllib2 andothers) did not properly check HTTPConnection.putheader() function arguments.

Anattacker could use this flaw to inject additional headers in a Pythonapplication that allowed user provided header names or values. (CVE-2016-5699)Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.
Red Hat Software Collections 1 for RHEL 7

    MD5: 3e7427248741a3220bae61c9a4157b47SHA-256: c76e800a6cf90f0a4b3d8d17d0b1352b4dfef6e205b7fe2b3f47ad9e68f2e621
    MD5: a55501d37576861dcf93cf397cd0db0aSHA-256: d65efb9cb71f0c4d86360c8a72ffa92c08231e7f04802d8237d6c1984dd336d3
    MD5: 500027254b7e011db5c7f8c73419e9e8SHA-256: 43bd986dcced1dcc0b19e1b7c2e9b6b444bbfbb6f795d8db1876abf2c555b2c1
    MD5: c02e5a3f235b06f11baa96582d81562dSHA-256: cc109c42ccaa807a9a7c2bbce1a10f9a97f4c30f32c01457182c64084366382d
    MD5: f6ed0eed67e10a67d35b31d6dbceececSHA-256: 275c74f11333d7f9672d0b22f3a65c7eb69429c716f1686bba378276fb6ecb48
    MD5: bbea48a42ef9d4ea82a99327905b6056SHA-256: 2fdb17a5bd260588107c5bf166006862f05262e831745c251fde8d6ff94ecec1
    MD5: c32a6ac95ba8b820e134e7c07bd00e46SHA-256: 7cbb9b8b499660dd1d3dc72d96f8cb95a0312cc348b73abd96f49f5cd4158d79
    MD5: b11177831d42465a9232b07618fac55fSHA-256: b0deb8b0983846b1028b632a2a28221d492949e7428a0a2166a05d448724f082
    MD5: e83147bfecea913ca0adf92738c901ddSHA-256: 4efdb3e9bb744811259beae6829760d826e8662e4bc3f690dd500e7cee9c9bd9
(The unlinked packages above are only available from the Red Hat Network)

1303647 – CVE-2016-0772 python: smtplib StartTLS stripping attack1303699 – CVE-2016-5699 python: http protocol steam injection attack1357334 – CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Leave a Reply