An update for python27-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110)

* It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)

* It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.
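As an added example for this page (not Red Hat's or CPython's code), the following mirrors the kind of check the fixed httplib applies in HTTPConnection.putheader() for CVE-2016-5699: a pre-fix style serialiser that splices a user-supplied value straight into the request, beside a hardened one that refuses names and values carrying a bare CR or LF. The regular expressions and the sample headers are this example's own assumptions.

```python
import re

# Rules in the spirit of the httplib fix for CVE-2016-5699 (this example's
# own regexes, not the patch): a header name must not start with whitespace
# and must not contain ':' or a line break; a value may contain CR/LF only
# as obsolete line folding (followed by SP or HTAB), never a bare line break.
_LEGAL_NAME = re.compile(r"[^:\s][^:\r\n]*")
_ILLEGAL_VALUE = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")


def is_safe_header(name: str, value: str) -> bool:
    """True only if (name, value) serialises to exactly one header line."""
    return bool(_LEGAL_NAME.fullmatch(name)) and _ILLEGAL_VALUE.search(value) is None


def serialise_unchecked(headers: dict) -> str:
    """Pre-fix behaviour: the caller's bytes are spliced in as-is."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers.items())


def serialise_checked(headers: dict) -> str:
    """Hardened stand-in for putheader(): refuse rather than splice."""
    out = []
    for name, value in headers.items():
        if not is_safe_header(name, value):
            raise ValueError(f"illegal header {name!r}: {value!r}")
        out.append(f"{name}: {value}\r\n")
    return "".join(out)


def parsed_header_names(block: str) -> list:
    """Header names a receiving parser would see in a serialised block."""
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]


if __name__ == "__main__":
    # Constructed sample: the application copies a user-supplied value
    # straight into a header; the second value carries an embedded CRLF.
    benign = {"X-Request-Id": "abc123"}
    hostile = {"X-Request-Id": "abc123\r\nX-Admin: true"}
    print(parsed_header_names(serialise_unchecked(benign)))   # one header
    print(parsed_header_names(serialise_unchecked(hostile)))  # two headers
    try:
        serialise_checked(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The unchecked serialiser shows why a peer parses two headers from one application-supplied value; the checked one is the behaviour an application on an unpatched Python should enforce itself before calling putheader().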
Red Hat Software Collections 1 for RHEL 6

SRPMS:
python27-python-2.7.8-18.el6.src.rpm
 
x86_64:
python27-python-2.7.8-18.el6.x86_64.rpm
python27-python-debug-2.7.8-18.el6.x86_64.rpm
python27-python-debuginfo-2.7.8-18.el6.x86_64.rpm
python27-python-devel-2.7.8-18.el6.x86_64.rpm
python27-python-libs-2.7.8-18.el6.x86_64.rpm
python27-python-test-2.7.8-18.el6.x86_64.rpm
python27-python-tools-2.7.8-18.el6.x86_64.rpm
python27-tkinter-2.7.8-18.el6.x86_64.rpm
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
python27-python-2.7.8-16.el7.src.rpm
 
x86_64:
python27-python-2.7.8-16.el7.x86_64.rpm
python27-python-debug-2.7.8-16.el7.x86_64.rpm
python27-python-debuginfo-2.7.8-16.el7.x86_64.rpm
python27-python-devel-2.7.8-16.el7.x86_64.rpm
python27-python-libs-2.7.8-16.el7.x86_64.rpm
python27-python-test-2.7.8-16.el7.x86_64.rpm
python27-python-tools-2.7.8-16.el7.x86_64.rpm
python27-tkinter-2.7.8-16.el7.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

1303647 – CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 – CVE-2016-5699 python: http protocol steam injection attack
1357334 – CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
