An update for python33-python is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110)

* It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man-in-the-middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)

* It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values. (CVE-2016-5699)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.
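The three issues above share one shape: input that crosses a trust boundary (a request header, an SMTP server reply, a caller-supplied header value) is accepted without a check. The following is an added example, not code from Red Hat or from CPython, showing the defensive check an application can apply for each of them independently of the package update: dropping the client-controlled HTTP_PROXY variable from a CGI environment, refusing header names and values that cannot be emitted as a single header line before they reach HTTPConnection.putheader(), and treating any STARTTLS outcome other than a 220 reply as a failure. SAMPLE_CGI_ENV and the StubSMTP class are constructed stand-ins so the checks run offline; the regular expressions are this example's own, not the ones shipped in the fixed package.

```python
"""Defensive checks for the three issues in this advisory (added example)."""
import re
import smtplib

# --- CVE-2016-1000110: HTTP_PROXY name clash in a CGI context ---------------

# Constructed sample CGI environment, shaped like what a web server hands to a
# CGI script: the client sent a "Proxy:" request header, and CGI's HTTP_ prefix
# rule turned it into HTTP_PROXY, a variable many HTTP clients read as their
# outbound proxy setting.
SAMPLE_CGI_ENV = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/app.py",
    "HTTP_HOST": "app.example.test",
    "HTTP_PROXY": "http://proxy.example.test:8080",  # client-controlled
}


def scrub_cgi_proxy_env(environ):
    """Return a copy of a CGI environment with HTTP_PROXY removed.

    Under CGI, HTTP_PROXY can only have come from the request, so it must
    never be honoured as a proxy setting; apply this to os.environ before
    making any outbound HTTP request from the script.
    """
    cleaned = dict(environ)
    cleaned.pop("HTTP_PROXY", None)
    return cleaned


# --- CVE-2016-5699: header injection via HTTPConnection.putheader() ---------

# Header names are restricted to RFC 7230 "token" characters.
_HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A CR, LF or other C0 control character (tab excepted) in a value would end
# the header line early and let the caller start a new header or the body.
_ILLEGAL_VALUE_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_header(name, value):
    """Raise ValueError unless (name, value) fits on exactly one header line."""
    if not _HEADER_NAME.match(name):
        raise ValueError("invalid header name: %r" % (name,))
    if _ILLEGAL_VALUE_CHARS.search(value):
        raise ValueError("control character in header value: %r" % (value,))
    return name, value


def safe_putheader(conn, name, value):
    """Validate, then forward to conn.putheader(); conn is an HTTPConnection."""
    conn.putheader(*validate_header(name, value))


# --- CVE-2016-0772: STARTTLS stripping against smtplib ----------------------

def require_starttls(client):
    """Upgrade an smtplib.SMTP-like client to TLS or raise.

    The server must advertise STARTTLS in its EHLO reply and answer the
    STARTTLS command with 220; anything else means the session is still
    plaintext and must not be used to authenticate or send mail.
    """
    client.ehlo()
    if not client.has_extn("starttls"):
        raise smtplib.SMTPException("server did not advertise STARTTLS")
    code, message = client.starttls()
    if code != 220:
        raise smtplib.SMTPResponseException(code, message)
    return code


class StubSMTP:
    """Constructed stand-in for smtplib.SMTP so require_starttls runs offline.

    `advertises` controls whether EHLO lists STARTTLS; `reply` is the code the
    stub returns to the STARTTLS command (a stripping proxy would answer with
    an error code instead of 220).
    """

    def __init__(self, advertises=True, reply=220):
        self._advertises = advertises
        self._reply = reply

    def ehlo(self):
        return 250, b"stub.example.test"

    def has_extn(self, name):
        return self._advertises and name.lower() == "starttls"

    def starttls(self):
        if self._reply == 220:
            return 220, b"Ready to start TLS"
        return self._reply, b"STARTTLS unavailable"
```

On a real client, require_starttls(smtplib.SMTP(host)) replaces a bare call to starttls(); on the vulnerable package the bare call returns the non-220 reply instead of raising, which is exactly the silent fallback the advisory describes.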
Red Hat Software Collections 1 for RHEL 6

SRPMS:
python33-python-3.3.2-18.el6.src.rpm
    MD5: 72a63b5ba1f5ba926856c3912b59496b
    SHA-256: 61ca357382821ceff6e8d34b8f515036e17ac4e31ca59c485fdcd5ef468a3901

x86_64:
python33-python-3.3.2-18.el6.x86_64.rpm
    MD5: 630e888be8fb00d032d2ea8ee7d9fe13
    SHA-256: 3f42c452647692e57b1e2a7c18763327abab1ba5de8c7299ccb175be72a5e551
python33-python-debug-3.3.2-18.el6.x86_64.rpm
    MD5: dd160eaaa83bea7df74548e4ff235053
    SHA-256: 5e1c4e039bbb429f859e20a2f2e24ea9fcd4bc32e57d557823958f8d447bf322
python33-python-debuginfo-3.3.2-18.el6.x86_64.rpm
    MD5: f45076e75785d65a138271392e9c0d1f
    SHA-256: 8e242ac3e7bcc7e885544826541ea57c2a27aa7711aed991cf8271b8f52b51eb
python33-python-devel-3.3.2-18.el6.x86_64.rpm
    MD5: 44cbc676d7bab091c903288c154eca25
    SHA-256: e6ea68535e78ec41e1645bcfad2726733dfcb5472277750b5f756c46ad4d2e8c
python33-python-libs-3.3.2-18.el6.x86_64.rpm
    MD5: c22845daba4a0f3dd947a2f4d8c2bcc1
    SHA-256: 23d35347c80c0a074e698d6d1d56009b907a2896a810937d4b7fce1684ad2eb0
python33-python-test-3.3.2-18.el6.x86_64.rpm
    MD5: 9d14ea7e903e5dc47ecc79fe0dc4e453
    SHA-256: 04b6ad5e7f8456df1ce3ec57885a1bd0a355cd88283abc8038dd7e31a5b7616a
python33-python-tkinter-3.3.2-18.el6.x86_64.rpm
    MD5: d897756e5b513b8a4e97f0be7b2abe03
    SHA-256: 2856b27a29c83a95e69816f37436d9102d154b5491a66fae34d6e70f8ccfeba1
python33-python-tools-3.3.2-18.el6.x86_64.rpm
    MD5: 26cfd2af57f48075e9bc3e19d574b7b7
    SHA-256: 3f9ac0c7c69cf92b40a35dfb38c46db8504a7a079f1f79206b42895e9f2f2a42
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
python33-python-3.3.2-16.el7.src.rpm
    MD5: 64a044622deef95361a1429fcb688833
    SHA-256: faf911f86dc8d93e78c9fbe43da59c71008b2e56362baa9d1d4514c14c4cf382

x86_64:
python33-python-3.3.2-16.el7.x86_64.rpm
    MD5: 06781e723cca21c1ec91d4a236e282e3
    SHA-256: fbae1dbd20aabccf81840473d19daec34b1c5ca68cdab1d5c6667071a1db3966
python33-python-debug-3.3.2-16.el7.x86_64.rpm
    MD5: 7a755920d00e7d6939d4788a09c4e156
    SHA-256: 04946491a879333135ccbf4bffd6a1c2cb8c1244796d76cada80b7c6ec5854d8
python33-python-debuginfo-3.3.2-16.el7.x86_64.rpm
    MD5: 2a7fe992e8e5f6c033abfc993d247da8
    SHA-256: 49a3c113df51efd79fc00c4c5d3364ca1d20b2eae1f652f0823db7b0512dbd52
python33-python-devel-3.3.2-16.el7.x86_64.rpm
    MD5: 4f60a2e1e6ea3faced61caa3ab70e9cf
    SHA-256: dbbbc4c5ec45a3d77b9e9a9f00c12f923ac892b12906b6d1f269768eb5e8e309
python33-python-libs-3.3.2-16.el7.x86_64.rpm
    MD5: 6319bd5eba40f3269b4fa6e3633664d6
    SHA-256: 211245e289192edd943827ffea48b38f55010eccd7564f9fae0388d688750436
python33-python-test-3.3.2-16.el7.x86_64.rpm
    MD5: 4023a0748f286f6a5f2ddc80e3e9705e
    SHA-256: 1b952e72ed1db6a344b3de324ed8bff8f24885effe1fc1f86236db91d334b86a
python33-python-tkinter-3.3.2-16.el7.x86_64.rpm
    MD5: 52cdd941e6d102a56c81cd7be5a382a2
    SHA-256: 025caa1dfcc5759224fc0978251f6840b8d4b42fe5606c3dbb908cb3f689a9f8
python33-python-tools-3.3.2-16.el7.x86_64.rpm
    MD5: dbabc133a89e3793d71385f3e00f3d0b
    SHA-256: 315f6fefe5703e0a4cd9af8bdef76691b220152ebb0d212839579972d5cc2c84
 
(The unlinked packages above are only available from the Red Hat Network)

1303647 – CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 – CVE-2016-5699 python: http protocol steam injection attack
1357334 – CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
