An update for rh-python34-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110)

* It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)

* It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.
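As an added illustration (not part of this advisory, and not Red Hat's or CPython's own code), the following Python shows one defensive check for each of the three issue classes described above: strict validation of user-supplied header names and values before they reach a request, an explicit STARTTLS check that refuses to continue a session in plaintext, and removal of a request-derived HTTP_PROXY from a CGI environment before any outbound request is made. The function names, the FakeSMTP stand-in and the sample values are this example's own assumptions; modern smtplib already raises on a failed STARTTLS, so the wrapper makes explicit a check older releases lacked.

```python
"""Defensive checks for the three issue classes in this advisory.
Added illustration; not Red Hat's or CPython's code.  All names below
(validate_header, enforce_starttls, scrub_cgi_proxy_env, FakeSMTP) are
this example's own assumptions."""
import re
import smtplib

# --- CVE-2016-5699 class: CR/LF injection through header names or values ---
# Strict rule: a header name must be an RFC 7230 token and a value may not
# contain any control character, so a value can never start a new header line.
_TOKEN_RE = re.compile(rb"^[-!#$%&'*+.^_`|~0-9A-Za-z]+$")
_CTL_RE = re.compile(rb"[\x00-\x1f\x7f]")


def validate_header(name, value):
    """Return (name, value) as bytes if they fit on one header line, else raise ValueError."""
    if isinstance(name, str):
        name = name.encode("ascii")
    if isinstance(value, str):
        value = value.encode("latin-1")
    if not _TOKEN_RE.match(name):
        raise ValueError("illegal header name: %r" % name)
    if _CTL_RE.search(value):
        raise ValueError("control character in header value: %r" % value)
    return name, value


# --- CVE-2016-0772 class: STARTTLS failure must not be silently ignored ---
def enforce_starttls(conn, context=None):
    """Upgrade an SMTP session to TLS or raise; never carry on in plaintext.

    `conn` is an smtplib.SMTP-like object exposing ehlo(), has_extn() and
    starttls().  Returns the 220 reply code on success.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        # A stripped or missing STARTTLS offer is a hard failure, not a downgrade.
        raise smtplib.SMTPException("server did not advertise STARTTLS")
    code, msg = conn.starttls(context=context)
    if code != 220:
        raise smtplib.SMTPResponseException(code, msg)
    return code


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so enforce_starttls can run offline."""

    def __init__(self, reply_code, advertises=True):
        self.reply_code = reply_code
        self.advertises = advertises

    def ehlo(self):
        return 250, b"mail.example.test"          # constructed reply

    def has_extn(self, name):
        return self.advertises

    def starttls(self, context=None):
        return self.reply_code, b"constructed reply"


# --- CVE-2016-1000110 class (HTTP_PROXY clash): scrub a CGI environment ---
def scrub_cgi_proxy_env(environ):
    """Drop HTTP_PROXY from a CGI environment so outbound requests ignore it.

    Under CGI the client's request headers arrive as HTTP_* variables, so an
    upper-case HTTP_PROXY may have come from the request; the lower-case
    http_proxy an administrator sets cannot come from a header and is kept.
    Returns the removed value, or None if nothing was removed.
    """
    if "REQUEST_METHOD" not in environ:   # not running as CGI: nothing to scrub
        return None
    return environ.pop("HTTP_PROXY", None)


if __name__ == "__main__":
    print(validate_header("X-Request-Id", "abc-123"))
    print(enforce_starttls(FakeSMTP(220)))
    env = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://198.51.100.7:8080"}  # constructed
    print(scrub_cgi_proxy_env(env), env)
```

The header check is deliberately stricter than a minimal CR/LF filter: rejecting every control character means no later parser can be tricked by an obsolete line-folding sequence. Calling scrub_cgi_proxy_env(os.environ) at the top of a CGI script, before urllib or httplib is used, is the intended usage.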
Red Hat Software Collections 1 for RHEL 6

SRPMS:
rh-python34-python-3.4.2-14.el6.src.rpm
    MD5: add0cdb4ac033f69efea68a86bbdaf4c
    SHA-256: de62d02824de80c60f8c461ebff13b6ac80ce28b3f78a87a98c621288ce49066
 
x86_64:
rh-python34-python-3.4.2-14.el6.x86_64.rpm
    MD5: f52809c8414f62f105aa643f00d73fd0
    SHA-256: 141768f7ad27cb71f26284752c991a8878500fab1f81990a89057db5d9e554fc
rh-python34-python-debug-3.4.2-14.el6.x86_64.rpm
    MD5: cf2225d98a8d760a8510b7c0e2e1588a
    SHA-256: eea3d38f3676f1f3d814aa074f8c3f9c567dd06f33ca185ec0ab16169b3fe632
rh-python34-python-debuginfo-3.4.2-14.el6.x86_64.rpm
    MD5: c7000925f428513efaed9eb9a969a64c
    SHA-256: 74e61c2611f1d90fc48715938197224df25c96deb60c3406d147fd935cdef799
rh-python34-python-devel-3.4.2-14.el6.x86_64.rpm
    MD5: bad56fc0b6dc315a3fd675b6873dd008
    SHA-256: a44532274fb4de56688fded17b02c4ad5e73f0b355747d9e815fb9ca1aebc8e9
rh-python34-python-libs-3.4.2-14.el6.x86_64.rpm
    MD5: 3d04beed4599765638863e9571fdefb5
    SHA-256: 8cbf6b58f1813253ce2df355b3ea4150f6a95b1e89cf947bd6adbe2fefe91ea9
rh-python34-python-test-3.4.2-14.el6.x86_64.rpm
    MD5: e37a7df33ca250662f7c28045f804325
    SHA-256: c9f26ff0c83a7a2a694f57df6b4cfa3cecc14f6ff3cc94c211a879d54ac5524f
rh-python34-python-tkinter-3.4.2-14.el6.x86_64.rpm
    MD5: 0445fb586f644ee8f4c4cad70e6e1141
    SHA-256: 77177a1dbd1bc38b8bc5a49ed30cb47023bd2237009b7846117a08eb25ba7d59
rh-python34-python-tools-3.4.2-14.el6.x86_64.rpm
    MD5: 6be9f90e9f5d73dcc0dda3b37e714494
    SHA-256: bf9887394906325591f93876c2df12860d9028cc45834e8803e18d5a970a8ed1
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-python34-python-3.4.2-13.el7.src.rpm
    MD5: 6e1cf101fdfac20527f083c7695dae57
    SHA-256: 52e2ebd4419879edd1db9045486b50f4a121a4c944a9d9866bb2f3dfb35d640c
 
x86_64:
rh-python34-python-3.4.2-13.el7.x86_64.rpm
    MD5: 7f6ece07111e781bff1c19804f42593f
    SHA-256: 867ac99d41962d204252707cf72ff412835457dcdda1b98c567cc12927e2d59f
rh-python34-python-debug-3.4.2-13.el7.x86_64.rpm
    MD5: 207a4769a843735ac369c83c23b8a9bb
    SHA-256: 66d9575b63163495108f4cae9ba7c65bb7076fdf7f88a88cb8cfad08a49ac7de
rh-python34-python-debuginfo-3.4.2-13.el7.x86_64.rpm
    MD5: 4bf6b8bf5733a50f3b3b87553c2bc922
    SHA-256: e6925118edfed168aebc0afdb4e1bec230811e72b094e8f4134018dbe649e6a3
rh-python34-python-devel-3.4.2-13.el7.x86_64.rpm
    MD5: 2517487c5dcdbcd00ce1f7cd8853dd1c
    SHA-256: 5e90f19b8441e146858e9ce4f411bbc41daef7b45ad53d1df26da6f57c3ead03
rh-python34-python-libs-3.4.2-13.el7.x86_64.rpm
    MD5: 7c2e1b1e7427391622f9250dae23b560
    SHA-256: 7cc6f979b488df4899842f008d35373133f39f9938e167808e866385e47d86cf
rh-python34-python-test-3.4.2-13.el7.x86_64.rpm
    MD5: 4c94a1e4e620631b008d5b6d69e9edb4
    SHA-256: 6bfd7289abf12d3ec578ec957d6827216ab6baf4a76d263a5e0b840b458b1af8
rh-python34-python-tkinter-3.4.2-13.el7.x86_64.rpm
    MD5: 1ff687af3a526edd72a579e3bb915401
    SHA-256: b02088461bc053a42498e16c7f0bacf2ffb917643d21b732f6fcb8cce648a822
rh-python34-python-tools-3.4.2-13.el7.x86_64.rpm
    MD5: 28f2addd4942fb49a0b198e133e39094
    SHA-256: 0481b3cfa88741752db01471e9b8b1058fa2094cfcecadd295432f10d3998f43
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed:

1303647 – CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 – CVE-2016-5699 python: http protocol stream injection attack
1357334 – CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
