Tuesday, September 26, 2017

Tag: Windowing

An update for rh-python34-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000110)

* It was found that Python's smtplib library did not raise an exception when StartTLS failed to be established in the SMTP.starttls() function. A man-in-the-middle attacker could strip out the STARTTLS command without generating an exception in the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)

* It was found that Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values. (CVE-2016-5699)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.

Red Hat Software Collections 1 for RHEL 6

SRPMS:
rh-python34-python-3.4.2-14.el6.src.rpm
    MD5: add0cdb4ac033f69efea68a86bbdaf4c
    SHA-256: de62d02824de80c60f8c461ebff13b6ac80ce28b3f78a87a98c621288ce49066

x86_64:
rh-python34-python-3.4.2-14.el6.x86_64.rpm
    MD5: f52809c8414f62f105aa643f00d73fd0
    SHA-256: 141768f7ad27cb71f26284752c991a8878500fab1f81990a89057db5d9e554fc
rh-python34-python-debug-3.4.2-14.el6.x86_64.rpm
    MD5: cf2225d98a8d760a8510b7c0e2e1588a
    SHA-256: eea3d38f3676f1f3d814aa074f8c3f9c567dd06f33ca185ec0ab16169b3fe632
rh-python34-python-debuginfo-3.4.2-14.el6.x86_64.rpm
    MD5: c7000925f428513efaed9eb9a969a64c
    SHA-256: 74e61c2611f1d90fc48715938197224df25c96deb60c3406d147fd935cdef799
rh-python34-python-devel-3.4.2-14.el6.x86_64.rpm
    MD5: bad56fc0b6dc315a3fd675b6873dd008
    SHA-256: a44532274fb4de56688fded17b02c4ad5e73f0b355747d9e815fb9ca1aebc8e9
rh-python34-python-libs-3.4.2-14.el6.x86_64.rpm
    MD5: 3d04beed4599765638863e9571fdefb5
    SHA-256: 8cbf6b58f1813253ce2df355b3ea4150f6a95b1e89cf947bd6adbe2fefe91ea9
rh-python34-python-test-3.4.2-14.el6.x86_64.rpm
    MD5: e37a7df33ca250662f7c28045f804325
    SHA-256: c9f26ff0c83a7a2a694f57df6b4cfa3cecc14f6ff3cc94c211a879d54ac5524f
rh-python34-python-tkinter-3.4.2-14.el6.x86_64.rpm
    MD5: 0445fb586f644ee8f4c4cad70e6e1141
    SHA-256: 77177a1dbd1bc38b8bc5a49ed30cb47023bd2237009b7846117a08eb25ba7d59
rh-python34-python-tools-3.4.2-14.el6.x86_64.rpm
    MD5: 6be9f90e9f5d73dcc0dda3b37e714494
    SHA-256: bf9887394906325591f93876c2df12860d9028cc45834e8803e18d5a970a8ed1

Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-python34-python-3.4.2-13.el7.src.rpm
    MD5: 6e1cf101fdfac20527f083c7695dae57
    SHA-256: 52e2ebd4419879edd1db9045486b50f4a121a4c944a9d9866bb2f3dfb35d640c

x86_64:
rh-python34-python-3.4.2-13.el7.x86_64.rpm
    MD5: 7f6ece07111e781bff1c19804f42593f
    SHA-256: 867ac99d41962d204252707cf72ff412835457dcdda1b98c567cc12927e2d59f
rh-python34-python-debug-3.4.2-13.el7.x86_64.rpm
    MD5: 207a4769a843735ac369c83c23b8a9bb
    SHA-256: 66d9575b63163495108f4cae9ba7c65bb7076fdf7f88a88cb8cfad08a49ac7de
rh-python34-python-debuginfo-3.4.2-13.el7.x86_64.rpm
    MD5: 4bf6b8bf5733a50f3b3b87553c2bc922
    SHA-256: e6925118edfed168aebc0afdb4e1bec230811e72b094e8f4134018dbe649e6a3
rh-python34-python-devel-3.4.2-13.el7.x86_64.rpm
    MD5: 2517487c5dcdbcd00ce1f7cd8853dd1c
    SHA-256: 5e90f19b8441e146858e9ce4f411bbc41daef7b45ad53d1df26da6f57c3ead03
rh-python34-python-libs-3.4.2-13.el7.x86_64.rpm
    MD5: 7c2e1b1e7427391622f9250dae23b560
    SHA-256: 7cc6f979b488df4899842f008d35373133f39f9938e167808e866385e47d86cf
rh-python34-python-test-3.4.2-13.el7.x86_64.rpm
    MD5: 4c94a1e4e620631b008d5b6d69e9edb4
    SHA-256: 6bfd7289abf12d3ec578ec957d6827216ab6baf4a76d263a5e0b840b458b1af8
rh-python34-python-tkinter-3.4.2-13.el7.x86_64.rpm
    MD5: 1ff687af3a526edd72a579e3bb915401
    SHA-256: b02088461bc053a42498e16c7f0bacf2ffb917643d21b732f6fcb8cce648a822
rh-python34-python-tools-3.4.2-13.el7.x86_64.rpm
    MD5: 28f2addd4942fb49a0b198e133e39094
    SHA-256: 0481b3cfa88741752db01471e9b8b1058fa2094cfcecadd295432f10d3998f43

(The unlinked packages above are only available from the Red Hat Network)

1303647 - CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 - CVE-2016-5699 python: http protocol stream injection attack
1357334 - CVE-2016-1000110 Python CGIHandler: sets environment variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
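The CVE-2016-1000110 item above describes the "httpoxy" class of bug in one sentence; the following added example (it is not Red Hat's or CPython's code) shows the mechanics on both sides. It assumes the CGI header-to-variable mapping of RFC 3875 (each request header becomes HTTP_ plus the upper-cased name with '-' replaced by '_'), and the hardened lookup follows the idea of the upstream urllib fix, which ignores HTTP_PROXY whenever REQUEST_METHOD is set because that marks a CGI context. Host names and the request headers are constructed for the example.

```python
"""Added example for CVE-2016-1000110 (httpoxy), not code from the advisory.

A client-controlled "Proxy:" request header lands in the CGI environment as
HTTP_PROXY, the variable many HTTP clients read to find an outbound proxy.
Assumed mapping: RFC 3875 (HTTP_ prefix, upper-case, '-' -> '_'). The hardened
lookup mirrors the idea of the upstream urllib fix: if REQUEST_METHOD is set
the script runs under CGI, so HTTP_PROXY is attacker-controlled and ignored.
"""
import os
import urllib.request
from unittest import mock


def cgi_environ(method, headers):
    """CGI meta-variables a web server derives from one request.

    headers: list of (name, value) pairs as parsed from the request.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def http_proxy_vulnerable(env):
    """Pre-fix behaviour: HTTP_PROXY is trusted wherever it came from."""
    return env.get("HTTP_PROXY")


def http_proxy_hardened(env):
    """Under CGI (REQUEST_METHOD present) HTTP_PROXY may have been set from the
    client's Proxy header, so it is ignored. A lower-case http_proxy cannot be
    produced from request headers, so an operator-set one is still honoured."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def stdlib_http_proxy(env):
    """What the patched urllib does with the same variables: run
    getproxies_environment() against a temporary copy of the environment."""
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment().get("http")


# Constructed sample request: the attacker adds a Proxy header to an
# otherwise ordinary GET (host names are placeholders).
MALICIOUS_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.0"),
    ("Proxy", "http://attacker.example.test:8080"),
]


def demo():
    """Same request, three lookups: the CGI variable, the naive lookup, the
    hardened lookup, and the installed urllib."""
    env = cgi_environ("GET", MALICIOUS_HEADERS)
    return {
        "cgi_HTTP_PROXY": env.get("HTTP_PROXY"),
        "vulnerable": http_proxy_vulnerable(env),
        "hardened": http_proxy_hardened(env),
        "stdlib": stdlib_http_proxy(env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stdlib lookup returns None on a patched interpreter; on an unpatched one it returns the attacker's URL, which is a quick way to check a deployed CGI host without trusting the package version string.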
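For the CVE-2016-0772 item, the following added example (again not Red Hat's or CPython's code) plays a STARTTLS-stripping man in the middle against the installed smtplib and reports what the client sees. The fake SMTP server is constructed for the example and speaks only enough of the protocol to answer EHLO, STARTTLS and QUIT; host names are placeholders. Only failure paths are exercised, so no real TLS handshake takes place.

```python
"""Added example for CVE-2016-0772 (STARTTLS stripping), not advisory code.

A downgrading middlebox has two options: remove STARTTLS from the EHLO
capability list, or let it through and answer the STARTTLS command with a
non-220 reply. A patched smtplib raises in both cases; the pre-fix starttls()
returned the (454, ...) tuple and the session silently stayed in clear text.
"""
import smtplib
import socket
import ssl
import threading


def _fake_smtp_server(listener, advertise_starttls, starttls_reply):
    """Accept one client and act as the man in the middle."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as stream:
        def send(line):
            stream.write(line + b"\r\n")
            stream.flush()

        send(b"220 mitm.example.test ESMTP")
        while True:
            line = stream.readline()
            if not line:
                break
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                if advertise_starttls:
                    send(b"250-mitm.example.test")
                    send(b"250 STARTTLS")
                else:
                    send(b"250 mitm.example.test")  # capability stripped
            elif cmd == b"STARTTLS":
                send(starttls_reply)  # e.g. 454 instead of 220
            elif cmd == b"QUIT":
                send(b"221 bye")
                break
            else:
                send(b"250 ok")


def try_starttls(advertise_starttls, starttls_reply):
    """Connect with smtplib and report how the TLS upgrade ends.

    Returns "upgraded", "refused:<exception class>", or "plaintext" (the
    pre-fix outcome: starttls() returned without raising, socket still clear).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(
        target=_fake_smtp_server,
        args=(listener, advertise_starttls, starttls_reply),
        daemon=True,
    )
    server.start()
    port = listener.getsockname()[1]
    try:
        with smtplib.SMTP("127.0.0.1", port,
                          local_hostname="client.example.test", timeout=5) as client:
            try:
                client.starttls()
            except smtplib.SMTPException as exc:
                # Patched smtplib: SMTPNotSupportedError when STARTTLS is not
                # advertised, SMTPResponseException when the reply is not 220.
                return "refused:" + type(exc).__name__
            # Belt and braces for older interpreters: never trust the return
            # value alone, check that the socket really was wrapped in TLS
            # before sending credentials or mail.
            if not isinstance(client.sock, ssl.SSLSocket):
                return "plaintext"
            return "upgraded"
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    reply = b"454 TLS not available due to temporary reason"
    print("capability stripped:", try_starttls(False, reply))
    print("upgrade refused:   ", try_starttls(True, reply))
```

The isinstance check at the end is the caller-side mitigation that works on any interpreter: the fix makes starttls() raise, but an application that must run on unpatched hosts should still refuse to continue unless the socket is an SSLSocket.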
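For the CVE-2016-5699 item, the following added example (not Red Hat's or CPython's code) shows how a CR/LF in a caller-supplied header value smuggles a second header into the request, confirms that the installed http.client now rejects it, and provides an equivalent stand-alone check for code that writes requests by hand. The stand-alone check is modelled on the validation the patched http.client performs: names may not begin with whitespace or contain ':' or CR/LF, and values may contain CR/LF only as an obsolete line-folding continuation followed by a space or tab. Header values and the host name are constructed for the example.

```python
"""Added example for CVE-2016-5699 (header injection), not advisory code."""
import http.client
import re

# Name: no leading whitespace, no ':' and no CR/LF anywhere.
_LEGAL_HEADER_NAME = re.compile(rb"[^:\s][^:\r\n]*$").match
# Value: a LF not followed by space/tab, or a CR not followed by LF/space/tab,
# terminates the header line on the wire and so starts an injected one.
_ILLEGAL_HEADER_VALUE = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])").search


def is_safe_header(name, value):
    """Stand-alone form of the putheader() checks for hand-assembled requests."""
    try:
        raw_name = name.encode("ascii")
        raw_value = value.encode("latin-1")
    except UnicodeEncodeError:
        return False
    return bool(_LEGAL_HEADER_NAME(raw_name)) and not _ILLEGAL_HEADER_VALUE(raw_value)


def build_request_unsafe(path, headers):
    """Pre-fix behaviour: names and values are copied verbatim, so a CR/LF in
    either one begins a new header line."""
    lines = ["GET %s HTTP/1.1" % path]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request_headers(raw):
    """Split a request the way the receiving server does; (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def stdlib_rejects(name, value):
    """True if the installed http.client refuses the header with ValueError,
    as a patched interpreter does for CR/LF in names or values. The request
    is only buffered locally; nothing is sent."""
    conn = http.client.HTTPConnection("app.example.test")
    try:
        conn.putrequest("GET", "/", skip_host=True, skip_accept_encoding=True)
        conn.putheader(name, value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False


# Constructed attacker input: a value meant for X-Forwarded-For that carries
# a second, privileged-looking header after a CR/LF.
INJECTED_VALUE = "203.0.113.7\r\nX-Admin: true"


def demo():
    """Vulnerable builder versus the two checks, on the same input."""
    raw = build_request_unsafe("/", [("Host", "app.example.test"),
                                     ("X-Forwarded-For", INJECTED_VALUE)])
    return {
        "headers_seen_by_server": parse_request_headers(raw),
        "stdlib_rejects": stdlib_rejects("X-Forwarded-For", INJECTED_VALUE),
        "stand_alone_safe": is_safe_header("X-Forwarded-For", INJECTED_VALUE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the folding exception: a CR/LF followed by a space or tab is still accepted as an obs-fold continuation, so a server-side parser that does not implement folding will see a different header set than the client intended; reject folding outright if you control both ends.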
An update for python27-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

Security Fix(es): the same three issues as in the rh-python34-python advisory above: the HTTP_PROXY variable name clash in the CGIHandler class (CVE-2016-1000110), smtplib's SMTP.starttls() not raising when STARTTLS fails to be established (CVE-2016-0772), and missing argument checks in httplib's HTTPConnection.putheader() that allow header injection (CVE-2016-5699).

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.

Red Hat Software Collections 1 for RHEL 6

SRPMS:
python27-python-2.7.8-18.el6.src.rpm
    MD5: f9d20ca76aa15d0c8b42deaddd20cb2b
    SHA-256: 1d1365e60ba39e210aeaf6bd550075c8e538a948e557a7b84af0e556675fea91

x86_64:
python27-python-2.7.8-18.el6.x86_64.rpm
    MD5: 54a39118b35f549ac13880c6c3aae9c4
    SHA-256: ec29d60e38e6813e03080f2915090bcd98cb86f154dde2b6783a56ed16f236d8
python27-python-debug-2.7.8-18.el6.x86_64.rpm
    MD5: 90162e2b582de6937b0fe7703ec2e7d2
    SHA-256: fc9bd4b331182b50f9b86dc6967283e75405fb00a8bc3f759ad8a6e98caf2d45
python27-python-debuginfo-2.7.8-18.el6.x86_64.rpm
    MD5: 815c44a6e36cf358282c0a864266defd
    SHA-256: ef5944007497111be4437072b17bf63dd005e848d451b9217b7c4a22818447a6
python27-python-devel-2.7.8-18.el6.x86_64.rpm
    MD5: 0976bb566dc8eb9458ad5253858a3107
    SHA-256: 83c3f0c7602da350e1fdde617e6a3b76bdcf2e42c58ed5e5b4a5cfc79175f7b6
python27-python-libs-2.7.8-18.el6.x86_64.rpm
    MD5: faa34d98f65a684736d2e7688deaf434
    SHA-256: ebf3622be1d87f8413e7ccd0dccdbd56188b48c5087ecc17a26b62146e9054fb
python27-python-test-2.7.8-18.el6.x86_64.rpm
    MD5: 0dca0610b0852ea6be4d1d63b6f8f95c
    SHA-256: 5ae8cacb62698b4f9f2da1aa80a6986653d44775d4d533ce8a5d6b904ab0e611
python27-python-tools-2.7.8-18.el6.x86_64.rpm
    MD5: f822e4a0acf9d0691dfa8543ce1fe917
    SHA-256: 1d2733afc2f89df9a6c35ffa2c3653c3ca47e70b0f774302e7b377d078e6bef4
python27-tkinter-2.7.8-18.el6.x86_64.rpm
    MD5: 284c75c1be20fe5656a1f9248f7c0652
    SHA-256: 4088c38bd93f5aabbf166aa9fbfa32bb765e892845803bc85f19872141497819

Red Hat Software Collections 1 for RHEL 7

SRPMS:
python27-python-2.7.8-16.el7.src.rpm
    MD5: b0a7e510fdc4965f466f42944c091bab
    SHA-256: f84d813172b1d0a83873faf0f4c563e7f7916b5d13e7bce8e4056555e4b60c29

x86_64:
python27-python-2.7.8-16.el7.x86_64.rpm
    MD5: 23df1c1823f49fdf7354034e97936119
    SHA-256: ba5e23798c958e88272b92852544ad4359d6b54186b37e4bb3e94536b9a5936b
python27-python-debug-2.7.8-16.el7.x86_64.rpm
    MD5: 3637ce3ec5021d99c63db97c267a0719
    SHA-256: f740107467242f8f2821550cf812d6dade661865e4570d542a907fad56deae88
python27-python-debuginfo-2.7.8-16.el7.x86_64.rpm
    MD5: 506a551bfb1d90a793a2b1b392be2001
    SHA-256: b028a385b12db6471e09316ecc7b35208f58e05692c2457b77f3517398f86fe4
python27-python-devel-2.7.8-16.el7.x86_64.rpm
    MD5: 3c7a7f0c24f9ffc6f81d9a687ebacb69
    SHA-256: 567ddb6859a9632085908aa890e135b84f979730532697064a57029ccd51f0df
python27-python-libs-2.7.8-16.el7.x86_64.rpm
    MD5: 85cc05035f8474ae8485abaac44cad68
    SHA-256: fba913944a897ac4d518d4e03b021fcdebf64aaffe5a90b5b1d557f4f4c72ac5
python27-python-test-2.7.8-16.el7.x86_64.rpm
    MD5: c3eb17f66312edb463a74f8c42f372ad
    SHA-256: b5ff0f18fd83b016368c93ef5124c7be50add472bfa2264d45426aa25f30a572
python27-python-tools-2.7.8-16.el7.x86_64.rpm
    MD5: 7084cec317d4a53f85a5f9bbb75b9590
    SHA-256: dea8a2267effce22260071a51ac5547e98f35da67cdb080576d1ad1bad5226b5
python27-tkinter-2.7.8-16.el7.x86_64.rpm
    MD5: fd5890dc3056605f60af41728edfb1f6
    SHA-256: 87f05961e5a3f2c181effb9c260eea87b875ff9b824ad6eaf8b071c1c0b29d37

(The unlinked packages above are only available from the Red Hat Network)

1303647 - CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 - CVE-2016-5699 python: http protocol stream injection attack
1357334 - CVE-2016-1000110 Python CGIHandler: sets environment variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
An update for rh-python35-python is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

Security Fix(es): the same three issues as in the rh-python34-python advisory above: the HTTP_PROXY variable name clash in the CGIHandler class (CVE-2016-1000110), smtplib's SMTP.starttls() not raising when STARTTLS fails to be established (CVE-2016-0772), and missing argument checks in httplib's HTTPConnection.putheader() that allow header injection (CVE-2016-5699).

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-1000110.

Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-python35-python-3.5.1-9.el7.src.rpm
    MD5: 3e7427248741a3220bae61c9a4157b47
    SHA-256: c76e800a6cf90f0a4b3d8d17d0b1352b4dfef6e205b7fe2b3f47ad9e68f2e621

x86_64:
rh-python35-python-3.5.1-9.el7.x86_64.rpm
    MD5: a55501d37576861dcf93cf397cd0db0a
    SHA-256: d65efb9cb71f0c4d86360c8a72ffa92c08231e7f04802d8237d6c1984dd336d3
rh-python35-python-debug-3.5.1-9.el7.x86_64.rpm
    MD5: 500027254b7e011db5c7f8c73419e9e8
    SHA-256: 43bd986dcced1dcc0b19e1b7c2e9b6b444bbfbb6f795d8db1876abf2c555b2c1
rh-python35-python-debuginfo-3.5.1-9.el7.x86_64.rpm
    MD5: c02e5a3f235b06f11baa96582d81562d
    SHA-256: cc109c42ccaa807a9a7c2bbce1a10f9a97f4c30f32c01457182c64084366382d
rh-python35-python-devel-3.5.1-9.el7.x86_64.rpm
    MD5: f6ed0eed67e10a67d35b31d6dbceecec
    SHA-256: 275c74f11333d7f9672d0b22f3a65c7eb69429c716f1686bba378276fb6ecb48
rh-python35-python-libs-3.5.1-9.el7.x86_64.rpm
    MD5: bbea48a42ef9d4ea82a99327905b6056
    SHA-256: 2fdb17a5bd260588107c5bf166006862f05262e831745c251fde8d6ff94ecec1
rh-python35-python-test-3.5.1-9.el7.x86_64.rpm
    MD5: c32a6ac95ba8b820e134e7c07bd00e46
    SHA-256: 7cbb9b8b499660dd1d3dc72d96f8cb95a0312cc348b73abd96f49f5cd4158d79
rh-python35-python-tkinter-3.5.1-9.el7.x86_64.rpm
    MD5: b11177831d42465a9232b07618fac55f
    SHA-256: b0deb8b0983846b1028b632a2a28221d492949e7428a0a2166a05d448724f082
rh-python35-python-tools-3.5.1-9.el7.x86_64.rpm
    MD5: e83147bfecea913ca0adf92738c901dd
    SHA-256: 4efdb3e9bb744811259beae6829760d826e8662e4bc3f690dd500e7cee9c9bd9

(The unlinked packages above are only available from the Red Hat Network)

1303647 - CVE-2016-0772 python: smtplib StartTLS stripping attack
1303699 - CVE-2016-5699 python: http protocol stream injection attack
1357334 - CVE-2016-1000110 Python CGIHandler: sets environment variable based on user supplied Proxy request header

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
Iain Watson

The United States Copyright Office has sided with cable companies in their fight against a Federal Communications Commission plan to boost competition in the TV set-top box market. The FCC proposal would force pay-TV providers to make channels and on-demand content available to third parties, who could then build their own devices and apps that could replace rented set-top boxes. Comcast and other cable companies complain that this will open the door to copyright violations, and US Register of Copyrights Maria Pallante agrees with them.

The Copyright Office provided advice to the FCC at the FCC's request, and Pallante yesterday detailed the concerns her office raised in a letter to members of Congress who asked her to weigh in. "In its most basic form, the rule contemplated by the FCC would seem to take a valuable good—bundled video programming created through private effort and agreement under the protections of the Copyright Act—and deliver it to third parties who are not in privity with the copyright owners, but who may nevertheless exploit the content for profit," Pallante wrote. "Under the Proposed Rule, this would be accomplished without compensation to the creators or licensees of the copyrighted programming, and without requiring the third party to adhere to agreed-upon license terms."

There are already "third-party set-top box devices, mainly produced overseas, that are used to view pirated content delivered over the Internet," and the FCC's plan could expand the market to include devices "designed to exploit the more readily available [cable TV] programming streams without adhering to the prescribed security measures," Pallante wrote.

Consumer advocacy group Public Knowledge, a supporter of the FCC's original set-top box plan, criticized the Copyright Office's analysis, saying it ignores the interests of consumers and contains various inaccuracies. "This letter is another example of how the Copyright Office has become dedicated to the interests of some copyright holders—as opposed to providing an accurate interpretation of copyright law," Public Knowledge Senior Staff Attorney John Bergmayer wrote. The proposal doesn't require "delivery of content to third parties," it simply lets consumers watch the video they subscribe to on the devices of their choice, he argued.
It's not like CableCard, Copyright Office says

The Copyright Office, which processes registrations of copyright for books, music, movies, software, and other works, says that under the FCC plan, third parties "would have no way of knowing all of the requirements and limitations" imposed by licensing agreements between programmers and pay-TV providers.

Among other things, such requirements can be related to the types of devices that video may be viewed on, limitations on advertising, and channel lineups, the letter said.

For third-party devices such as the Amazon Fire TV, Roku, and Apple TV, contracts can also include "requirements to exclude applications used for the consumption of pirated works" before allowing pay-TV content on the device.

While the existing CableCard system already allows access to pay-TV content on third-party devices, the Copyright Office argues that this is not equivalent because the CableCard regime is administered by the CableLabs cable industry consortium, "which licenses the CableCARD technology to third-party device manufacturers in written agreements" and can thus "impose and maintain appropriate standards for the delivery of content to consumers." By contrast, Pallante wrote, the FCC proposal would require pay-TV operators to support content protection systems that are administered by an independent entity that isn't controlled by the cable industry.

The Copyright Office provides some examples of how contracts between programmers and cable companies could be violated, such as:

    The Proposed Rule requires MVPDs [multichannel video programming distributors] to make licensed programming feeds available to third-party device or software manufacturers free of charge and without "discrimination," thus potentially undermining copyright owners' ability to enforce exclusivity agreements, including "windowing" or "tiering" agreements that make content available on certain platforms before others. ... Even if third-party devices and applications did not replace the advertising that appears in the programming itself, the Proposed Rule would appear to allow them to add additional advertising as part of the programming stream, e.g., advertising spots before or after an on-demand video, or banner advertising next to or overlaid on top of a program, without any requirement that resulting advertising revenues be shared with either the MVPD or the content creator.

Public Knowledge argued that "While two parties are free to negotiate amongst themselves, they cannot bargain away the rights of third parties. What the Copyright Office advocates is encouraging distributors to negotiate away their consumers' rights without those consumers' consent." More specifically, "While your cable provider can agree not to build DVR features into its equipment, that cannot and does not make it illegal for consumers to record their favorite shows at home," Public Knowledge wrote.

FCC finalizing proposal

FCC Chairman Tom Wheeler has insisted that third parties will have to respect copyright under his proposal, but fellow Democratic FCC Commissioner Jessica Rosenworcel has expressed concerns about copyright. Rosenworcel's statements raise the possibility that the plan could be changed significantly before a final version is approved.

In the meantime, FCC officials are reviewing an alternative proposal from the pay-TV industry that would require cable companies to deploy video applications for third-party set-top boxes using open standards. After today's FCC meeting, Wheeler promised that his final proposal will simplify the implementation while protecting "copyright and contract enforcement of copyright" and providing choices to consumers "that they so long have been denied."