Alpine: python: security update to 2.7.11-r5 (deprecated)

critical Tenable Self-Hosted Container Security Plugin ID 401034

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does
not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS
protections by leveraging a network position between the client and the registry to block the StartTLS
command, aka a "StartTLS stripping attack." (CVE-2016-0772)

- Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before
3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size
value, which triggers a heap-based buffer overflow. (CVE-2016-5636)

- CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython
(aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers
via CRLF sequences in a URL. (CVE-2016-5699)

See Also

https://git.alpinelinux.org/aports/commit/?id=312dc15a4f3c4068c67e3addfa4d76ebf6246483

https://git.alpinelinux.org/aports/commit/?id=3d994125acdd839bfb7a3388456b347623961344

Plugin Details

Severity: Critical

ID: 401034

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

Percentile: 96.79

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-5636

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/29/2016

Vulnerability Publication Date: 6/14/2016

Reference Information

CVE: CVE-2016-0772, CVE-2016-5636, CVE-2016-5699

BID: 91225, 91226, 91247