Debian DSA-458-3 : python2.2 - buffer overflow

high Nessus Plugin ID 15295

Synopsis

The remote Debian host is missing a security-related update.

Description

This security advisory corrects DSA 458-2 which caused a problem in the gethostbyaddr routine.

The original advisory said :

Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack.

This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not).

Solution

For the stable distribution (woody), this bug has been fixed in version 2.2.1-4.6.

The testing and unstable distribution (sarge and sid) are not affected by this problem.

We recommend that you update your python2.2 packages.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248946

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=269548

http://www.debian.org/security/2004/dsa-458

Plugin Details

Severity: High

ID: 15295

File Name: debian_DSA-458.nasl

Version: 1.20

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python2.2, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 10/10/2004

Vulnerability Publication Date: 3/10/2004

Reference Information

CVE: CVE-2004-0150

BID: 9836

DSA: 458