Debian DSA-1977-1 : python2.4 python2.5 - several vulnerabilities

high Nessus Plugin ID 44841

Language:

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 5.5

Synopsis

The remote Debian host is missing a security-related update.

Description

Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy in the interpreter for the Python language, does not properly process malformed or crafted XML files. (CVE-2009-3560 CVE-2009-3720 ) This vulnerability could allow an attacker to cause a denial of service while parsing a malformed XML file.

In addition, this update fixes an integer overflow in the hashlib module in python2.5. This vulnerability could allow an attacker to defeat cryptographic digests. (CVE-2008-2316 ) It only affects the oldstable distribution (etch).

Solution

Upgrade the python packages.

For the oldstable distribution (etch), these problems have been fixed in version 2.4.4-3+etch3 for python2.4 and version 2.5-5+etch2 for python2.5.

For the stable distribution (lenny), these problems have been fixed in version 2.4.6-1+lenny1 for python2.4 and version 2.5.2-15+lenny1 for python2.5.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493797

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560912

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560913

https://security-tracker.debian.org/tracker/CVE-2009-3560

https://security-tracker.debian.org/tracker/CVE-2009-3720

https://security-tracker.debian.org/tracker/CVE-2008-2316

https://www.debian.org/security/2010/dsa-1977

Plugin Details

Severity: High

ID: 44841

File Name: debian_DSA-1977.nasl

Version: 1.13

Type: local

Agent: unix

Published: 2/24/2010

Updated: 1/4/2021

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.5

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:python2.4 python2.5, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/25/2010

Reference Information

CVE: CVE-2008-2316, CVE-2009-3560, CVE-2009-3720

BID: 30491, 36097, 37203

DSA: 1977

CWE: 119, 189