OracleVM 3.3 / 3.4 : python (OVMSA-2016-0099) (httpoxy)

Medium Nessus Plugin ID 93038

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- Add Oracle Linux distribution in platform.py [orabug 21288328] (Keshav Sharma)

- Fix for CVE-2016-1000110 HTTPoxy attack. Resolves: rhbz#1359161

- Fix for CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647). Raise an error when STARTTLS fails (upstream patch)

- Fix for CVE-2016-5699 python: http protocol stream injection attack (rhbz#1303699). Disabled HTTP header injections in httplib (upstream patch). Resolves: rhbz#1346354

Solution

Update the affected python / python-libs packages.

See Also

http://www.nessus.org/u?ee4ea01f

http://www.nessus.org/u?5114db7e

Plugin Details

Severity: Medium

ID: 93038

File Name: oraclevm_OVMSA-2016-0099.nasl

Version: 2.7

Type: local

Published: 2016/08/19

Updated: 2018/07/24

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:python, p-cpe:/a:oracle:vm:python-libs, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/18

Reference Information

CVE: CVE-2016-0772, CVE-2016-1000110, CVE-2016-5699