Main Vulnerability Database SB2014110307

SB2014110307 - Fedora 21 update for python3

Published: November 3, 2014 Updated: June 28, 2025

Security Bulletin ID SB2014110307

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2014-4650)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

2) Buffer overflow (CVE-ID: CVE-2014-4616)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2014-14208