SB2016122807 - Slackware Linux update for python


Published: December 28, 2016 Updated: May 6, 2017

Security Bulletin ID: SB2016122807
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Open redirect (CVE-ID: CVE-2016-1000110)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
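The name clash above comes from the CGI convention that every request header is exported to the script as an HTTP_* environment variable, so a header called Proxy arrives as HTTP_PROXY, the very variable many HTTP client libraries read for their outbound proxy. The following is an added example written for this bulletin, not code from CPython or Slackware: a simplified model of that header-to-environment mapping, a gateway-side filter that drops HTTP_PROXY before the script runs, and a WSGI middleware that does the same for applications served through a CGI/WSGI bridge. All function and class names are illustrative, and the request headers are a constructed sample.

```python
"""Added example (not from the bulletin or from CPython): a small model of how a
CGI gateway turns request headers into HTTP_* meta-variables, plus the two
defensive fixes a CGIHandler-style gateway needs. All names are illustrative."""


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 mapping of a request header to its CGI meta-variable name:
    'User-Agent' -> 'HTTP_USER_AGENT'. A header called 'Proxy' therefore
    becomes 'HTTP_PROXY', the same name HTTP client libraries consult for
    their outbound proxy setting; that is the name clash."""
    return "HTTP_" + header_name.strip().replace("-", "_").upper()


def build_cgi_environ(request_headers, base_environ=None):
    """Simplified gateway behaviour: copy the server environment and add one
    HTTP_* variable per request header (real gateways also set SCRIPT_NAME,
    QUERY_STRING and friends, omitted here)."""
    env = dict(base_environ or {})
    for name, value in request_headers:
        env[cgi_meta_variable(name)] = value.strip()
    return env


def sanitize_cgi_environ(env):
    """Gateway-side mitigation: never pass HTTP_PROXY to the child process."""
    cleaned = dict(env)
    cleaned.pop("HTTP_PROXY", None)
    return cleaned


class StripProxyMiddleware:
    """WSGI-side mitigation for apps served through a CGI/WSGI bridge:
    remove HTTP_PROXY from environ before the wrapped app can read it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ.pop("HTTP_PROXY", None)
        return self.app(environ, start_response)


def proxy_seen_by_script(env):
    """Model of a naive outbound HTTP client inside the CGI script: on POSIX
    builds urllib.request.getproxies() honours an HTTP_PROXY environment
    variable, so whatever the gateway passed through is what gets used."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def demo():
    # Constructed sample request: an ordinary request that also carries a
    # 'Proxy' header (no real browser sends one).
    headers = [
        ("Host", "app.example.test"),
        ("User-Agent", "example-client/1.0"),
        ("Proxy", "http://proxy.example.test:3128"),
    ]
    raw_env = build_cgi_environ(headers, base_environ={"SERVER_NAME": "app.example.test"})
    safe_env = sanitize_cgi_environ(raw_env)

    def app(environ, start_response):
        # The app reports what it can see in HTTP_PROXY.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [repr(environ.get("HTTP_PROXY")).encode()]

    wrapped = StripProxyMiddleware(app)
    body = b"".join(wrapped(dict(raw_env), lambda status, hdrs: None))
    return {
        "unpatched_proxy": proxy_seen_by_script(raw_env),  # client-chosen URL
        "patched_proxy": proxy_seen_by_script(safe_env),   # None
        "middleware_body": body,                           # b'None'
    }


if __name__ == "__main__":
    print(demo())
```

Dropping the variable at the gateway is the fix that covers every script behind it; the middleware is the belt-and-braces option for an application that cannot control its gateway. Either way the check is the same: after the fix, the script must never observe an HTTP_PROXY value that originated in a request header.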


2) Information disclosure (CVE-ID: CVE-2016-2183)

The vulnerability allows a remote attacker to decrypt transmitted data.

The vulnerability exists because a remote attacker able to observe network traffic can capture a long-duration session encrypted with 3DES in CBC mode; from enough captured ciphertext the attacker can recover part of the plaintext, and if the same data is sent repeatedly, the attacker can recover those parts and reconstruct the whole text.

Successful exploitation of this vulnerability may allow a remote attacker to decrypt transmitted data. This vulnerability is known as SWEET32.
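"Long duration" can be made concrete: 3DES has a 64-bit block, so after roughly 2^32 blocks (about 32 GiB) under one key, repeated ciphertext blocks become likely and leak plaintext. The block below is an added example written for this bulletin, not code from the vendor or from CPython. It computes that budget for a given block size, flags a session that has exceeded it, and builds a Python ssl context that excludes every 64-bit-block suite, with a check that the resulting cipher list contains none. The function names are illustrative; the audit relies on the standard SSLContext.get_ciphers() and set_ciphers() calls and on OpenSSL spelling 3DES suites "...DES-CBC3...".

```python
"""Added example (not from the bulletin): defender-side checks for the
SWEET32 condition. Function names are illustrative."""
import ssl


def birthday_bound_bytes(block_bits: int) -> int:
    """Traffic volume under one key at which a CBC block collision becomes
    likely: about 2**(n/2) blocks of n/8 bytes each for an n-bit block cipher.
    For 3DES (n=64) that is 2**32 * 8 bytes, i.e. 32 GiB."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)


def session_exceeds_budget(bytes_in_session: int, block_bits: int = 64) -> bool:
    """True when a single session has carried at least the collision budget
    for its cipher's block size and should have been rekeyed or closed."""
    return bytes_in_session >= birthday_bound_bytes(block_bits)


def hardened_context() -> ssl.SSLContext:
    """Client context that offers only AEAD suites on TLS 1.2+ and explicitly
    excludes 3DES, single DES and RC4. The cipher string is OpenSSL syntax."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!3DES:!DES:!RC4:!aNULL:!eNULL"
    )
    return ctx


def small_block_suites(ctx: ssl.SSLContext) -> list:
    """Names of suites still offered by ctx that use a 64-bit block cipher.
    OpenSSL names 3DES suites with 'DES-CBC3'; IDEA and RC2 are also 64-bit."""
    markers = ("DES", "RC2", "IDEA")
    return sorted(
        c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in markers)
    )


def audit_cipher_string(spec: str):
    """Build a context from an arbitrary OpenSSL cipher string and report which
    64-bit-block suites it would offer; None if OpenSSL rejects the string."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return small_block_suites(ctx)


if __name__ == "__main__":
    gib = birthday_bound_bytes(64) / 2**30
    print(f"3DES collision budget: {gib:.0f} GiB per key")
    print("over budget at 40 GiB:", session_exceeds_budget(40 * 2**30))
    # What this OpenSSL build's 'ALL' list would still offer (build dependent).
    print("64-bit-block suites in ALL:", audit_cipher_string("ALL"))
    print("64-bit-block suites in hardened context:", small_block_suites(hardened_context()))
```

The budget check is the detection side for servers that cannot yet drop 3DES: a session approaching the bound should be rekeyed or torn down. The cipher-list audit is the mitigation check; what audit_cipher_string("ALL") reports depends on how the local OpenSSL was built, while the hardened context must report an empty list everywhere.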


Remediation

Install the update from the vendor's website.