| Summary: | python, python3 new security issue CVE-2016-1000110 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, makowski.mageia, pterjan, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/697141/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory | ||
| Source RPM: | python, python3 | CVE: | CVE-2016-1000110 |
| Status comment: | |||
| Attachments: | test case | ||
Description
David Walser
2016-08-12 19:30:16 CEST
Philippe Makowski
2016-08-13 16:02:32 CEST
CVE:
(none) =>
CVE-2016-1000110
Python3 and Python updated in Cauldron

Advisory:
========================

Updated python and python3 packages fix security vulnerability:

Fix for CVE-2016-1000110 HTTPoxy attack

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1359175
http://lwn.net/Vulnerabilities/697141/
https://bugs.python.org/issue27568
========================

Updated packages in core/updates_testing:
========================
python3-3.4.3-1.5.mga5
libpython3.4-3.4.3-1.5.mga5.i586
libpython3-devel-3.4.3-1.5.mga5
python3-docs-3.4.3-1.5.mga5
tkinter3-3.4.3-1.5.mga5
tkinter3-apps-3.4.3-1.5.mga5
python-2.7.9-2.4.mga5
libpython2.7-2.7.9-2.4.mga5
libpython-devel-2.7.9-2.4.mga5
python-docs-2.7.9-2.4.mga5
tkinter-2.7.9-2.4.mga5
tkinter-apps-2.7.9-2.4.mga5

from python3-3.2.3-1.3.mga5.src.rpm
python-2.7.9-2.4.mga5.src.rpm

Assignee:
makowski.mageia =>
qa-bugs
Created attachment 8350
test case
before update:
$ python CVE-2016-1000110.py
F
======================================================================
FAIL: test_proxy_cgi_ignore (__main__.TestCVE)
----------------------------------------------------------------------
Traceback (most recent call last):
File "CVE-2016-1000110.py", line 23, in test_proxy_cgi_ignore
self.assertNotIn('http', proxies)
AssertionError: 'http' unexpectedly found in {'http': 'http://somewhere:3128'}
----------------------------------------------------------------------
Ran 1 test in 0.000s
FAILED (failures=1)
$ python3 CVE-2016-1000110.py
F
======================================================================
FAIL: test_proxy_cgi_ignore (__main__.TestCVE)
----------------------------------------------------------------------
Traceback (most recent call last):
File "CVE-2016-1000110.py", line 23, in test_proxy_cgi_ignore
self.assertNotIn('http', proxies)
AssertionError: 'http' unexpectedly found in {'http': 'http://somewhere:3128'}
----------------------------------------------------------------------
Ran 1 test in 0.001s
FAILED (failures=1)
after update:
$ python CVE-2016-1000110.py
.
----------------------------------------------------------------------
Ran 1 test in 0.000s
OK
$ python3 CVE-2016-1000110.py
.
----------------------------------------------------------------------
Ran 1 test in 0.001s
OK
CC:
(none) =>
makowski.mageia
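The header-to-environment-variable path the advisory describes, shown as an added illustration that is neither the attached test case nor Mageia's patch: a check that the installed interpreter already drops HTTP_PROXY inside a CGI request, next to a hypothetical reference function (safe_proxies_from_environ) that mirrors the same rule. The sample environments are constructed.

```python
import os
from unittest.mock import patch
from urllib.request import getproxies_environment

# Constructed sample environments. The first is what a CGI process sees
# when a client sends "Proxy: http://somewhere:3128" and the web server
# exposes it as HTTP_PROXY (the HTTPoxy condition); the second is an
# ordinary shell where an administrator set HTTP_PROXY deliberately.
CGI_ENV_WITH_PROXY_HEADER = {
    "REQUEST_METHOD": "GET",                # set by every CGI server
    "HTTP_PROXY": "http://somewhere:3128",  # derived from the request header
}
SHELL_ENV = {"HTTP_PROXY": "http://somewhere:3128"}


def safe_proxies_from_environ(environ):
    """Hypothetical reference version of the hardened lookup.

    Build the proxy map from *_proxy variables, but inside a CGI request
    (REQUEST_METHOD present) drop the HTTP_PROXY-derived entry, because a
    CGI server can create that name from an attacker-controlled header.
    An all-lowercase http_proxy is still honoured: CGI servers never
    derive a lowercase name from a request header, so it is operator-set.
    """
    proxies = {}
    for name, value in environ.items():             # first pass: any case
        if value and name.lower().endswith("_proxy"):
            proxies[name.lower()[:-6]] = value
    if "REQUEST_METHOD" in environ:                 # running as CGI script
        proxies.pop("http", None)
    for name, value in environ.items():             # second pass: lowercase
        if name.endswith("_proxy"):                 # wins and may re-add http
            if value:
                proxies[name[:-6]] = value
            else:
                proxies.pop(name[:-6], None)
    return proxies


def interpreter_ignores_cgi_http_proxy():
    """True if this urllib already applies the CVE-2016-1000110 fix."""
    with patch.dict(os.environ, CGI_ENV_WITH_PROXY_HEADER, clear=True):
        return "http" not in getproxies_environment()


if __name__ == "__main__":
    print("fixed interpreter:", interpreter_ignores_cgi_http_proxy())
    print("cgi:", safe_proxies_from_environ(CGI_ENV_WITH_PROXY_HEADER))
    print("shell:", safe_proxies_from_environ(SHELL_ENV))
```

Running interpreter_ignores_cgi_http_proxy() on a patched Python gives True, which is the same condition the attached test asserts with assertNotIn('http', proxies).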
Dave Hodgins
2016-08-18 23:50:36 CEST
Keywords:
(none) =>
validated_update
Advisory seems to list wrong package:
Checking SRPMs… (5/core/python3-3.2.3-1.3.mga5)
CC:
(none) =>
pterjan
Advisory fixed, there was a typo in comment 1 which was reproduced in SVN.
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0296.html
Status:
NEW =>
RESOLVED |