Bug 80592 - dev-lang/python SimpleXMLRPCServer remote access vulnerability
Summary: dev-lang/python SimpleXMLRPCServer remote access vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.python.org/security/PSF-20...
Whiteboard: B1 [glsa] koon
Keywords:
Duplicates: 80094 80597
Depends on:
Blocks:
 
Reported: 2005-02-03 08:24 UTC by Rob Cakebread (RETIRED)
Modified: 2005-02-08 13:34 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Rob Cakebread (RETIRED) gentoo-dev 2005-02-03 08:24:33 UTC
Versions:     2.2 all versions, 2.3 prior to 2.3.5, 2.4
CVE Names:    CAN-2005-0089

The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected.

http://www.python.org/security/PSF-2005-001/

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
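The report above describes the exposure in one sentence: register_instance() on an object without its own _dispatch() lets the dispatcher resolve method names itself, and a dotted name walks from the registered object into whatever its public attributes reference. The following is an added illustration, not code from this bug, from Python's advisory or from the Gentoo patch. It uses the Python 3 module xmlrpc.server (the renamed SimpleXMLRPCServer) and exercises SimpleXMLRPCDispatcher directly through _marshaled_dispatch(), so no socket is opened. The Inventory, AuditLog and GuardedInventory classes and their data are constructed for the example; allow_dotted_names is the real opt-in flag that the upstream fix added to register_instance(), and setting it to True restores the always-on dotted-name resolution the advisory is about.

```python
"""Added illustration of the register_instance() exposure and two ways to close it.
Constructed example; not code from the bug report, the advisory or Python itself."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


class AuditLog:
    """Constructed helper: internal state that is never meant to be an RPC endpoint."""

    def __init__(self):
        self._records = ["constructed internal record 1", "constructed internal record 2"]

    def entries(self):
        return list(self._records)


class Inventory:
    """Constructed service object; only count() and echo() are meant to be callable remotely."""

    def __init__(self):
        # Public attribute: dotted-name resolution can reach audit.entries through it.
        self.audit = AuditLog()

    def count(self, item):
        return len(item)

    def echo(self, text):
        return text


class GuardedInventory(Inventory):
    """Same object with an explicit _dispatch(): the dispatcher then never resolves names itself."""

    EXPORTED = frozenset({"count", "echo"})

    def _dispatch(self, method, params):
        if method not in self.EXPORTED:
            raise ValueError(f"method {method!r} is not supported")
        return getattr(self, method)(*params)


def build_dispatcher(instance, allow_dotted_names=False):
    """Register an instance on the dispatcher core of SimpleXMLRPCServer (no socket needed)."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=True)
    dispatcher.register_instance(instance, allow_dotted_names=allow_dotted_names)
    return dispatcher


def call(dispatcher, method, *params):
    """Marshal a request, dispatch it, unmarshal the reply.

    Returns ("ok", value) for a normal response or ("fault", message) for an XML-RPC Fault.
    """
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request.encode("utf-8"))
    try:
        (value,), _ = xmlrpc.client.loads(response)
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)


def exposure_report():
    """Probe an intended method and a dotted name against three configurations.

    Result per configuration: {"count": "ok"|"fault", "audit.entries": "ok"|"fault"}.
    Only the first configuration lets the dotted name through.
    """
    configs = {
        "dotted names allowed (pre-fix behaviour)": build_dispatcher(Inventory(), allow_dotted_names=True),
        "dotted names refused (default after the fix)": build_dispatcher(Inventory()),
        "explicit _dispatch allow-list": build_dispatcher(GuardedInventory()),
    }
    return {
        name: {
            "count": call(dispatcher, "count", "abc")[0],
            "audit.entries": call(dispatcher, "audit.entries")[0],
        }
        for name, dispatcher in configs.items()
    }


if __name__ == "__main__":
    for name, results in exposure_report().items():
        print(f"{name}: {results}")
```

The explicit _dispatch() variant is the mitigation the advisory names as unaffected, and it works on every Python version because the dispatcher hands over method selection entirely; the allow_dotted_names default is the upstream fix and only protects servers running a patched interpreter.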
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:01 UTC
Python team: please bump and/or apply patches...
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:48 UTC
*** Bug 80094 has been marked as a duplicate of this bug. ***
Comment 3 Rob Cakebread (RETIRED) gentoo-dev 2005-02-06 20:31:03 UTC
I've patched and bumped all affected versions in CVS. I believe you can close this now.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 00:31:24 UTC
No stable marking needed as keywords were conserved by maintainer.

Ready for GLSA, fixed versions seem to be:
 * >=2.2.3-r6
 * >=2.3.3-r2
 * >=2.3.4-r1
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 11:36:35 UTC
GLSA drafted
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 11:39:48 UTC
*** Bug 80597 has been marked as a duplicate of this bug. ***
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 13:34:52 UTC
GLSA 200502-09