Bug#: 80592
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Rob Cakebread <pythonhead@gentoo.org>
URL:
Summary:
Status Whiteboard:
Keywords:
Description:   Opened: 2005-02-03 08:24 0000
Versions:     2.2 all versions, 2.3 prior to 2.3.5, 2.4
CVE Names:    CAN-2005-0089

The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected.

http://www.python.org/security/PSF-2005-001/

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
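As an added illustration (not code from the bug report, the PSF advisory, or the Gentoo ebuild patch), the Python 3 snippet below uses xmlrpc.server, the successor of the SimpleXMLRPCServer module named in the description, to show the two registration styles a server operator can rely on: an instance that carries its own _dispatch() allow-list, which the advisory says is unaffected, and a plain instance under the post-fix dispatcher, whose allow_dotted_names=False default and leading-underscore check refuse attribute traversal. The Calculator and PlainCalculator classes and the probe() and private_name_refused() helpers are constructed for this example and are not part of the library or the advisory.

```python
# Added example, not part of the bug report or the PSF advisory. Assumes Python 3,
# whose xmlrpc.server module succeeds the SimpleXMLRPCServer module discussed here.
from xmlrpc.server import SimpleXMLRPCDispatcher, resolve_dotted_attribute


class Calculator:
    """Constructed service object that carries its own _dispatch() allow-list.

    Because the instance defines _dispatch(), the dispatcher never resolves
    method names against its attributes; only the names listed here are callable.
    """
    _public = frozenset({"add", "mul"})

    def add(self, a, b):
        return a + b

    def mul(self, a, b):
        return a * b

    def _dispatch(self, method, params):
        if method not in self._public:
            raise Exception('method "%s" is not supported' % method)
        return getattr(self, method)(*params)


class PlainCalculator:
    """Constructed service object without _dispatch(): the dispatcher resolves
    names itself, so it relies on the library's own private-name checks."""

    def add(self, a, b):
        return a + b


def probe(instance, method, params=()):
    """Route one XML-RPC method name through a fresh dispatcher (no sockets).

    Returns the call's result, or the refusal text a client would receive
    in the XML-RPC fault string.
    """
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    # Default allow_dotted_names=False: "a.b" is looked up as one literal name.
    dispatcher.register_instance(instance)
    try:
        return dispatcher._dispatch(method, params)
    except Exception as exc:  # the server turns this into an XML-RPC fault
        return "refused: %s" % exc


def private_name_refused(instance, dotted_name):
    """Even with dotted names enabled, any component starting with '_' is refused."""
    try:
        resolve_dotted_attribute(instance, dotted_name, allow_dotted_names=True)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    for obj in (Calculator(), PlainCalculator()):
        name = type(obj).__name__
        print(name, probe(obj, "add", (2, 3)))
        print(name, probe(obj, "__dict__"))
        print(name, probe(obj, "add.__module__"))
    print(private_name_refused(PlainCalculator(), "add.__module__"))
    print(private_name_refused(PlainCalculator(), "add"))
```

The _dispatch() allow-list is the robust choice: it works identically on the unpatched 2.2/2.3/2.4 releases listed above, because the library hands the method name to the instance before doing any attribute lookup of its own. The PlainCalculator case only stays safe on a fixed interpreter.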

------- Comment #1 From Thierry Carrez (RETIRED) 2005-02-03 08:45:01 0000 -------
Python team: please bump and/or apply patches...

------- Comment #2 From Thierry Carrez (RETIRED) 2005-02-03 08:45:48 0000 -------
*** Bug 80094 has been marked as a duplicate of this bug. ***

------- Comment #3 From Rob Cakebread 2005-02-06 20:31:03 0000 -------
I've patched and bumped all affected versions in CVS. I believe you can close this now.

------- Comment #4 From Thierry Carrez (RETIRED) 2005-02-07 00:31:24 0000 -------
No stable marking needed as keywords were conserved by maintainer.

Ready for GLSA, fixed versions seem to be:
 *>=2.2.3-r6
 *>=2.3.3-r2
  >=2.3.4-r1

------- Comment #5 From Thierry Carrez (RETIRED) 2005-02-08 11:36:35 0000 -------
GLSA drafted

------- Comment #6 From Thierry Carrez (RETIRED) 2005-02-08 11:39:48 0000 -------
*** Bug 80597 has been marked as a duplicate of this bug. ***

------- Comment #7 From Thierry Carrez (RETIRED) 2005-02-08 13:34:52 0000 -------
GLSA 200502-09
