Description: Brian Bird has reported a vulnerability in Cheetah, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused by Cheetah searching for modules in the world-writable "/tmp" directory before looking in the PythonPath when importing modules. This can be exploited to execute arbitrary code with escalated privileges by placing a malicious module in the "/tmp" directory.

Solution: The vulnerability has been fixed in version 0.9.17-rc1.

Provided and/or discovered by: Brian Bird
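The bug class above (a world-writable directory consulted before the trusted library directories) can be audited from the defender's side. The following is an added example, not Cheetah's code and not part of the advisory: it classifies each module search-path entry from its permissions and ownership, and a constructed demo() builds a temp layout standing in for "/tmp" and a library directory. The names classify_entry, audit_search_path and demo are assumptions made here; POSIX is assumed.

```python
"""Audit a module search path for entries an unprivileged local user can write to.

Added example (not part of the advisory or of Cheetah). An entry like /tmp that
precedes the real library directories lets any local user plant a module that a
privileged importer will pick up first.
"""
import os
import stat
import sys
import tempfile


def classify_entry(path, st_mode, st_uid, trusted_uids=(0,)):
    """Classify one search-path entry from its stat data; None means it looks safe."""
    if path == "":
        return "empty entry means the current working directory"
    if not stat.S_ISDIR(st_mode):
        return None  # plain files (e.g. zip archives) are outside this check
    if st_mode & stat.S_IWOTH:
        # The sticky bit (as on /tmp) prevents deleting others' files, but it does
        # not stop anyone from creating a new module file there.
        return "world-writable" + (" (sticky)" if st_mode & stat.S_ISVTX else "")
    if st_uid not in trusted_uids:
        return "owned by untrusted uid %d" % st_uid
    return None


def audit_search_path(entries, trusted_uids=(0,), stat_fn=os.stat):
    """Return [(index, path, reason)] for every risky entry, in search order."""
    findings = []
    for idx, path in enumerate(entries):
        if path == "":
            findings.append((idx, path, classify_entry(path, 0, 0)))
            continue
        try:
            st = stat_fn(path)
        except OSError:
            continue  # missing entries are not checked here
        reason = classify_entry(path, st.st_mode, st.st_uid, trusted_uids)
        if reason:
            findings.append((idx, path, reason))
    return findings


def demo():
    """Constructed layout: a sticky world-writable dir searched before a 0755 lib dir."""
    base = tempfile.mkdtemp()
    scratch, lib = os.path.join(base, "scratch"), os.path.join(base, "lib")
    os.mkdir(scratch); os.chmod(scratch, 0o1777)  # plays the role of /tmp
    os.mkdir(lib); os.chmod(lib, 0o755)           # plays the role of site-packages
    try:
        return audit_search_path([scratch, lib], trusted_uids=(os.getuid(),))
    finally:
        os.rmdir(lib); os.rmdir(scratch); os.rmdir(base)


if __name__ == "__main__":
    for idx, path, reason in audit_search_path(sys.path):
        print("sys.path[%d] = %r: %s" % (idx, path, reason))
```

Run as a script it reports risky entries of the interpreter's own sys.path; an entry flagged before the library directories is the ordering problem the advisory describes.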
Python team, please bump
Bumped to 0.9.17-rc1 in CVS, removed vulnerable versions.
Thanks for the swift reaction. Committed directly to stable; this one is ready for GLSA.
GLSA 200505-14