Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 358663 (CVE-2010-3492) - <dev-lang/python-2.7.1-r1: Multiple vulnerabilities (CVE-2010-3492,CVE-2011-1015)
Summary: <dev-lang/python-2.7.1-r1: Multiple vulnerabilities (CVE-2010-3492,CVE-2011-1...
Alias: CVE-2010-3492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: 358717
  Show dependency tree
Reported: 2011-03-13 09:10 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-01-06 21:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:10:16 UTC
A vulnerability has been discovered in Python, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to the "CGIHTTPServer" module incorrectly handling HTTP requests to scripts in the "cgi-bin" directory without e.g. "/" at the beginning of the URI. This can be exploited to retrieve the source code of CGI scripts by sending specially crafted requests to the server.

The vulnerability is confirmed in version 2.6.6. Other versions may also be affected.

Fixed in the SVN repository and version 2.7 and later.

Provided and/or discovered by
Reported by m.sucajtys in a Python bug.

Original Advisory
Python Bug 2254:
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:12:10 UTC
Python maintainers, is it OK to stabilize python-2.7.1-r1? Or would you prefer to backport the patch?
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:25:34 UTC
The change is incompatible, so it cannot be backported. dev-lang/python-2.7.1-r1 will be stabilized in bug #358717.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:40:14 UTC
By the way, Python 2.7.1 fixes a bug, which isn't a security vulnerability, but received CVE-2010-3492.
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-06-05 22:47:10 UTC
Stabilization has been finished.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-06-06 01:56:17 UTC
Arfrever, please do not change the status whiteboard. Thank you. Thanks too for the pointer on CVE-2010-3492.

Rerating as A3 for CVE-2010-3492 which the NVD lists as AV:N/AC:L/Au:N/C:N/I:N/A:P. Added to existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:17:51 UTC
CVE-2010-3492 (
  The asyncore module in Python before 3.2 does not properly handle
  unsuccessful calls to the accept function, and does not have accompanying
  documentation describing how daemon applications should handle unsuccessful
  calls to the accept function, which makes it easier for remote attackers to
  conduct denial of service attacks that terminate these applications via
  network connections.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:03:49 UTC
CVE-2011-1015 (
  The is_cgi method in in the CGIHTTPServer module in Python
  2.5, 2.6, and 3.0 allows remote attackers to read script source code via an
  HTTP GET request that lacks a / (slash) character at the beginning of the
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:01 UTC
This issue was resolved and addressed in
 GLSA 201401-04 at
by GLSA coordinator Sergey Popov (pinkbyte).