A vulnerability has been discovered in Python, which can be exploited by malicious people to disclose sensitive information.
The vulnerability is caused by the "CGIHTTPServer" module incorrectly handling HTTP requests to scripts in the "cgi-bin" directory that lack e.g. a "/" at the beginning of the URI. This can be exploited to retrieve the source code of CGI scripts by sending specially crafted requests to the server.
The vulnerability is confirmed in version 2.6.6. Other versions may also be affected.
Fixed in the SVN repository and version 2.7 and later.
Provided and/or discovered by:
Reported by m.sucajtys in a Python bug.
Python Bug 2254:
Python maintainers, is it OK to stabilize python-2.7.1-r1? Or would you prefer to backport the patch?
The change is incompatible, so it cannot be backported. dev-lang/python-2.7.1-r1 will be stabilized in bug #358717.
By the way, Python 2.7.1 fixes a bug, which isn't a security vulnerability, but received CVE-2010-3492.
Stabilization has been finished.
Arfrever, please do not change the status whiteboard. Thank you. Thanks too for the pointer on CVE-2010-3492.
Rerating as A3 for CVE-2010-3492 which the NVD lists as AV:N/AC:L/Au:N/C:N/I:N/A:P. Added to existing GLSA request.
The asyncore module in Python before 3.2 does not properly handle unsuccessful calls to the accept function, and does not have accompanying documentation describing how daemon applications should handle unsuccessful calls to the accept function, which makes it easier for remote attackers to conduct denial of service attacks that terminate these applications via
The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the
This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).
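The following is an added example, not code from this bug thread or from CPython. It is a simplified model of the routing decision described in the advisory and in the is_cgi description above: a literal prefix check on the raw request URI beside a check on a normalized path, plus a log filter that flags requests where the two disagree. All function names and the sample request lines are constructed for illustration.

```python
import posixpath

# "cgi-bin" is the directory named on this page; the leading "/" is what the check expects.
CGI_DIRECTORIES = ["/cgi-bin"]


def is_cgi_prefix_only(path):
    """Simplified model of the flawed check: literal prefix match on the raw URI."""
    for d in CGI_DIRECTORIES:
        if path[:len(d)] == d and (not path[len(d):] or path[len(d)] == "/"):
            return True
    return False


def normalize(path):
    """Drop the query string, force exactly one leading '/', collapse empty segments."""
    path = path.split("?", 1)[0]
    # lstrip first: posixpath.normpath keeps a leading '//' unchanged.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_cgi_normalized(path):
    """Hardened model: make the CGI decision on the normalized path."""
    norm = normalize(path)
    return any(norm == d or norm.startswith(d + "/") for d in CGI_DIRECTORIES)


def source_disclosure_candidates(request_lines):
    """Return request targets that point into a CGI directory but fail the
    prefix-only check, i.e. requests that would be served as plain files."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a well-formed request line
        target = parts[1]
        if is_cgi_normalized(target) and not is_cgi_prefix_only(target):
            hits.append(target)
    return hits


# Constructed sample request lines (not taken from the page).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/report.py HTTP/1.0",
    "GET cgi-bin/report.py HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for target in source_disclosure_candidates(SAMPLE_REQUESTS):
        print("served as a file instead of executed:", target)
```

The same filter can be run over access logs from a host that was running an affected version to check whether script source was ever requested this way.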