Brian Bird has reported a vulnerability in Cheetah, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused by Cheetah searching for modules in the world-writable "/tmp" directory before looking in the PythonPath when importing modules. This can be exploited to execute arbitrary code with escalated privileges by placing a malicious module in the "/tmp" directory.
The vulnerability has been fixed in version 0.9.17-rc1.
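The root cause above is an import search path that contains a directory any local user can write to. The following audit is an added example, not code from the advisory or from the Cheetah project: it flags search-path entries that are group- or world-writable (the sticky bit on /tmp does not help, since any user can still create a new module file there) or empty (which Python resolves to the current working directory), and returns a hardened copy of the path. The `demo()` function builds a constructed scratch layout with a "shared_tmp" directory standing in for /tmp; all names in it are assumptions for the example.

```python
import os
import shutil
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if `path` is a directory that group or other users may write into.
    The sticky bit on /tmp only stops users deleting each other's files; anyone
    can still drop a new module file there, so mode 1777 is still flagged."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def unsafe_search_entries(search_path):
    """Return the entries of an import search path in which another local user
    could plant a module: group/world-writable directories, and the empty
    string, which Python resolves to the current working directory."""
    flagged = []
    for entry in search_path:
        target = entry if entry else os.getcwd()
        if entry == "" or writable_by_others(target):
            flagged.append(entry)
    return flagged


def harden_search_path(search_path):
    """Return a copy of `search_path` with the unsafe entries removed, order preserved."""
    unsafe = set(unsafe_search_entries(search_path))
    return [e for e in search_path if e not in unsafe]


def demo():
    """Audit a constructed search path in a scratch directory (assumed layout).
    Returns (flagged_basenames, hardened_basenames) so the result can be checked."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        shared = os.path.join(root, "shared_tmp")      # stands in for /tmp
        private = os.path.join(root, "site_packages")  # stands in for a proper site dir
        os.mkdir(shared)
        os.mkdir(private)
        os.chmod(shared, 0o1777)   # world-writable with sticky bit, like /tmp
        os.chmod(private, 0o755)   # writable by owner only
        search_path = [shared, private, ""]
        flagged = unsafe_search_entries(search_path)
        hardened = harden_search_path(search_path)

        def name(p):
            return os.path.basename(p) if p else "<cwd>"

        return [name(p) for p in flagged], [name(p) for p in hardened]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Review the interpreter's live search path, then show the constructed case.
    print("live sys.path entries to review:", unsafe_search_entries(sys.path))
    print("constructed demo:", demo())
```

Running the script with the interpreter used by a privileged program shows which of its own `sys.path` entries would let a local user inject code; the hardened list is what such a program should be importing from.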
Provided and/or discovered by:
Python team, please bump
Bumped to 0.9.17-rc1 in CVS, removed vulnerable versions.
Thanks for the swift reaction. Committed directly to stable; this one is ready for