Your message dated Sun, 30 May 2010 15:41:14 +0000
with message-id <[email protected]>
and subject line Bug#572010: fixed in python2.6 2.6.5+20100529-1
has caused the Debian Bug report #572010,
regarding CVE-2008-5983 untrusted search path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
572010: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572010
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python2.6
Version: 2.6.4-6
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for python2.6.

CVE-2008-5983[0]:
| Untrusted search path vulnerability in the PySys_SetArgv API function
| in Python 2.6 and earlier, and possibly later versions, prepends an
| empty string to sys.path when the argv[0] argument does not contain a
| path separator, which might allow local users to execute arbitrary
| code via a Trojan horse Python file in the current working directory.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Note there appears to be no upstream solution at the moment.  There is
a proposed patch [1], but for some reason it hasn't been reviewed yet by
upstream after over half a year.  The redhat bug [2] may also be useful.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983
    http://security-tracker.debian.org/tracker/CVE-2008-5983
[1] http://bugs.python.org/issue5753
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5983



--- End Message ---
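The mechanism the CVE text describes, as an added, constructed demonstration (this is not code from the bug report, from the python2.6 package or from upstream; the application name `myapp`, the module `app_helper`, the `ORIGIN` marker and the temporary directories are all made up for the example). PySys_SetArgv() prepends to sys.path the directory of argv[0], or "" when argv[0] has no path separator, and "" is resolved against the current working directory on every import, so an embedding program started as plain `myapp` imports a same-named module from whatever directory it happens to run in. The upstream fix tracked in issue #5753 added PySys_SetArgvEx(argc, argv, updatepath) so a host can pass updatepath=0 and leave sys.path untouched; the third run below models that choice. The script runs the three variants in a child interpreter from an attacker-controlled working directory:

```python
"""Added demonstration of CVE-2008-5983 (constructed example, not code from
the Debian report or from the python2.6 package).

PySys_SetArgv() prepends to sys.path the directory of argv[0], or "" when
argv[0] has no path separator.  "" means "the current working directory at
import time", so an embedding program started as plain `myapp` will import a
module of the right name from whatever directory it is run in.
"""
import os
import subprocess
import sys
import tempfile

# Constructed files: the genuine helper shipped with the application and the
# attacker's same-named file dropped into the working directory.
GENUINE_SOURCE = 'ORIGIN = "genuine app module"\n'
TROJAN_SOURCE = 'ORIGIN = "trojan in cwd"\n'


def sys_path_head_for_argv0(argv0):
    """Model of the affected PySys_SetArgv() rule for the entry it prepends."""
    has_sep = os.sep in argv0 or (os.altsep is not None and os.altsep in argv0)
    if has_sep:
        return os.path.dirname(os.path.abspath(argv0))
    return ""  # empty string: resolved against the CWD on every import


def untrusted_entries(path_list):
    """sys.path entries that make imports depend on the working directory."""
    return [p for p in path_list if p in ("", ".")]


def run_embedded_app(workdir, head_entry):
    """Run a stand-in for the embedding application in a child interpreter.

    `head_entry` is what the host prepended to sys.path (None models
    PySys_SetArgvEx(..., updatepath=0), which leaves sys.path alone).  The
    child runs with `workdir` as its CWD and imports `app_helper`.
    Returns (returncode, stdout)."""
    child = (
        "import os, sys\n"
        # 'python -c' puts the CWD first on its own; strip CWD-relative
        # entries so the outcome depends only on head_entry.
        "sys.path = [p for p in sys.path if p not in ('', '.', os.getcwd())]\n"
        "head = %r\n"
        "if head is not None:\n"
        "    sys.path.insert(0, head)\n"
        "import app_helper\n"
        "print(app_helper.ORIGIN)\n"
    ) % (head_entry,)
    proc = subprocess.run([sys.executable, "-c", child], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def demo():
    """Three runs from the attacker-controlled directory; returns their results."""
    with tempfile.TemporaryDirectory() as appdir, \
            tempfile.TemporaryDirectory() as attacker_cwd:
        with open(os.path.join(appdir, "app_helper.py"), "w") as f:
            f.write(GENUINE_SOURCE)
        with open(os.path.join(attacker_cwd, "app_helper.py"), "w") as f:
            f.write(TROJAN_SOURCE)
        return {
            # argv[0] == "myapp": "" is prepended, the trojan wins.
            "argv0_without_separator":
                run_embedded_app(attacker_cwd, sys_path_head_for_argv0("myapp")),
            # argv[0] is a full path: the app's own directory is prepended.
            "argv0_with_full_path":
                run_embedded_app(attacker_cwd,
                                 sys_path_head_for_argv0(os.path.join(appdir, "myapp"))),
            # updatepath=0: nothing prepended; the host must add trusted dirs itself.
            "updatepath_zero": run_embedded_app(attacker_cwd, None),
        }


if __name__ == "__main__":
    for name, (rc, out) in demo().items():
        print("%-24s rc=%d %s" % (name, rc, out or "(import failed)"))
    print("untrusted entries in this interpreter:", untrusted_entries(sys.path))
```

The first run prints the trojan's marker, the second the genuine module's, and the third fails to import at all, which is the safe failure: a host that passes updatepath=0 has to append its own trusted module directory explicitly. `untrusted_entries(sys.path)` is the one-line check to drop into an embedded interpreter at startup; anything it returns should be removed before the first import of application code. For the stand-alone interpreter the same class of issue is why `python -c` and `python -m` put the working directory first; Python 3.4's `-I` and 3.11's `-P` (or PYTHONSAFEPATH) leave it out.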
--- Begin Message ---
Source: python2.6
Source-Version: 2.6.5+20100529-1

We believe that the bug you reported is fixed in the latest version of
python2.6, which is due to be installed in the Debian FTP archive:

idle-python2.6_2.6.5+20100529-1_all.deb
  to main/p/python2.6/idle-python2.6_2.6.5+20100529-1_all.deb
libpython2.6_2.6.5+20100529-1_i386.deb
  to main/p/python2.6/libpython2.6_2.6.5+20100529-1_i386.deb
python2.6-dbg_2.6.5+20100529-1_i386.deb
  to main/p/python2.6/python2.6-dbg_2.6.5+20100529-1_i386.deb
python2.6-dev_2.6.5+20100529-1_i386.deb
  to main/p/python2.6/python2.6-dev_2.6.5+20100529-1_i386.deb
python2.6-doc_2.6.5+20100529-1_all.deb
  to main/p/python2.6/python2.6-doc_2.6.5+20100529-1_all.deb
python2.6-examples_2.6.5+20100529-1_all.deb
  to main/p/python2.6/python2.6-examples_2.6.5+20100529-1_all.deb
python2.6-minimal_2.6.5+20100529-1_i386.deb
  to main/p/python2.6/python2.6-minimal_2.6.5+20100529-1_i386.deb
python2.6_2.6.5+20100529-1.diff.gz
  to main/p/python2.6/python2.6_2.6.5+20100529-1.diff.gz
python2.6_2.6.5+20100529-1.dsc
  to main/p/python2.6/python2.6_2.6.5+20100529-1.dsc
python2.6_2.6.5+20100529-1_i386.deb
  to main/p/python2.6/python2.6_2.6.5+20100529-1_i386.deb
python2.6_2.6.5+20100529.orig.tar.gz
  to main/p/python2.6/python2.6_2.6.5+20100529.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python2.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 May 2010 15:07:51 +0200
Source: python2.6
Binary: python2.6 python2.6-minimal libpython2.6 python2.6-examples python2.6-dev idle-python2.6 python2.6-doc python2.6-dbg
Architecture: source all i386
Version: 2.6.5+20100529-1
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Description: 
 idle-python2.6 - An IDE for Python (v2.6) using Tkinter
 libpython2.6 - Shared Python runtime library (version 2.6)
 python2.6  - An interactive high-level object-oriented language (version 2.6)
 python2.6-dbg - Debug Build of the Python Interpreter (version 2.6)
 python2.6-dev - Header files and a static library for Python (v2.6)
 python2.6-doc - Documentation for the high-level object-oriented language Python
 python2.6-examples - Examples for the Python language (v2.6)
 python2.6-minimal - A minimal subset of the Python language (version 2.6)
Closes: 572010 574696
Changes: 
 python2.6 (2.6.5+20100529-1) unstable; urgency=low
 .
   * Update to 20100529, taken from the 2.6 release branch (r81601).
     - Fix issue #5753, CVE-2008-5983 python: untrusted python modules
       search path. Closes: #572010.
   * Convert internal dpatch system to quilt.
   * Build the ossaudio extension on GNU/kFreeBSD. Closes: #574696.
Checksums-Sha1:
 f9b231b7c5141b5f78b55ef0b1fb7d2f2a77dfff 1796 python2.6_2.6.5+20100529-1.dsc
 8fbcdfbef21085ba20031da64a3111188e807915 13387166 python2.6_2.6.5+20100529.orig.tar.gz
 e130e87f2e28a0ef89b10836e7614fe901ba0495 241392 python2.6_2.6.5+20100529-1.diff.gz
 a26099a46af5c2a33313761103874c41a46054a6 688364 python2.6-examples_2.6.5+20100529-1_all.deb
 1dfb194b914e3080526f5e6b2be0052edd90e534 289732 idle-python2.6_2.6.5+20100529-1_all.deb
 3a48b0c979f9167ca61cf505fa9fc8b092019072 5697672 python2.6-doc_2.6.5+20100529-1_all.deb
 b8f892ff9378008ea852414af7527970a9d591b9 2478666 python2.6_2.6.5+20100529-1_i386.deb
 4e4fdd7645773340d59d102b3cd96497833cb706 1377914 python2.6-minimal_2.6.5+20100529-1_i386.deb
 181d1bde189336500385790b8d21f4a8437cc4d7 984966 libpython2.6_2.6.5+20100529-1_i386.deb
 60e385e08010c4dcfbe1cfd80eda580c20c82c33 4385800 python2.6-dev_2.6.5+20100529-1_i386.deb
 6fc71358836215c1084275eed15a1b15c610045f 13042740 python2.6-dbg_2.6.5+20100529-1_i386.deb
Checksums-Sha256:
 cb88d088ceb18ad2b0787d9bf67cb8adeea34b1e9b49354d09b1249e91459191 1796 python2.6_2.6.5+20100529-1.dsc
 99cdc278d3533421f225a775d493aa1b7b00cd5a82ee6f63b0018dce49685532 13387166 python2.6_2.6.5+20100529.orig.tar.gz
 8bec625fd5c2732fa98d55c04383bf338883ed4e8f77118c02b5377a28a10e19 241392 python2.6_2.6.5+20100529-1.diff.gz
 5e9b52387659db7b8142310c060a4a5a0c71735975711f09b253d4c9f6a173f6 688364 python2.6-examples_2.6.5+20100529-1_all.deb
 74902e0b3d90a6d27b4084c4fbba3ba25aa4f87570b4c2b93f219ce753d7d9c9 289732 idle-python2.6_2.6.5+20100529-1_all.deb
 b3dacde169ae78b43fbae18b4f7707dfa54a866602a7004f7da9b7ab3e935115 5697672 python2.6-doc_2.6.5+20100529-1_all.deb
 c3b42e9fe6bef18a6b2600cad4fc4c11f724ac93ff84d4fb3f6b65dfdca8600c 2478666 python2.6_2.6.5+20100529-1_i386.deb
 18a48c713401c58869f6d5e6cac9812e14c80543877b0ed81d157b6436b93615 1377914 python2.6-minimal_2.6.5+20100529-1_i386.deb
 f643ed0a7ecd335687bedc7a7f4d95cce3902a331ffc4bbe92ff27ccc216ae53 984966 libpython2.6_2.6.5+20100529-1_i386.deb
 434d42f8cfc197813e757962187835db02cc5e54cb95557d1db8699ff956d3f5 4385800 python2.6-dev_2.6.5+20100529-1_i386.deb
 a1f5c7f4e0020a01e45a8d015300eec539defce0f59addcd7b5a11da7b27b619 13042740 python2.6-dbg_2.6.5+20100529-1_i386.deb
Files:
 10e261ea60d658e2ba4fedd200294681 1796 python optional python2.6_2.6.5+20100529-1.dsc
 5401a13ee6edca79ef51773339c3e4e2 13387166 python optional python2.6_2.6.5+20100529.orig.tar.gz
 08508e34cecffe071f6a51c8e71e71d7 241392 python optional python2.6_2.6.5+20100529-1.diff.gz
 83268cc087d479a148ae0d1a227d3f2a 688364 python optional python2.6-examples_2.6.5+20100529-1_all.deb
 e27ac31c6c40ef5e0aea318e73b76e6f 289732 python optional idle-python2.6_2.6.5+20100529-1_all.deb
 15bf2cb0d3bdbded6713355daa68e8dc 5697672 doc optional python2.6-doc_2.6.5+20100529-1_all.deb
 fff9fc7240c0301a8081d3260470fc86 2478666 python optional python2.6_2.6.5+20100529-1_i386.deb
 96bc6be9680fbe4f81e04d95d2688f0d 1377914 python optional python2.6-minimal_2.6.5+20100529-1_i386.deb
 671b806a13a2f79af0bd791c6ac23f87 984966 libs optional libpython2.6_2.6.5+20100529-1_i386.deb
 0d7eb17c197f9c7c32d851b71715474f 4385800 python optional python2.6-dev_2.6.5+20100529-1_i386.deb
 f40171831926a8d612649e714a127457 13042740 debug extra python2.6-dbg_2.6.5+20100529-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwCeFcACgkQStlRaw+TLJwc0ACgrMstWlDsaTppgVDCz+yz0X9L
VXgAni0Xp/WNL9VzO1a/kSVz8TFVe9et
=XWn6
-----END PGP SIGNATURE-----



--- End Message ---