Bugzilla – Bug 856836
VUL-1: CVE-2013-1752: python: various stdlib read flaws
Last modified: 2020-06-30 19:12:37 UTC
CVE-2013-1752 via oss-sec / rh bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1046174

Multiple denial of service flaws were reported against various parts of Python's stdlib:

* httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4])
* ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8])
* imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11])
* nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15])
* poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18])
* smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x)

Unfortunately, upstream assigned a single CVE to all of these; however, I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions). So this will likely require MITRE to detangle.

[1] http://bugs.python.org/issue16037
[2] http://hg.python.org/cpython/rev/8a22a2804a66/
[3] http://hg.python.org/cpython/rev/582e5072ff89
[4] http://hg.python.org/cpython/rev/e445d02e5306/
[5] http://bugs.python.org/issue16038
[6] http://hg.python.org/cpython/rev/44ac81e6d584/
[7] http://hg.python.org/cpython/rev/8b19e7d0be45/
[8] http://hg.python.org/cpython/rev/38db4d0726bd/
[9] http://bugs.python.org/issue16039
[10] http://hg.python.org/cpython/rev/4190568ceda0/
[11] http://hg.python.org/cpython/rev/4b0364fc5711/
[12] http://bugs.python.org/issue16040
[13] http://hg.python.org/cpython/rev/36680a7c0e22/
[14] http://hg.python.org/cpython/rev/731abf7834c4/
[15] http://hg.python.org/cpython/rev/fc88bd80d925/
[16] http://bugs.python.org/issue16041
[17] http://hg.python.org/cpython/rev/7214e3324a45/
[18] http://hg.python.org/cpython/rev/68029048c9c6/
[19] http://bugs.python.org/issue16042
[20] http://hg.python.org/cpython/rev/8a6def3add5b/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1752
http://bugs.python.org/issue16040
http://bugs.python.org/issue16041
http://bugs.python.org/issue16042
https://bugzilla.redhat.com/show_bug.cgi?id=1046174
http://bugs.python.org/issue16038
http://bugs.python.org/issue16037
http://bugs.python.org/issue16039
http://comments.gmane.org/gmane.comp.security.oss.general/11745
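The flaw class behind CVE-2013-1752 is a client that calls an unlimited readline() on data sent by the remote server, so a hostile peer can force unbounded memory use. The following is an added example (not CPython's patch and not part of this bug report) showing that vulnerable pattern beside a bounded reader of the kind the upstream fixes introduced; MAXLINE, LineTooLong and the sample responses are assumptions for illustration.

```python
import io

# Assumed per-line cap for this example; upstream used a comparable limit.
MAXLINE = 65536

class LineTooLong(Exception):
    """Raised when the peer sends a line longer than MAXLINE bytes."""

def read_line_unbounded(fp):
    # Vulnerable pattern: an unlimited readline() buffers until a newline
    # arrives, so a hostile server can make the client allocate without bound.
    return fp.readline()

def read_line_bounded(fp, maxline=MAXLINE):
    # Hardened pattern: request at most maxline+1 bytes; if more than maxline
    # came back the line is oversize, so abort instead of growing the buffer.
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("line exceeds %d bytes" % maxline)
    return line

def read_status_line(fp, maxline=MAXLINE):
    """Parse one 'CODE text' response line via the bounded reader."""
    line = read_line_bounded(fp, maxline).rstrip(b"\r\n")
    code, _, text = line.partition(b" ")
    return code, text

def accepts_line_of(nbytes, maxline=MAXLINE):
    """True if a line of nbytes payload bytes plus CRLF passes the cap."""
    fp = io.BytesIO(b"A" * nbytes + b"\r\n")
    try:
        read_line_bounded(fp, maxline)
        return True
    except LineTooLong:
        return False

def demo():
    # Constructed sample responses (not captured traffic).
    benign = io.BytesIO(b"200 OK\r\n")
    hostile = io.BytesIO(b"200 " + b"A" * (4 * MAXLINE) + b"\r\n")
    results = {"benign": read_status_line(benign)}
    try:
        read_status_line(hostile)
        results["hostile"] = "accepted"
    except LineTooLong:
        results["hostile"] = "rejected"
    return results
```

The same check belongs on every line the client reads from the peer (status lines, headers, multi-line replies), not only the first one.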
Not sure if this is worth an update.
bugbot adjusting priority
For 13.1, we could do a version-update to 2.7.6 and 3.3.3, and include all the fixes that were left out from that version, and bug 856835. (bug 857003 asks for update to 2.7.6)

Python micro version updates are generally low-risk, as they only include bugfixes. I checked that 2.7.5 -> 2.7.6 does not have any backwards-incompatible changes; I will check 3.3.2 -> 3.3.3 later. We already have the two versions in Factory. python3 will be upgraded to 3.4 when RC1 is released (scheduled Jan 19); that will most likely include all the fixes from upstream.

12.3 has Python 2.7.3 and 3.3.0, so the version upgrade is still viable, but I would be more wary of skipping multiple micro versions. For 12.2 (and lower), it's probably not worth it.

In SLE 11, I suggest a version-update to 2.6.9. The upgrade from 2.6.8 actually *only* contains security fixes [1]; it would even make sense to do the update and call it "patched 2.6.8".

SLE 10 has Python 2.4.2, which is not mentioned in the reports, but most likely is affected by at least some of the issues. Backporting the fixes should not be a problem, but it is probably not worth the update. Same for SLE 9 (Python 2.3.3).

[1] http://python.org/download/releases/2.6.9/NEWS.txt
Submitted the 2.6.9 update for SLE 11 as SR 31879.
This is an autogenerated message for OBS integration: This bug (856836) was mentioned in https://build.opensuse.org/request/show/222059 Factory / python
This is an autogenerated message for OBS integration: This bug (856836) was mentioned in https://build.opensuse.org/request/show/222235 Factory / python
Update released for: libpython2_6-1_0, python, python-base, python-base-debuginfo, python-base-debugsource, python-curses, python-debuginfo, python-debugsource, python-demo, python-devel, python-doc, python-doc-pdf, python-gdbm, python-idle, python-tk, python-xml
Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Let's skip SLE10 for now.
Update released for: libpython2_6-1_0, libpython2_6-1_0-32bit, libpython2_6-1_0-64bit, libpython2_6-1_0-x86, python, python-32bit, python-64bit, python-base, python-base-32bit, python-base-64bit, python-base-debuginfo, python-base-debuginfo-32bit, python-base-debuginfo-64bit, python-base-debuginfo-x86, python-base-debugsource, python-base-x86, python-curses, python-debuginfo, python-debuginfo-32bit, python-debuginfo-64bit, python-debuginfo-x86, python-debugsource, python-demo, python-devel, python-doc, python-doc-pdf, python-gdbm, python-idle, python-tk, python-x86, python-xml
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0337-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 834601,847135,856836,859068
CVE References: CVE-2013-4073,CVE-2013-4238
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): python-2.6.9-0.25.1, python-base-2.6.9-0.25.1, python-doc-2.6-8.25.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): python-2.6.9-0.25.1, python-base-2.6.9-0.25.1, python-doc-2.6-8.25.1
SUSE Linux Enterprise Server 11 SP3 (src): python-2.6.9-0.25.1, python-base-2.6.9-0.25.1, python-doc-2.6-8.25.1
SUSE Linux Enterprise Desktop 11 SP3 (src): python-2.6.9-0.25.1, python-base-2.6.9-0.25.1
Let's do the version updates for 13.1. Let's leave out 12.3 if it's too risky. 12.2 is out of maintenance for us.
This is an autogenerated message for OBS integration: This bug (856836) was mentioned in https://build.opensuse.org/request/show/225093 13.1 / python
openSUSE-SU-2014:0380-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 637176,831442,856835,856836,857470,863741
CVE References: CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912
Sources used:
openSUSE 13.1 (src): python-2.7.6-8.6.1, python-base-2.7.6-8.6.1, python-doc-2.7.6-8.6.1
This is an autogenerated message for OBS integration: This bug (856836) was mentioned in https://build.opensuse.org/request/show/227818 13.1 / python3
openSUSE-SU-2014:0498-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 856835,856836,863741,869222
CVE References: CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2013-7338,CVE-2014-1912
Sources used:
openSUSE 13.1 (src): python3-3.3.5-5.4.1, python3-base-3.3.5-5.4.1, python3-doc-3.3.5-5.4.1
Fixed where relevant, closing.
SUSE-SU-2014:0997-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 827982,834601,847135,856836,859068,863741,872848,885882
CVE References: CVE-2013-1752,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE-SU-2014:1006-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 827982,834601,847135,856836,859068,863741,872848,885882
CVE References: CVE-2013-1752,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE-SU-2014:1012-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 827982,834601,847135,856836,859068,863741,872848,885882
CVE References: CVE-2013-1752,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): python-2.6.9-0.31.1, python-base-2.6.9-0.31.1, python-doc-2.6-8.31.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.

Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.