Bugzilla – Bug 916890
VUL-1: CVE-2014-3539 python-rope: pickle.load of remotely supplied data with no authentication required
Last modified: 2015-03-03 16:05:30 UTC
rh#1116485 Kurt Seifried and Vasyl Kaigorodov of Red Hat Product Security report:

pickle.load of remotely supplied data with no auth, RCE. See RH bug for details.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1116485
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3539
bugbot adjusting priority
The author, as described here: https://github.com/python-rope/rope/issues/105, has already worked on a solution: https://gitorious.org/rope/rope/commits/58b1c31c33842001ee0cac0078861e5f6567da6a
Note that the issue is not fully fixed by the upstream patch. The most important change is that the listening server is now restricted to localhost, but it is still open to other local users without authentication. The patch also disables the vulnerable feature by default, but this can be overridden in a custom config, and it's possible that it will remain active in cases where the user already has a custom config with this enabled. Still worth the update for the localhost restriction. For Factory and new installs, disabling the feature by default should be sufficient, and so we can wait for upstream to deliver a proper fix.
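The root cause reported above is pickle.load on bytes received over the network: any GLOBAL lookup in the stream can resolve to a callable. The following is an added example, not code from rope or from the upstream patch (which restricts the listener to localhost), showing the complementary mitigation of a restricted Unpickler that rejects every global lookup, so only plain data types survive deserialization. The sample blobs are constructed in place of bytes read from a socket.

```python
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. Kept empty:
# plain containers and scalars (dict, list, tuple, str, bytes, int, ...)
# need no global lookup, so anything reaching find_class is suspect.
SAFE_GLOBALS = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside SAFE_GLOBALS.

    Every GLOBAL / STACK_GLOBAL opcode in the stream is resolved through
    find_class, so rejecting the lookup here blocks callable references.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize data, allowing only plain data types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) for a received blob."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample inputs standing in for bytes read from the socket.
PLAIN_MESSAGE = pickle.dumps({"path": "/tmp/x.py", "line": 12})
# A stream that resolves a global: here the harmless builtin `len`. Every
# callable reference takes the same path, so this blob is rejected.
GLOBAL_MESSAGE = pickle.dumps(len)

if __name__ == "__main__":
    for blob in (PLAIN_MESSAGE, GLOBAL_MESSAGE):
        print(try_load(blob))
```

Plain `pickle.loads(GLOBAL_MESSAGE)` would happily return the `len` function; the restricted loader turns that same lookup into an error before anything is resolved.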
This is an autogenerated message for OBS integration: This bug (916890) was mentioned in https://build.opensuse.org/request/show/287349 13.2+13.1 / python-rope
was released
openSUSE-SU-2015:0413-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 916890
CVE References: CVE-2014-3539
Sources used:
openSUSE 13.2 (src): python-rope-0.9.4-8.4.1
openSUSE 13.1 (src): python-rope-0.9.4-6.4.1