OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 23-Jan-2003 11:36:10 Branch: HEAD Handle: 2003012310361000 Modified files: openpkg-web/security OpenPKG-SA-2003.006-python.txt Log: final polishing and signing Summary: Revision Changes Path 1.3 +20 -11 openpkg-web/security/OpenPKG-SA-2003.006-python.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.006-python.txt ============================================================================ $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.006-python.txt --- openpkg-web/security/OpenPKG-SA-2003.006-python.txt 23 Jan 2003 10:26:39 -0000 1.2 +++ openpkg-web/security/OpenPKG-SA-2003.006-python.txt 23 Jan 2003 10:36:10 -0000 1.3 @@ -1,3 +1,6 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project @@ -7,7 +10,7 @@ ________________________________________________________________________ Package: python -Vulnerability: predictable filename allows arbitrary code execution +Vulnerability: predictable filename allows arbitrary code execution OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: 
@@ -19,18 +22,17 @@ Description: Zack Weinberg discovered an insecure use of a predictable file name - [0] in Python, a interpreted, interactive, object-oriented programming - language [1]. Python attempts to exec a file which does not exist just - to find out what error the operating system returns. It uses a - constant filename for this task which could lead to execution of - arbitrary code. The Common Vulnerabilities and Exposures (CVE) - project assigned the id CAN-2002-1119 [2] to the problem. + [0] in the Python programming language [1]. Python attempts to execute + a file which is assumed to not exist just to find out what error + the operating system returns in this situation. It uses a constant + filename for this task which could lead to the execution of arbitrary + code. The Common Vulnerabilities and Exposures (CVE) project assigned + the id CAN-2002-1119 [2] to the problem. Please check whether you are affected by running "<prefix>/bin/rpm -q - python". If you have the "python" package installed and its version is - affected (see above), we recommend that you immediately upgrade it - (see Solution) and it's dependent packages (see above), if any, too. - [3][4] + python". If you have the "python" package installed and its version + is affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release @@ -72,3 +74,10 @@ the command "gpg --verify --keyserver keyserver.pgp.com". ________________________________________________________________________ +-----BEGIN PGP SIGNATURE----- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQE+L8WAgHWT4GPEy58RAtl5AJ40nGCQKxI5yrs4KnKMaRI5veFM4ACePHmi +z8mwYutcBLXjOsWlMf5CEZM= +=OSaV +-----END PGP SIGNATURE----- @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
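Review bot: in the first hunk (@@ -1,3 +1,6 @@), adding the "-----BEGIN PGP SIGNED MESSAGE-----" / "Hash: SHA1" header turns the advisory into a clearsigned document, so everything from the blank line after "Hash: SHA1" down to the signature block is what the signature covers; the wording and whitespace edits in the later hunks therefore had to land before signing, and any further "polishing" of this file after this revision needs the signature regenerated. Suggest the log message state that the text is frozen as of 1.3.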
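Review bot: in the second hunk (@@ -7,7 +10,7 @@) the removed and added "Vulnerability: predictable filename allows arbitrary code execution" lines are identical as displayed, so the change is whitespace only (presumably trailing whitespace). A whitespace-only hunk is easy to mistake for no change in review; since the file is being signed in the same revision, suggest mentioning the whitespace cleanup in the log or checking with "cvs diff -u -b" that nothing else differs.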
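Review bot: in the third hunk (@@ -19,18 +22,17 @@) the rewrite drops the old advice to also upgrade "it's dependent packages (see above), if any"; that is fine only if the advisory header lists no dependent packages for python, so please confirm the header fields agree before signing. The new text still does not say where the constant filename lives or what an attacker needs (for example, whether a local user must be able to pre-create that file), and one sentence on that precondition would let administrators judge their exposure. Minor style point: "a file which is assumed to not exist" reads better as "a file which is assumed not to exist".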
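Review bot: in the fourth hunk (@@ -72,3 +74,10 @@) the signature block is added right after the context line telling readers to verify with the command "gpg --verify --keyserver keyserver.pgp.com", which has no file argument and is not accompanied by the key id or fingerprint readers should expect to see. Suggest the verification instructions name the advisory file as the argument and state the OpenPKG signing key's id so that a verified signature from an unexpected key is noticed.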