var-201410-1319
Vulnerability from variot
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. Python is prone to an integer-overflow vulnerability because it fails to properly bounds check user-supplied input before copying it into an insufficiently sized buffer. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. Versions prior to Python 2.7.8 are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/python < 3.3.5-r1 *>= 2.7.9-r1 >= 3.3.5-r1
Description
Multiple vulnerabilities have been discovered in Python. Please review the CVE identifiers referenced below for details.
Workaround
There is no known workaround at this time.
Resolution
All Python 3.3 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-3.3.5-r1"
All Python 2.7 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.9-r1"
References
[ 1 ] CVE-2013-1752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752 [ 2 ] CVE-2013-7338 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338 [ 3 ] CVE-2014-1912 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912 [ 4 ] CVE-2014-2667 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667 [ 5 ] CVE-2014-4616 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616 [ 6 ] CVE-2014-7185 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185 [ 7 ] CVE-2014-9365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201503-10
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. ============================================================================ Ubuntu Security Notice USN-2653-1 June 25, 2015
python2.7, python3.2, python3.4 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python. A malicious ftp, http, imap, nntp, pop or smtp server could use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.10: python2.7 2.7.8-10ubuntu1.1 python2.7-minimal 2.7.8-10ubuntu1.1 python3.4 3.4.2-1ubuntu0.1 python3.4-minimal 3.4.2-1ubuntu0.1
Ubuntu 14.04 LTS: python2.7 2.7.6-8ubuntu0.2 python2.7-minimal 2.7.6-8ubuntu0.2 python3.4 3.4.0-2ubuntu1.1 python3.4-minimal 3.4.0-2ubuntu1.1
Ubuntu 12.04 LTS: python2.7 2.7.3-0ubuntu3.8 python2.7-minimal 2.7.3-0ubuntu3.8 python3.2 3.2.3-0ubuntu3.7 python3.2-minimal 3.2.3-0ubuntu3.7
In general, a standard system update will make all the necessary changes. 7) - noarch, x86_64
- The python27 collection provide a stable release of Python 2.7 with a number of additional utilities and database connectors for MySQL and PostgreSQL.
The python27-python packages have been upgraded to upstream version 2.7.8, which provides numerous bug fixes over the previous version. (BZ#1167912)
The following security issues were fixed in the python27-python component:
It was discovered that the socket.recvfrom_into() function failed to check the size of the supplied buffer. (CVE-2014-4616)
In addition, this update adds the following enhancement:
-
The python27 Software Collection now includes the python-wheel and python-pip modules. All running python27 instances must be restarted for this update to take effect. 6) - i386, x86_64
-
Space precludes documenting all of these changes in this advisory. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: python security, bug fix, and enhancement update Advisory ID: RHSA-2015:2101-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2101.html Issue date: 2015-11-19 CVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-4616 CVE-2014-4650 CVE-2014-7185 =====================================================================
- Summary:
Updated python packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme, or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC).
It was discovered that the Python xmlrpclib module did not restrict the size of gzip-compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753)
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict the sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory. (CVE-2013-1752)
It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose the source code of the scripts in the cgi-bin directory. An attacker able to control these arguments could use this flaw to disclose portions of the application memory or cause it to crash. (CVE-2014-7185)
A flaw was found in the way the json module handled negative index arguments passed to certain functions (such as raw_decode()). An attacker able to control the index value passed to one of the affected functions could possibly use this flaw to disclose portions of the application memory. (CVE-2014-4616)
The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data. (CVE-2014-9365)
Note: The Python standard library was updated to make it possible to enable certificate verification by default. However, for backwards compatibility, verification remains disabled by default. Future updates may change this default. Refer to the Knowledgebase article 2039753 linked to in the References section for further details about this change. (BZ#1219108)
This update also fixes the following bugs:
-
Subprocesses used with the Eventlet library or regular threads previously tried to close epoll file descriptors twice, which led to an "Invalid argument" error. Subprocesses have been fixed to close the file descriptors only once. (BZ#1103452)
-
When importing the readline module from a Python script, Python no longer produces erroneous random characters on stdout. (BZ#1189301)
-
The cProfile utility has been fixed to print all values that the "-s" option supports when this option is used without a correct value. (BZ#1237107)
-
The load_cert_chain() function now accepts "None" as a keyfile argument. (BZ#1250611)
In addition, this update adds the following enhancements:
-
Security enhancements as described in PEP 466 have been backported to the Python standard library, for example, new features of the ssl module: Server Name Indication (SNI) support, support for new TLSv1.x protocols, new hash algorithms in the hashlib module, and many more. (BZ#1111461)
-
Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl library. (BZ#1192015)
-
The ssl.SSLSocket.version() method is now available to access information about the version of the SSL protocol used in a connection. (BZ#1259421)
All python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding 1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib 1058482 - tmpwatch removes python multiprocessing sockets 1112285 - CVE-2014-4616 python: missing boundary check in JSON module 1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs 1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read 1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476) 1177613 - setup.py bdist_rpm NameError: global name 'get_python_version' is not defined 1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv 1237107 - cProfile main() traceback if options syntax is invalid 1250611 - SSLContext.load_cert_chain() keyfile argument can't be set to None 1259421 - Backport SSLSocket.version() to python 2.7.5
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: python-2.7.5-34.el7.src.rpm
x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: python-2.7.5-34.el7.src.rpm
x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: python-2.7.5-34.el7.src.rpm
aarch64: python-2.7.5-34.el7.aarch64.rpm python-debuginfo-2.7.5-34.el7.aarch64.rpm python-devel-2.7.5-34.el7.aarch64.rpm python-libs-2.7.5-34.el7.aarch64.rpm
ppc64: python-2.7.5-34.el7.ppc64.rpm python-debuginfo-2.7.5-34.el7.ppc.rpm python-debuginfo-2.7.5-34.el7.ppc64.rpm python-devel-2.7.5-34.el7.ppc64.rpm python-libs-2.7.5-34.el7.ppc.rpm python-libs-2.7.5-34.el7.ppc64.rpm
ppc64le: python-2.7.5-34.el7.ppc64le.rpm python-debuginfo-2.7.5-34.el7.ppc64le.rpm python-devel-2.7.5-34.el7.ppc64le.rpm python-libs-2.7.5-34.el7.ppc64le.rpm
s390x: python-2.7.5-34.el7.s390x.rpm python-debuginfo-2.7.5-34.el7.s390.rpm python-debuginfo-2.7.5-34.el7.s390x.rpm python-devel-2.7.5-34.el7.s390x.rpm python-libs-2.7.5-34.el7.s390.rpm python-libs-2.7.5-34.el7.s390x.rpm
x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: python-debug-2.7.5-34.el7.aarch64.rpm python-debuginfo-2.7.5-34.el7.aarch64.rpm python-test-2.7.5-34.el7.aarch64.rpm python-tools-2.7.5-34.el7.aarch64.rpm tkinter-2.7.5-34.el7.aarch64.rpm
ppc64: python-debug-2.7.5-34.el7.ppc64.rpm python-debuginfo-2.7.5-34.el7.ppc64.rpm python-test-2.7.5-34.el7.ppc64.rpm python-tools-2.7.5-34.el7.ppc64.rpm tkinter-2.7.5-34.el7.ppc64.rpm
ppc64le: python-debug-2.7.5-34.el7.ppc64le.rpm python-debuginfo-2.7.5-34.el7.ppc64le.rpm python-test-2.7.5-34.el7.ppc64le.rpm python-tools-2.7.5-34.el7.ppc64le.rpm tkinter-2.7.5-34.el7.ppc64le.rpm
s390x: python-debug-2.7.5-34.el7.s390x.rpm python-debuginfo-2.7.5-34.el7.s390x.rpm python-test-2.7.5-34.el7.s390x.rpm python-tools-2.7.5-34.el7.s390x.rpm tkinter-2.7.5-34.el7.s390x.rpm
x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: python-2.7.5-34.el7.src.rpm
x86_64: python-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.i686.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-devel-2.7.5-34.el7.x86_64.rpm python-libs-2.7.5-34.el7.i686.rpm python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: python-debug-2.7.5-34.el7.x86_64.rpm python-debuginfo-2.7.5-34.el7.x86_64.rpm python-test-2.7.5-34.el7.x86_64.rpm python-tools-2.7.5-34.el7.x86_64.rpm tkinter-2.7.5-34.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2013-1752 https://access.redhat.com/security/cve/CVE-2013-1753 https://access.redhat.com/security/cve/CVE-2014-4616 https://access.redhat.com/security/cve/CVE-2014-4650 https://access.redhat.com/security/cve/CVE-2014-7185 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/2039753 https://www.python.org/dev/peps/pep-0466/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v qMX3qLAXBobeDiPX4eN9Pxc= =JQMw -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFURgY6mqjQ0CJFipgRAvwgAKDXcnHrFfvCfHLE8+K8hm5c36UF2QCg2paU ZKHEaBTvKIYVDsnVIp/qdrA= =zMF9 -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201410-1319",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "python",
"scope": "eq",
"trust": 1.6,
"vendor": "python",
"version": "2.7.2150"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.2"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.10.4"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.6"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.4"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.5"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.1"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.1150"
},
{
"model": "python",
"scope": "lte",
"trust": 1.0,
"vendor": "python",
"version": "2.7.7"
},
{
"model": "python",
"scope": "eq",
"trust": 1.0,
"vendor": "python",
"version": "2.7.3"
},
{
"model": "linux lts i386",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "linux lts amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "hat enterprise linux workstation optional",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux server optional",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux hpc node optional",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux desktop optional",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "hat enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "red",
"version": "6"
},
{
"model": "software foundation python",
"scope": "eq",
"trust": 0.3,
"vendor": "python",
"version": "2.7.2"
},
{
"model": "software foundation python",
"scope": "eq",
"trust": 0.3,
"vendor": "python",
"version": "2.7"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
}
],
"sources": [
{
"db": "BID",
"id": "70089"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Chris Foster",
"sources": [
{
"db": "BID",
"id": "70089"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
}
],
"trust": 0.9
},
"cve": "CVE-2014-7185",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2014-7185",
"impactScore": 4.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-75129",
"impactScore": 4.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-7185",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201409-970",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-75129",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2014-7185",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a \"buffer\" function. Python is prone to an integer-overflow vulnerability because it fails to properly bounds check user-supplied input before copying it into an insufficiently sized buffer. \nAttackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition. \nVersions prior to Python 2.7.8 are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 dev-lang/python \u003c 3.3.5-r1 *\u003e= 2.7.9-r1\n \u003e= 3.3.5-r1\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Python. Please review\nthe CVE identifiers referenced below for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Python 3.3 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-lang/python-3.3.5-r1\"\n\nAll Python 2.7 users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-lang/python-2.7.9-r1\"\n\nReferences\n==========\n\n[ 1 ] CVE-2013-1752\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752\n[ 2 ] CVE-2013-7338\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338\n[ 3 ] CVE-2014-1912\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912\n[ 4 ] CVE-2014-2667\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667\n[ 5 ] CVE-2014-4616\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616\n[ 6 ] CVE-2014-7185\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185\n[ 7 ] CVE-2014-9365\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201503-10\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2015 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. ============================================================================\nUbuntu Security Notice USN-2653-1\nJune 25, 2015\n\npython2.7, python3.2, python3.4 vulnerabilities\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 14.10\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Python. A malicious ftp, http,\nimap, nntp, pop or smtp server could use this issue to cause a denial of\nservice. This issue only affected Ubuntu\n12.04 LTS and Ubuntu 14.04 LTS. This\nissue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected\nUbuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 14.10:\n python2.7 2.7.8-10ubuntu1.1\n python2.7-minimal 2.7.8-10ubuntu1.1\n python3.4 3.4.2-1ubuntu0.1\n python3.4-minimal 3.4.2-1ubuntu0.1\n\nUbuntu 14.04 LTS:\n python2.7 2.7.6-8ubuntu0.2\n python2.7-minimal 2.7.6-8ubuntu0.2\n python3.4 3.4.0-2ubuntu1.1\n python3.4-minimal 3.4.0-2ubuntu1.1\n\nUbuntu 12.04 LTS:\n python2.7 2.7.3-0ubuntu3.8\n python2.7-minimal 2.7.3-0ubuntu3.8\n python3.2 3.2.3-0ubuntu3.7\n python3.2-minimal 3.2.3-0ubuntu3.7\n\nIn general, a standard system update will make all the necessary changes. 7) - noarch, x86_64\n\n3. The python27 collection provide a stable release of\nPython 2.7 with a number of additional utilities and database connectors\nfor MySQL and PostgreSQL. \n\nThe python27-python packages have been upgraded to upstream version 2.7.8,\nwhich provides numerous bug fixes over the previous version. (BZ#1167912)\n\nThe following security issues were fixed in the python27-python component:\n\nIt was discovered that the socket.recvfrom_into() function failed to check\nthe size of the supplied buffer. (CVE-2014-4616)\n\nIn addition, this update adds the following enhancement:\n\n* The python27 Software Collection now includes the python-wheel and\npython-pip modules. All running python27\ninstances must be restarted for this update to take effect. 6) - i386, x86_64\n\n3. Space precludes documenting all of these changes in this\nadvisory. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: python security, bug fix, and enhancement update\nAdvisory ID: RHSA-2015:2101-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2015-2101.html\nIssue date: 2015-11-19\nCVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-4616 \n CVE-2014-4650 CVE-2014-7185 \n=====================================================================\n\n1. Summary:\n\nUpdated python packages that fix multiple security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nPython is an interpreted, interactive, object-oriented programming language\noften compared to Tcl, Perl, Scheme, or Java. Python includes modules,\nclasses, exceptions, very high level dynamic data types and dynamic typing. \nPython supports interfaces to many system calls and libraries, as well as\nto various windowing systems (X11, Motif, Tk, Mac and MFC). \n\nIt was discovered that the Python xmlrpclib module did not restrict the\nsize of gzip-compressed HTTP responses. A malicious XMLRPC server could\ncause an XMLRPC client using xmlrpclib to consume an excessive amount of\nmemory. (CVE-2013-1753)\n\nIt was discovered that multiple Python standard library modules\nimplementing network protocols (such as httplib or smtplib) failed to\nrestrict the sizes of server responses. A malicious server could cause a\nclient using one of the affected modules to consume an excessive amount of\nmemory. (CVE-2013-1752)\n\nIt was discovered that the CGIHTTPServer module incorrectly handled URL\nencoded paths. A remote attacker could use this flaw to execute scripts\noutside of the cgi-bin directory, or disclose the source code of the\nscripts in the cgi-bin directory. An attacker able to control these arguments\ncould use this flaw to disclose portions of the application memory or cause\nit to crash. (CVE-2014-7185)\n\nA flaw was found in the way the json module handled negative index\narguments passed to certain functions (such as raw_decode()). An attacker\nable to control the index value passed to one of the affected functions\ncould possibly use this flaw to disclose portions of the application\nmemory. (CVE-2014-4616)\n\nThe Python standard library HTTP client modules (such as httplib or urllib)\ndid not perform verification of TLS/SSL certificates when connecting to\nHTTPS servers. A man-in-the-middle attacker could use this flaw to hijack\nconnections and eavesdrop or modify transferred data. (CVE-2014-9365)\n\nNote: The Python standard library was updated to make it possible to enable\ncertificate verification by default. However, for backwards compatibility,\nverification remains disabled by default. Future updates may change this\ndefault. Refer to the Knowledgebase article 2039753 linked to in the\nReferences section for further details about this change. (BZ#1219108)\n\nThis update also fixes the following bugs:\n\n* Subprocesses used with the Eventlet library or regular threads previously\ntried to close epoll file descriptors twice, which led to an \"Invalid\nargument\" error. Subprocesses have been fixed to close the file descriptors\nonly once. (BZ#1103452)\n\n* When importing the readline module from a Python script, Python no longer\nproduces erroneous random characters on stdout. (BZ#1189301)\n\n* The cProfile utility has been fixed to print all values that the \"-s\"\noption supports when this option is used without a correct value. \n(BZ#1237107)\n\n* The load_cert_chain() function now accepts \"None\" as a keyfile argument. \n(BZ#1250611)\n\nIn addition, this update adds the following enhancements:\n\n* Security enhancements as described in PEP 466 have been backported to the\nPython standard library, for example, new features of the ssl module:\nServer Name Indication (SNI) support, support for new TLSv1.x protocols,\nnew hash algorithms in the hashlib module, and many more. (BZ#1111461)\n\n* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl\nlibrary. (BZ#1192015)\n\n* The ssl.SSLSocket.version() method is now available to access information\nabout the version of the SSL protocol used in a connection. (BZ#1259421)\n\nAll python users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding\n1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib\n1058482 - tmpwatch removes python multiprocessing sockets\n1112285 - CVE-2014-4616 python: missing boundary check in JSON module\n1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs\n1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read\n1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)\n1177613 - setup.py bdist_rpm NameError: global name \u0027get_python_version\u0027 is not defined\n1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv\n1237107 - cProfile main() traceback if options syntax is invalid\n1250611 - SSLContext.load_cert_chain() keyfile argument can\u0027t be set to None\n1259421 - Backport SSLSocket.version() to python 2.7.5\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\npython-2.7.5-34.el7.src.rpm\n\nx86_64:\npython-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.i686.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-libs-2.7.5-34.el7.i686.rpm\npython-libs-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\npython-debug-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-devel-2.7.5-34.el7.x86_64.rpm\npython-test-2.7.5-34.el7.x86_64.rpm\npython-tools-2.7.5-34.el7.x86_64.rpm\ntkinter-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\npython-2.7.5-34.el7.src.rpm\n\nx86_64:\npython-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.i686.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-devel-2.7.5-34.el7.x86_64.rpm\npython-libs-2.7.5-34.el7.i686.rpm\npython-libs-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\npython-debug-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-test-2.7.5-34.el7.x86_64.rpm\npython-tools-2.7.5-34.el7.x86_64.rpm\ntkinter-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\npython-2.7.5-34.el7.src.rpm\n\naarch64:\npython-2.7.5-34.el7.aarch64.rpm\npython-debuginfo-2.7.5-34.el7.aarch64.rpm\npython-devel-2.7.5-34.el7.aarch64.rpm\npython-libs-2.7.5-34.el7.aarch64.rpm\n\nppc64:\npython-2.7.5-34.el7.ppc64.rpm\npython-debuginfo-2.7.5-34.el7.ppc.rpm\npython-debuginfo-2.7.5-34.el7.ppc64.rpm\npython-devel-2.7.5-34.el7.ppc64.rpm\npython-libs-2.7.5-34.el7.ppc.rpm\npython-libs-2.7.5-34.el7.ppc64.rpm\n\nppc64le:\npython-2.7.5-34.el7.ppc64le.rpm\npython-debuginfo-2.7.5-34.el7.ppc64le.rpm\npython-devel-2.7.5-34.el7.ppc64le.rpm\npython-libs-2.7.5-34.el7.ppc64le.rpm\n\ns390x:\npython-2.7.5-34.el7.s390x.rpm\npython-debuginfo-2.7.5-34.el7.s390.rpm\npython-debuginfo-2.7.5-34.el7.s390x.rpm\npython-devel-2.7.5-34.el7.s390x.rpm\npython-libs-2.7.5-34.el7.s390.rpm\npython-libs-2.7.5-34.el7.s390x.rpm\n\nx86_64:\npython-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.i686.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-devel-2.7.5-34.el7.x86_64.rpm\npython-libs-2.7.5-34.el7.i686.rpm\npython-libs-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\naarch64:\npython-debug-2.7.5-34.el7.aarch64.rpm\npython-debuginfo-2.7.5-34.el7.aarch64.rpm\npython-test-2.7.5-34.el7.aarch64.rpm\npython-tools-2.7.5-34.el7.aarch64.rpm\ntkinter-2.7.5-34.el7.aarch64.rpm\n\nppc64:\npython-debug-2.7.5-34.el7.ppc64.rpm\npython-debuginfo-2.7.5-34.el7.ppc64.rpm\npython-test-2.7.5-34.el7.ppc64.rpm\npython-tools-2.7.5-34.el7.ppc64.rpm\ntkinter-2.7.5-34.el7.ppc64.rpm\n\nppc64le:\npython-debug-2.7.5-34.el7.ppc64le.rpm\npython-debuginfo-2.7.5-34.el7.ppc64le.rpm\npython-test-2.7.5-34.el7.ppc64le.rpm\npython-tools-2.7.5-34.el7.ppc64le.rpm\ntkinter-2.7.5-34.el7.ppc64le.rpm\n\ns390x:\npython-debug-2.7.5-34.el7.s390x.rpm\npython-debuginfo-2.7.5-34.el7.s390x.rpm\npython-test-2.7.5-34.el7.s390x.rpm\npython-tools-2.7.5-34.el7.s390x.rpm\ntkinter-2.7.5-34.el7.s390x.rpm\n\nx86_64:\npython-debug-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-test-2.7.5-34.el7.x86_64.rpm\npython-tools-2.7.5-34.el7.x86_64.rpm\ntkinter-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\npython-2.7.5-34.el7.src.rpm\n\nx86_64:\npython-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.i686.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-devel-2.7.5-34.el7.x86_64.rpm\npython-libs-2.7.5-34.el7.i686.rpm\npython-libs-2.7.5-34.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\npython-debug-2.7.5-34.el7.x86_64.rpm\npython-debuginfo-2.7.5-34.el7.x86_64.rpm\npython-test-2.7.5-34.el7.x86_64.rpm\npython-tools-2.7.5-34.el7.x86_64.rpm\ntkinter-2.7.5-34.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2013-1752\nhttps://access.redhat.com/security/cve/CVE-2013-1753\nhttps://access.redhat.com/security/cve/CVE-2014-4616\nhttps://access.redhat.com/security/cve/CVE-2014-4650\nhttps://access.redhat.com/security/cve/CVE-2014-7185\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/articles/2039753\nhttps://www.python.org/dev/peps/pep-0466/\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2015 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v\nqMX3qLAXBobeDiPX4eN9Pxc=\n=JQMw\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. The verification\n of md5 checksums and GPG signatures is performed automatically for you. You can obtain the\n GPG public key of the Mandriva Security Team by executing:\n\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\n\n You can view other update advisories for Mandriva Linux at:\n\n http://www.mandriva.com/en/support/security/advisories/\n\n If you want to report vulnerabilities, please contact\n\n security_(at)_mandriva.com\n _______________________________________________________________________\n\n Type Bits/KeyID Date User ID\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\n \u003csecurity*mandriva.com\u003e\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.12 (GNU/Linux)\n\niD8DBQFURgY6mqjQ0CJFipgRAvwgAKDXcnHrFfvCfHLE8+K8hm5c36UF2QCg2paU\nZKHEaBTvKIYVDsnVIp/qdrA=\n=zMF9\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-7185"
},
{
"db": "BID",
"id": "70089"
},
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "PACKETSTORM",
"id": "130890"
},
{
"db": "PACKETSTORM",
"id": "132445"
},
{
"db": "PACKETSTORM",
"id": "132160"
},
{
"db": "PACKETSTORM",
"id": "132772"
},
{
"db": "PACKETSTORM",
"id": "134476"
},
{
"db": "PACKETSTORM",
"id": "128780"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-75129",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-7185",
"trust": 2.7
},
{
"db": "BID",
"id": "70089",
"trust": 2.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2014/09/23/5",
"trust": 1.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2014/09/25/47",
"trust": 1.8
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.0296",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "128780",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-75129",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2014-7185",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "130890",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132445",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132160",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132772",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "134476",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "BID",
"id": "70089"
},
{
"db": "PACKETSTORM",
"id": "130890"
},
{
"db": "PACKETSTORM",
"id": "132445"
},
{
"db": "PACKETSTORM",
"id": "132160"
},
{
"db": "PACKETSTORM",
"id": "132772"
},
{
"db": "PACKETSTORM",
"id": "134476"
},
{
"db": "PACKETSTORM",
"id": "128780"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"id": "VAR-201410-1319",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-29T22:34:46.272000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "python-2.7.8-macosx10.6",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51789"
},
{
"title": "python-2.7.8",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51788"
},
{
"title": "Python-2.7.8",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51791"
},
{
"title": "Python-2.7.8",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=51790"
},
{
"title": "Debian CVElist Bug Report Logs: CVE-2014-7185: python2.7: integer overflow in \u0027buffer\u0027 type allows reading memory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=73ce28914e06a841be6adab32623deac"
},
{
"title": "Red Hat: CVE-2014-7185",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2014-7185"
},
{
"title": "Ubuntu Security Notice: python2.7, python3.2, python3.4 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-2653-1"
},
{
"title": "Amazon Linux AMI: ALAS-2014-440",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2014-440"
},
{
"title": "Amazon Linux AMI: ALAS-2015-621",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2015-621"
},
{
"title": "Apple: OS X Yosemite v10.10.5 and Security Update 2015-006",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=9834d0d73bf28fb80d3390930bafd906"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=435ed9abc2fb1e74ce2a69605a01e326"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - January 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=8ad80411af3e936eb2998df70506cc71"
},
{
"title": "wale_seg_fault",
"trust": 0.1,
"url": "https://github.com/blakeblackshear/wale_seg_fault "
},
{
"title": "LinuxFlaw",
"trust": 0.1,
"url": "https://github.com/mudongliang/LinuxFlaw "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-189",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://rhn.redhat.com/errata/rhsa-2015-1064.html"
},
{
"trust": 2.1,
"url": "http://bugs.python.org/issue21831"
},
{
"trust": 2.1,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"trust": 2.1,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/201503-10"
},
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2015-1330.html"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/bid/70089"
},
{
"trust": 1.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1146026"
},
{
"trust": 1.8,
"url": "https://support.apple.com/kb/ht205031"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-october/139663.html"
},
{
"trust": 1.8,
"url": "http://www.openwall.com/lists/oss-security/2014/09/23/5"
},
{
"trust": 1.8,
"url": "http://www.openwall.com/lists/oss-security/2014/09/25/47"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-updates/2014-10/msg00016.html"
},
{
"trust": 1.8,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96193"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7185"
},
{
"trust": 0.6,
"url": "https://www.suse.com/support/update/announcement/2020/suse-su-20200234-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0296/"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1752"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2014-7185"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-4616"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-4650"
},
{
"trust": 0.3,
"url": "https://blogs.oracle.com/sunsecurity/entry/cve_2014_7185_integer_overflow"
},
{
"trust": 0.3,
"url": "http://www.python.org/"
},
{
"trust": 0.3,
"url": "http://prod.lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023300"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023439"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-1912"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1753"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2013-1752"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2014-4650"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2014-4616"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2014-1912"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2013-1753"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/189.html"
},
{
"trust": 0.1,
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763848"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=36498"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/2653-1/"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-7185"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-2667"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-1912"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-7338"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-4616"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7338"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-2667"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9365"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-9365"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2013-1752"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python2.7/2.7.8-10ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python3.4/3.4.2-1ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.8"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.7"
},
{
"trust": 0.1,
"url": "http://www.ubuntu.com/usn/usn-2653-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/python3.4/3.4.0-2ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/1495363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/2039753"
},
{
"trust": 0.1,
"url": "https://www.python.org/dev/peps/pep-0466/"
},
{
"trust": 0.1,
"url": "https://rhn.redhat.com/errata/rhsa-2015-2101.html"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7185"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/"
},
{
"trust": 0.1,
"url": "http://www.mandriva.com/en/support/security/advisories/"
},
{
"trust": 0.1,
"url": "http://advisories.mageia.org/mgasa-2014-0399.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "BID",
"id": "70089"
},
{
"db": "PACKETSTORM",
"id": "130890"
},
{
"db": "PACKETSTORM",
"id": "132445"
},
{
"db": "PACKETSTORM",
"id": "132160"
},
{
"db": "PACKETSTORM",
"id": "132772"
},
{
"db": "PACKETSTORM",
"id": "134476"
},
{
"db": "PACKETSTORM",
"id": "128780"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-75129"
},
{
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"db": "BID",
"id": "70089"
},
{
"db": "PACKETSTORM",
"id": "130890"
},
{
"db": "PACKETSTORM",
"id": "132445"
},
{
"db": "PACKETSTORM",
"id": "132160"
},
{
"db": "PACKETSTORM",
"id": "132772"
},
{
"db": "PACKETSTORM",
"id": "134476"
},
{
"db": "PACKETSTORM",
"id": "128780"
},
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-10-08T00:00:00",
"db": "VULHUB",
"id": "VHN-75129"
},
{
"date": "2014-10-08T00:00:00",
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"date": "2014-09-23T00:00:00",
"db": "BID",
"id": "70089"
},
{
"date": "2015-03-19T00:39:44",
"db": "PACKETSTORM",
"id": "130890"
},
{
"date": "2015-06-25T14:18:51",
"db": "PACKETSTORM",
"id": "132445"
},
{
"date": "2015-06-04T16:14:38",
"db": "PACKETSTORM",
"id": "132160"
},
{
"date": "2015-07-22T17:54:07",
"db": "PACKETSTORM",
"id": "132772"
},
{
"date": "2015-11-20T00:47:36",
"db": "PACKETSTORM",
"id": "134476"
},
{
"date": "2014-10-21T20:29:44",
"db": "PACKETSTORM",
"id": "128780"
},
{
"date": "2014-09-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"date": "2014-10-08T17:55:05.187000",
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-10-25T00:00:00",
"db": "VULHUB",
"id": "VHN-75129"
},
{
"date": "2019-10-25T00:00:00",
"db": "VULMON",
"id": "CVE-2014-7185"
},
{
"date": "2016-07-06T13:15:00",
"db": "BID",
"id": "70089"
},
{
"date": "2020-02-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201409-970"
},
{
"date": "2024-11-21T02:16:28.973000",
"db": "NVD",
"id": "CVE-2014-7185"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Python \u2018 bufferobject.c \u0027Integer overflow vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "digital error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201409-970"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.