ALAS-2015-552


Amazon Linux 1 Security Advisory: ALAS-2015-552
Advisory Release Date: 2015-06-22 10:31 Pacific
Advisory Updated Date: 2017-08-31 22:55 Pacific
Severity: Medium

Issue Overview:

It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.(CVE-2013-1752)

It was discovered that the Python xmlrpclib did not restrict the size of a gzip compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory. (CVE-2013-1753)

The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.(CVE-2014-9365)


Affected Packages:

python27


Issue Correction:
Run yum update python27 to update your system.

New Packages:
i686:
    python27-devel-2.7.9-4.114.amzn1.i686
    python27-tools-2.7.9-4.114.amzn1.i686
    python27-2.7.9-4.114.amzn1.i686
    python27-debuginfo-2.7.9-4.114.amzn1.i686
    python27-libs-2.7.9-4.114.amzn1.i686
    python27-test-2.7.9-4.114.amzn1.i686

src:
    python27-2.7.9-4.114.amzn1.src

x86_64:
    python27-2.7.9-4.114.amzn1.x86_64
    python27-libs-2.7.9-4.114.amzn1.x86_64
    python27-tools-2.7.9-4.114.amzn1.x86_64
    python27-devel-2.7.9-4.114.amzn1.x86_64
    python27-test-2.7.9-4.114.amzn1.x86_64
    python27-debuginfo-2.7.9-4.114.amzn1.x86_64