Python Fixes Security Holes

Friday, July 11, 2014 @ 11:07 AM gHale


Security fixes are among the main changes in the latest version of the Python programming language, 2.7.8, released by the Python Software Foundation.

The developers said the OpenSSL library bundled with the Windows installer has been updated to version 1.0.1h, which addresses the ChangeCipherSpec (CCS) injection vulnerability that could allow a man-in-the-middle (MitM) attacker to decrypt or tamper with an encrypted connection. Only the Windows installer ships its own OpenSSL; on other platforms Python links against the system's OpenSSL, which has to be patched separately.


Another issue fixed in Python 2.7.8 is a possible buffer overflow that could allow out-of-bounds memory reads. The flaw, reported on June 24, was catalogued as a “release blocker,” the priority assigned to bugs that “stop the release dead in its tracks.”

Additionally, a vulnerability in the CGIHTTPServer module has been patched. An attacker could leverage the bug, rated as “critical,” to read a CGI script's source or to execute arbitrary scripts in the server's document root.

“The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script’s source code or execute arbitrary scripts in the server’s document root,” said the bug report for the flaw.
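The following is an added illustration, not code from the article or from the Python project: a simplified model of the routing decision in CGIHTTPServer (http.server.CGIHTTPRequestHandler in Python 3). The server collapses the URL path, splits off the first directory component and compares it against its CGI directories. The vulnerable ordering does this on the still percent-encoded path, so a %2f is not treated as a separator at check time but is decoded later when the file is located on disk; the corrected ordering decodes before splitting, which is what the 2.7.8 change does. The helper names, the two request paths and the docroot-relative targets are constructed for this example; the real handler also raises on excess `..` components and actually runs the script, both of which are left out here.

```python
"""Model of the CGIHTTPServer path check before and after Python 2.7.8.

Added, simplified example: this is not the stdlib code. It keeps only the
routing step that matters for the reported flaw.
"""
from urllib.parse import unquote

CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]  # the stdlib defaults


def collapse_path(path, unquote_first):
    """Normalise a URL path: drop the query string, resolve '.' and '..'.

    unquote_first=True models the 2.7.8 fix (decode %XX before splitting);
    False models the older behaviour, where '%2f' is never seen as '/'.
    """
    path, _, _query = path.partition("?")
    if unquote_first:
        path = unquote(path)
    parts = [p for p in path.split("/") if p and p != "."]
    out = []
    for part in parts:
        if part == "..":
            if out:            # the real code raises IndexError here
                out.pop()
        else:
            out.append(part)
    return "/" + "/".join(out)


def is_cgi(path, unquote_first):
    """Return (head, tail) when the first component is a CGI directory,
    else None. Same shape as CGIHTTPRequestHandler.is_cgi()."""
    collapsed = collapse_path(path, unquote_first)
    sep = collapsed.find("/", 1)
    if sep == -1:
        head, tail = collapsed, ""
    else:
        head, tail = collapsed[:sep], collapsed[sep + 1:]
    if head in CGI_DIRECTORIES:
        return head, tail
    return None


def classify(path, unquote_first):
    """Decide what the server would do with a request path.

    'cgi:<docroot-relative script>'  : execute the file as a CGI script
    'static:<docroot-relative file>' : send the file bytes as-is (source
                                       disclosure if it is really a script)
    The on-disk lookup always decodes, as translate_path() does, so any
    %2f that survived the check becomes a real directory separator here.
    """
    hit = is_cgi(path, unquote_first)
    if hit is None:
        return "static:" + collapse_path(path, True).lstrip("/")
    head, tail = hit
    script = tail.split("/", 1)[0]       # run_cgi() takes the first tail part
    target = collapse_path(head + "/" + script, True).lstrip("/")
    return "cgi:" + target


if __name__ == "__main__":
    # Constructed request paths: a normal one and the two encoded variants.
    requests = [
        "/cgi-bin/hello.py",        # legitimate CGI request
        "/cgi-bin%2fhello.py",      # encoded separator: source disclosure
        "/cgi-bin/..%2fsecret.py",  # encoded traversal: runs a docroot file
    ]
    for req in requests:
        print(f"{req:28} old: {classify(req, False):24} "
              f"fixed: {classify(req, True)}")
```

Run stand-alone, the table shows the old ordering serving cgi-bin/hello.py as a static file (its source leaks) and executing secret.py from the document root, while the decode-first ordering routes the first request to the CGI handler and treats the second like any other non-CGI file. The general lesson is the usual canonicalisation rule: every security check must run on the same representation that the later file-system lookup uses.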

Additional details are available in the release notes.


