8.160. python
Updated python packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Python is an interpreted, interactive, object-oriented programming language.
Security Fix
- CVE-2013-4238
- A flaw was found in the way the Python SSL module handled X.509 certificate fields that contain a NULL byte. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts.
Bug Fixes
- BZ#521898
- Previously, several Python executables from the python-tools subpackage started with the #!/usr/bin/env python shebang. This made it harder to install and use alternative Python versions. With this update, the first line of these executables has been replaced with #!/usr/bin/python, which explicitly refers to the system version of Python. As a result, a user-preferred version of Python can now be used without complications.
- BZ#841937
- Prior to this update, the sqlite3.Cursor.lastrowid object did not accept an insert statement specified in the Turkish locale. Consequently, when installing Red Hat Enterprise Linux 6 with the graphical installer, selecting "Turkish" as the install language led to an installation failure. With this update, sqlite3.Cursor.lastrowid has been fixed and installation no longer fails under the Turkish locale.
- BZ#845802
- Previously, the SysLogHandler class inserted a UTF-8 byte order mark (BOM) into log messages. Consequently, these messages were evaluated as having the emergency priority level and were logged to all user consoles. With this update, SysLogHandler no longer appends a BOM to log messages, and messages are now assigned correct priority levels.
- BZ#893034
- Previously, the random.py script failed to import the random module when the /dev/urandom file did not exist on the system. This led subsequent programs, such as Yum, to terminate unexpectedly. This bug has been fixed, and random.py now works as expected even without /dev/urandom.
- BZ#919163
- The WatchedFileHandler class was sensitive to a race condition, which led to occasional errors. Consequently, rotating to a new log file failed. WatchedFileHandler has been fixed and log rotation now works as expected.
- BZ#928390
- Prior to this update, Python did not read Subject Alternative Names from certain Secure Sockets Layer (SSL) certificates. Consequently, a false authentication failure could have occurred when checking the certificate host name. This update fixes the handling of Subject Alternative Names, and false authentication errors no longer occur.
- BZ#948025
- Previously, the SocketServer module did not handle system call interruption properly. This caused certain HTTP servers to terminate unexpectedly. With this update, SocketServer has been modified to handle the interruption, and servers no longer crash in the aforementioned scenario.
- BZ#958868
- Passing the timeout=None argument to the subprocess.Popen() function caused the upstream version of the Eventlet library to terminate unexpectedly. This bug has been fixed, and Eventlet no longer fails in the described case.
- BZ#960168
- When a connection incoming to a server with an enabled SSLSocket class failed to pass the automatic do_handshake() function, the connection remained open. This problem affected only Python 2 versions. The underlying source code has been fixed, and the failed incoming connection is now closed properly.
- BZ#962779
- In cases when multiple libexpat.so libraries were available, Python failed to choose the correct one. This update adds an explicit RPATH to _elementtree.so, thus fixing this bug.
- BZ#978129
- Previously, the urlparse module did not parse the query and fragment parts of URLs properly for arbitrary XML schemes. With this update, urlparse has been fixed and correct parsing is now assured in this scenario.
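As an added example that is not part of this advisory, the following Python 3 code shows a defender-side check for the certificate identity handling covered by CVE-2013-4238 and BZ#928390: it rejects any certificate whose commonName or Subject Alternative Name entries contain a NUL byte, and otherwise matches the host name against the DNS SAN entries first, falling back to the commonName. The certificate dictionaries, the helper names and c_string_view() are constructed for illustration and assume the dictionary layout returned by ssl.SSLSocket.getpeercert().

```python
# Certificate dictionaries in the layout that ssl.SSLSocket.getpeercert()
# returns. Both are constructed for this example; they are not real certs.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
# Identity fields with an embedded NUL byte. A C-string comparison would stop
# at the NUL and see only "www.example.com", the kind of mismatch that the
# CVE-2013-4238 fix in the Python SSL module removed.
NUL_CERT = {
    "subject": ((("commonName", "www.example.com\x00.evil.example"),),),
    "subjectAltName": (("DNS", "www.example.com\x00.evil.example"),),
}

def c_string_view(value):
    """What a NUL-terminated C string comparison would see for this field."""
    return value.split("\x00", 1)[0]

def common_names(cert):
    """All commonName values in the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def san_dns_names(cert):
    """All DNS entries of the Subject Alternative Name extension."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def has_nul_byte(cert):
    """True if any identity field embeds a NUL byte; such certs are rejected."""
    return any("\x00" in n for n in common_names(cert) + san_dns_names(cert))

def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def verify_hostname(cert, hostname):
    """Reject NUL-bearing certs, then check the SAN entries, else the CN."""
    if has_nul_byte(cert):
        return False
    # BZ#928390: SAN entries must be consulted when present; CN is a fallback.
    names = san_dns_names(cert) or common_names(cert)
    return any(name_matches(n, hostname) for n in names)
```

The c_string_view() helper only illustrates why a length-unaware comparison is unsafe; the check itself never uses the truncated value.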
Enhancement
- BZ#929258
- This update adds the collections.OrderedDict data structure to the collections package. collections.OrderedDict is used in application code to ensure that in-memory Python dictionaries are emitted in the same order when converted to a string by the json.dumps routine.
All python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.