8.160. python

Security Fix

CVE-2013-4238

A flaw was found in the way the Python SSL module handled X.509 certificate fields that contain a NULL byte. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts.

Bug Fixes

BZ#521898

Previously, several Python executables from the python-tools subpackage started with the #!/usr/bin/env python shebang. This made it harder to install and use alternative Python versions. With this update, the first line of these executables has been replaced with #!/usr/bin/python that explicitly refers to the system version of Python. As a result, a user-preferred version of Python can now be used without complications

BZ#841937

Prior to this update, the sqlite3.Cursor.lastrowid object did not accept an insert statement specified in the Turkish locale. Consequently, when installing Red Hat Enterprise Linux 6 with the graphical installer, selecting "Turkish" as the install language led to an installation failure. With this update, sqlite3.Cursor.lastrowid has been fixed and installation no longer fails under the Turkish locale.

BZ#845802

Previously, the SysLogHandler class inserted a UTF-8 byte order mark (BOM) into log messages. Consequently, these messages were evaluated as having the emergency priority level and were logged to all user consoles. With this update, SysLogHandler no longer appends a BOM to log messages, and messages are now assigned correct priority levels.

BZ#893034

Previously, the random.py script failed to import the random module when the /dev/urandom file did not exist on the system. This led subsequent programs, such as Yum, to terminate unexpectedly. This bug has been fixed, and random.py now works as expected even without /dev/urandom.

BZ#919163

The WatchedFileHandler class was sensitive to a race condition, which led to occasional errors. Consequently, rotating to a new log file failed. WatchedFileHandler has been fixed and the log rotation now works as expected.

BZ#928390

Prior to this update, Python did not read Alternative Subject Names from certain Secure Sockets Layer (SSL) certificates. Consequently, a false authentication failure could have occurred when checking the certificate host name. This update fixes the handling of Alternative Subject Names and false authentication errors no longer occur.

BZ#948025

Previously, the SocketServer module did not handle the system call interruption properly. This caused certain HTTP servers to terminate unexpectedly. With this update, SocketServer has been modified to handle the interruption and servers no longer crash in the aforementioned scenario.

BZ#958868

Passing the timeout=None argument to the subprocess.Popen() function caused the upstream version of the Eventlet library to terminate unexpectedly. This bug has been fixed and Eventlet no longer fails in the described case.

BZ#960168

When a connection incoming to a server with an enabled SSLSocket class failed to pass the automatic do_handshake() function, the connection remained open. This problem affected only Python 2 versions. The underlying source code has been fixed and the failed incoming connection is now closed properly.

BZ#962779

In cases when multiple libexpat.so libraries were available, Python failed to choose the correct one. This update adds an explicit RPATH to the _elementtree.so, thus fixing this bug.

BZ#978129

Previously, the urlparse module did not parse the query and fragment parts of URLs properly for arbitrary XML schemes. With this update, urlparse has been fixed and correct parsing is now assured in this scenario.

Enhancement

BZ#929258

This update adds the collections.OrderedDict data structure to the collections package. collections.OrderedDict is used in application code to ensure that the in-memory python dictionaries are emitted in the same order when converted to a string by the json.dumps routines.