Multiple denial of service flaws were reported against various parts of Python's stdlib: * httplib [1] (fixed in 2.7.4 [2], 2.6.9 [3], and 3.3.3 [4]) * ftplib [5] (fixed in 2.7.6 [6], 2.6.9 [7], 3.3.3 [8]) * imaplib [9] (not yet fixed in 2.7.x, fixed in 2.6.9 [10], 3.3.3 [11]) * nntplib [12] (fixed in 2.7.6 [13], 2.6.9 [14], 3.3.3 [15]) * poplib [16] (not yet fixed in 2.7.x, fixed in 2.6.9 [17], 3.3.3 [18]) * smtplib [19] (not yet fixed in 2.7.x, fixed in 2.6.9 [20], not yet fixed in 3.3.x) Unfortunately, upstream assigned a single CVE to all of these, however I do not believe they can all use the same CVE due to them being fixed across so many different versions (2.6.9, 2.7.4, 2.7.6, 3.3.3, as well as future 2.7.x and 3.3.x versions). So this will likely require MITRE to detangle. [1] http://bugs.python.org/issue16037 [2] http://hg.python.org/cpython/rev/8a22a2804a66/ [3] http://hg.python.org/cpython/rev/582e5072ff89 [4] http://hg.python.org/cpython/rev/e445d02e5306/ [5] http://bugs.python.org/issue16038 [6] http://hg.python.org/cpython/rev/44ac81e6d584/ [7] http://hg.python.org/cpython/rev/8b19e7d0be45/ [8] http://hg.python.org/cpython/rev/38db4d0726bd/ [9] http://bugs.python.org/issue16039 [10] http://hg.python.org/cpython/rev/4190568ceda0/ [11] http://hg.python.org/cpython/rev/4b0364fc5711/ [12] http://bugs.python.org/issue16040 [13] http://hg.python.org/cpython/rev/36680a7c0e22/ [14] http://hg.python.org/cpython/rev/731abf7834c4/ [15] http://hg.python.org/cpython/rev/fc88bd80d925/ [16] http://bugs.python.org/issue16041 [17] http://hg.python.org/cpython/rev/7214e3324a45/ [18] http://hg.python.org/cpython/rev/68029048c9c6/ [19] http://bugs.python.org/issue16042 [20] http://hg.python.org/cpython/rev/8a6def3add5b/
* httplib There are actually two separate issues for httplib under this CVE. The first issue was originally reported in the following upstream bug: http://bugs.python.org/issue6791 This bug covers use of readline() without size limit, which can lead to excessive memory usage if a malicious or broken HTTP server sends excessively long lines without any line breaks. Issue was addressed upstream in the following commit: https://hg.python.org/cpython/rev/0b94635ed2f6 and backported to 2.7 and 3.1 branches: 2.7 https://hg.python.org/cpython/rev/965314f12f71 3.1 https://hg.python.org/cpython/rev/3c182f71d4c9 This fix was never backported to 2.6 branch upstream. Mentioned backports to 2.7 and 3.1 missed one readline() call in _read_status(). This is one of the problems covered by the upstream bug: http://bugs.python.org/issue16037 The missed call was corrected in 2.7 branch in the following commit: 2.7 https://hg.python.org/cpython/rev/8a22a2804a66 The second issue in the upstream issue16037 is the lack of restriction on the number of HTTP headers server can send. This issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3 branches: 2.6 https://hg.python.org/cpython/rev/582e5072ff89 2.7 https://hg.python.org/cpython/rev/5e310c6a8520 3.3 https://hg.python.org/cpython/rev/e445d02e5306 Patches limit the number of headers to 100. Exception is raised if server sends more headers.
* ftplib Upstream bug is: http://bugs.python.org/issue16038 This issue is similar to the unlimited readline() use in httplib, as described in comment 1. Issue was fixed upstream in 2.6, 2.7, 3.2 and 3.3. 2.6 https://hg.python.org/cpython/rev/8b19e7d0be45 2.7 https://hg.python.org/cpython/rev/44ac81e6d584 3.3 https://hg.python.org/cpython/rev/38db4d0726bd
* imaplib Upstream bug is: http://bugs.python.org/issue16039 Another case of unlimited readline(), imaplib in this case. Fixed upstream in 2.6, 2.7, 3.2 and 3.3: 2.6 https://hg.python.org/cpython/rev/4190568ceda0 2.7 https://hg.python.org/cpython/rev/dd906f4ab923 3.3 https://hg.python.org/cpython/rev/4b0364fc5711
* nntplib Upstream bug is: http://bugs.python.org/issue16040 Another unlimited readline(), fixed upstream in 2.6, 2.7, 3.2 and 3.3: 2.6 https://hg.python.org/cpython/rev/731abf7834c4 2.7 https://hg.python.org/cpython/rev/36680a7c0e22 3.3 https://hg.python.org/cpython/rev/fc88bd80d925
* poplib Upstream bug is: http://bugs.python.org/issue16041 Another unlimited readline(). Fixed upstream in 2.6, 3.2 and 3.3. 2.7 is still unfixed upstream. 2.6 https://hg.python.org/cpython/rev/7214e3324a45 3.3 https://hg.python.org/cpython/rev/68029048c9c6
* smtplib Upstream bug is: http://bugs.python.org/issue16042 Similar to the poplib, this was fixed upstream in 2.6, 3.2 and 3.3, but remains unfixed in 2.7 to date. 2.6 https://hg.python.org/cpython/rev/8a6def3add5b 3.3 https://hg.python.org/cpython/rev/d62a67318023
All issues are listed as fixed in python 2.6.9. However, as noted in comment 1, httplib unlimited readline() was never fixed in 2.6. https://www.python.org/download/releases/2.6.9/ Status for the 2.7 upstream is: - 2.7.4 - fixed httplib _read_status() readline - 2.7.6 - ftplib and nntplib - 2.7.7 - imaplib - upcoming 2.7.9 - should add httplib header limit - poplib and smtplib are unfixed in 2.7 branch in upstream mercurial Status for 3.3 is: - 3.3.3 - httplib header limit, ftplib, imaplib, nntplib, poplib - 3.3.4 - smtplib 3.2 has all fixes applied in upstream version 3.2.6.
Fedora status: - python - using 2.7.5, hence affected by most issues - python/rawhide - using 2.7.8, missing httplib, poplib and smtplib - python3 - using 3.3.2, hence affected by most issues - python3/rawhide - using 3.4.1, all issues fixed
Affected modules are also part of Jython standard library. Looking at the upstream repositories, only httplib readline issue is fixed in upcoming 2.7 version. No issue is fixed in 2.2 or 2.5 branches.
Created python tracking bugs for this issue: Affects: fedora-all [bug 1159200]
Created jython tracking bugs for this issue: Affects: fedora-all [bug 1159201] Affects: epel-7 [bug 1159202] Affects: epel-5 [bug 1159203]
Statement: Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/
Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1168230]
Created python26 tracking bugs for this issue: Affects: epel-5 [bug 1168231]
python-2.7.8-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
jnr-posix-3.0.9-3.fc22, jline-2.12.1-1.fc22, jython-2.7-0.7.rc2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
python-2.7.5-16.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2015:1064 https://rhn.redhat.com/errata/RHSA-2015-1064.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1330 https://rhn.redhat.com/errata/RHSA-2015-1330.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2101 https://rhn.redhat.com/errata/RHSA-2015-2101.html