A race condition was found in the way Python's SMTP proxy module (smtpd.py) retrieved the remote IP address the socket was connected to (the other end could close the connection before the requester could get the peername). A remote, unauthenticated user could use this flaw to cause the running Python SMTP instance to terminate with an uncaught exception by issuing a sequence of connection requests within a short time interval.

References:
[1] http://bugs.python.org/issue9129

Upstream patch:
[2] http://svn.python.org/view?view=rev&revision=84289
Public issue proof of concept (from [1]):
=========================================
1, In one shell run: "python -m smtpd -n"
2, In another one run: "for i in {1..1000};do nmap -sT -p 8025 localhost;done"
This issue affects the versions of the python package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.
--
This issue affects the versions of the python package, as shipped with Fedora releases 12 and 13.
CVE Request: [1] http://www.openwall.com/lists/oss-security/2010/09/09/6
Upstream has fixed this in just the SMTP module: http://svn.python.org/view?rev=87123&view=rev It seems there isn't a nice way to fix this everywhere.
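The failure mode described in this report, next to a guarded form of the same call, as an added example (not the upstream patch and not code from this bug). The function names are hypothetical, and a never-connected socket is used as a constructed stand-in for a client that disconnected before getpeername() ran.

```python
import errno
import socket


def peer_unchecked(conn):
    """Pre-fix pattern: any OSError from getpeername() reaches the caller."""
    return conn.getpeername()


def peer_checked(conn):
    """Return the peer address, or None if the peer is already gone."""
    try:
        return conn.getpeername()
    except OSError as err:
        conn.close()
        if err.errno != errno.ENOTCONN:
            raise  # unrelated failure: do not hide it
        return None  # early disconnect: drop this connection, keep serving


def accept_one(listener, get_peer):
    """Accept one connection and resolve its peer with the given strategy."""
    conn, _ = listener.accept()
    peer = get_peer(conn)
    if peer is not None:
        conn.close()
    return peer


def demo():
    results = {}
    # Constructed input 1: never-connected socket (stand-in for a vanished peer).
    results["gone_checked"] = peer_checked(socket.socket())
    gone = socket.socket()
    try:
        peer_unchecked(gone)
        results["gone_unchecked"] = "no error"
    except OSError as err:
        results["gone_unchecked"] = errno.errorcode[err.errno]
    finally:
        gone.close()
    # Constructed input 2: a loopback client that is still connected.
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        with socket.create_connection(listener.getsockname()) as client:
            peer = accept_one(listener, peer_checked)
            results["live_matches"] = peer == client.getsockname()
    return results
```

In an asyncore-style server the unchecked form runs inside the accept path, so the exception is what stops the process; the checked form only discards the one connection.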
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0554 https://rhn.redhat.com/errata/RHSA-2011-0554.html