Bug 680094 (CVE-2011-1015) - CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure
Summary: CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure
Status: CLOSED ERRATA
Alias: CVE-2011-1015
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20080307,reported=20110218,sou...
Keywords: Security
Depends On: 680095 693954 693955 693956 693960 693961
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-24 10:46 UTC by Jan Lieskovsky
Modified: 2011-05-19 13:44 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-05-19 13:44:09 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0491 normal SHIPPED_LIVE Moderate: python security update 2011-05-05 18:56:24 UTC
Red Hat Product Errata RHSA-2011:0492 normal SHIPPED_LIVE Moderate: python security update 2011-05-05 18:20:30 UTC
Red Hat Product Errata RHSA-2011:0554 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2011-05-19 11:35:29 UTC

Description Jan Lieskovsky 2011-02-24 10:46:51 UTC
An information disclosure flaw was found in the way Python
CGI-savvy HTTP Server module processed HTTP GET requests
with relative path in the URI (relevant CGI scripts were
not executed, but rather their content displayed). A remote
attacker could use this flaw to obtain sensitive information.

Upstream bug report:
[1] http://bugs.python.org/issue2254

Related patch:
[2] http://svn.python.org/view?view=revision&revision=71303

Comment 1 Jan Lieskovsky 2011-02-24 10:48:23 UTC
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/02/23/27

Comment 2 Jan Lieskovsky 2011-02-24 10:51:08 UTC
Created python tracking bugs for this issue

Affects: fedora-13 [bug 680095]

Comment 3 Jan Lieskovsky 2011-02-24 10:53:21 UTC
This issue affects the versions of the python package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the version of the python package, as shipped
with Fedora release of 13.

This issue does NOT affect the version of the python package, as
shipped with Fedora release of 14 (particular version already contains
the fix for this issue).

Comment 4 Jan Lieskovsky 2011-02-24 10:55:18 UTC
Note related to backporting of particular upstream patch:
(from http://bugs.python.org/issue2254#msg85614):
=================================================

Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.

If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.

Closing.

Comment 7 Vincent Danen 2011-02-25 22:24:40 UTC
This issue has been assigned the name CVE-2011-1015:

http://www.openwall.com/lists/oss-security/2011/02/24/10

Comment 9 Huzaifa S. Sidhpurwala 2011-04-05 06:23:08 UTC
Regarding comment #4, this is only a demo class shipped with python, and we are fixing this, because there are other security issues to be fixed, so i dont see any issues even if the API changes slightly,

@David,
do you agree with this?

Comment 16 errata-xmlrpc 2011-05-05 18:20:50 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html

Comment 17 errata-xmlrpc 2011-05-05 18:56:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html

Comment 18 errata-xmlrpc 2011-05-19 11:35:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0554 https://rhn.redhat.com/errata/RHSA-2011-0554.html


Note You need to log in before you can comment on or make changes to this bug.