Common Vulnerabilities and Exposures assigned an identifier CVE-2012-2639 to the following vulnerability:

The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.

References:
[1] http://bugs.python.org/issue11442
[2] http://jvn.jp/en/jp/JVN51176027/index.html
[3] http://jvndb.jvn.jp/jvndb/JVNDB-2012-000063

Relevant upstream patch:
[4] http://hg.python.org/cpython/rev/e9724d7abbc2
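As an added example (not code from the bug report, the Python project or the upstream patch), a small Python 3 check for the header defect described above: it parses Content-Type values, flags text/* responses that lack a recognised charset parameter, and builds the corrected header in the shape the fix uses. The sample responses are constructed.

```python
"""Check Content-Type headers for the charset parameter the CVE concerns. Added
example, not from the bug report, the Python project or the upstream patch."""
import codecs
from email.message import Message

def parse_content_type(value):
    """Return (media_type, charset) from a Content-Type value, charset None if
    absent; e.g. 'TEXT/HTML; Charset="UTF-8"' -> ('text/html', 'utf-8')."""
    msg = Message()  # the stdlib parser handles case, quoting, extra params
    msg["Content-Type"] = value
    return msg.get_content_type(), msg.get_content_charset()

def charset_problem(value):
    """Describe what is wrong with a text/* Content-Type, or return None.
    Without a recognised charset the browser guesses the encoding (sniffing)."""
    media_type, charset = parse_content_type(value)
    if not media_type.startswith("text/"):
        return None  # a charset is meaningless for binary types
    if charset is None:
        return "missing charset parameter"
    try:
        codecs.lookup(charset)
    except LookupError:
        return "unknown charset %r" % charset
    return None

def hardened_content_type(media_type, encoding):
    """Build the header the fixed list_directory sends: type plus charset.
    The encoding name is validated so a typo cannot ship as an unknown charset."""
    codecs.lookup(encoding)  # raises LookupError for a bogus name
    return "%s; charset=%s" % (media_type, encoding)

def audit_responses(responses):
    """Return [(path, problem)] for the given (path, content_type) pairs."""
    findings = []
    for path, content_type in responses:
        problem = charset_problem(content_type)
        if problem:
            findings.append((path, problem))
    return findings

# Constructed sample: "/" is the header unpatched SimpleHTTPServer sent for a
# directory listing; "/notes.txt" carries a deliberately bogus charset name.
SAMPLE = [
    ("/", "text/html"),
    ("/docs/", "text/html; charset=utf-8"),
    ("/logo.png", "image/png"),
    ("/notes.txt", 'TEXT/PLAIN; Charset="no-such-charset"'),
]
```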
This issue did NOT affect the version of the python package, as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the version of the python package, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the python package, as shipped with Fedora release of 16 and 17.

This issue did NOT affect the version of the python26 package, as shipped with Fedora EPEL 5.

This issue did NOT affect the versions of the python3 package, as shipped with Fedora release of 16 and 17.
This is a duplicate of CVE-2011-4940, described in bug #803500, and seems to be addressed already: https://rhn.redhat.com/errata/RHSA-2012-0744.html (I cannot access the possible rhel6 security bug, which this depends on.)
(In reply to comment #2)
> This is a duplicate of CVE-2011-4940, described in bug #803500

Thanks Thomas, you are right (I had an impression I had seen this somewhere already). Will request CVE-2012-2639 id rejection then.

> and seems to
> be addressed already:
> https://rhn.redhat.com/errata/RHSA-2012-0744.html
>
> (I cannot access the possible rhel6 security bug, which this depends on.)

And due to the corrected RHEL-6 packages, you were correct too. I had checked python-2.6.5-3.el6_0.2 before, which doesn't contain the fix yet, but obviously those from RHSA-2012-0744 (python-2.6.6-29.el6_2.2) contain it already.
*** This bug has been marked as a duplicate of bug 803500 ***