openSUSE-SU-2010:0247-1 (moderate): python: denial of service by processing malformed XML ("Expat vulnerability")
   openSUSE Security Update: python: denial of service by processing malformed XML ("Expat vulnerability")
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0247-1
Rating:             moderate
References:         #581765
Cross-References:   CVE-2009-2625 CVE-2009-3560 CVE-2009-3720
Affected Products:
                    openSUSE 11.2
                    openSUSE 11.1
                    openSUSE 11.0
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update of python has a copy of libxmlrpc that is vulnerable to
   denial of service bugs that can occur while processing malformed XML
   input.

   CVE-2009-2625: CVSS v2 Base Score: 5.0 (moderate)
   (AV:N/AC:L/Au:N/C:N/I:N/A:P): Permissions, Privileges, and Access
   Control (CWE-264)

   CVE-2009-3720: CVSS v2 Base Score: 5.0 (MEDIUM)
   (AV:N/AC:L/Au:N/C:N/I:N/A:P): Insufficient Information (CWE-noinfo)

   CVE-2009-3560: CVSS v2 Base Score: 5.0 (MEDIUM)
   (AV:N/AC:L/Au:N/C:N/I:N/A:P): Buffer Errors (CWE-119)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.2:

      zypper in -t patch libpython2_6-1_0-2213

   - openSUSE 11.1:

      zypper in -t patch libpython2_6-1_0-2213

   - openSUSE 11.0:

      zypper in -t patch libpython2_6-1_0-2213

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.2 (i586 src x86_64):

      python-2.6.2-6.4.1
      python-base-2.6.2-6.4.1

   - openSUSE 11.2 (i586 x86_64):

      libpython2_6-1_0-2.6.2-6.4.1
      python-curses-2.6.2-6.4.1
      python-demo-2.6.2-6.4.1
      python-devel-2.6.2-6.4.1
      python-gdbm-2.6.2-6.4.1
      python-idle-2.6.2-6.4.1
      python-tk-2.6.2-6.4.1
      python-xml-2.6.2-6.4.1

   - openSUSE 11.2 (x86_64):

      libpython2_6-1_0-32bit-2.6.2-6.4.1
      python-32bit-2.6.2-6.4.1
      python-base-32bit-2.6.2-6.4.1

   - openSUSE 11.1 (i586 ppc src x86_64):

      python-2.6.0-2.23.1
      python-base-2.6.0-2.22.23.1

   - openSUSE 11.1 (i586 ppc x86_64):

      libpython2_6-1_0-2.6.0-2.22.23.1
      python-curses-2.6.0-2.23.1
      python-demo-2.6.0-2.23.1
      python-devel-2.6.0-2.22.23.1
      python-gdbm-2.6.0-2.23.1
      python-idle-2.6.0-2.23.1
      python-tk-2.6.0-2.23.1
      python-xml-2.6.0-2.22.23.1

   - openSUSE 11.1 (x86_64):

      libpython2_6-1_0-32bit-2.6.0-2.22.23.1
      python-32bit-2.6.0-2.23.1
      python-base-32bit-2.6.0-2.22.23.1

   - openSUSE 11.1 (ppc):

      libpython2_6-1_0-64bit-2.6.0-2.22.23.1
      python-64bit-2.6.0-2.23.1
      python-base-64bit-2.6.0-2.22.23.1

   - openSUSE 11.0 (i586 ppc src x86_64):

      python-2.5.2-26.6

   - openSUSE 11.0 (i586 ppc x86_64):

      python-curses-2.5.2-26.6
      python-demo-2.5.2-26.6
      python-devel-2.5.2-26.6
      python-gdbm-2.5.2-26.6
      python-idle-2.5.2-26.6
      python-tk-2.5.2-26.6
      python-xml-2.5.2-26.6

   - openSUSE 11.0 (x86_64):

      python-32bit-2.5.2-26.6

   - openSUSE 11.0 (ppc):

      python-64bit-2.5.2-26.6

References:

   http://support.novell.com/security/cve/CVE-2009-2625.html
   http://support.novell.com/security/cve/CVE-2009-3560.html
   http://support.novell.com/security/cve/CVE-2009-3720.html
   https://bugzilla.novell.com/581765
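
Added example (not part of the original announcement): a shell check that compares an installed-package inventory against the fixed version-release strings from the package list above, to confirm the update landed on a host. The function names, the choice of one marker package per product, and the sample inventory lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fixed version-release of one marker package per product,
# copied from the advisory's package list.
fixed_version() {
    case "$1" in
        11.2) echo "python-base 2.6.2-6.4.1" ;;
        11.1) echo "python-base 2.6.0-2.22.23.1" ;;
        11.0) echo "python 2.5.2-26.6" ;;
        *)    return 1 ;;
    esac
}

# True when $1 >= $2 under GNU "sort -V" ordering. Assumption: this
# approximates rpm's own version comparison, which holds for the purely
# numeric version-release strings used here.
version_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_host PRODUCT: reads "NAME VERSION-RELEASE" lines on stdin, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# and prints PATCHED, VULNERABLE, NOT-INSTALLED or UNKNOWN-PRODUCT.
check_host() {
    want=$(fixed_version "$1") || { echo "UNKNOWN-PRODUCT"; return 2; }
    pkg=${want% *}
    fixed=${want#* }
    while read -r name ver; do
        [ "$name" = "$pkg" ] || continue
        if version_ge "$ver" "$fixed"; then echo "PATCHED"; else echo "VULNERABLE"; fi
        return 0
    done
    echo "NOT-INSTALLED"
}

# Constructed inventories (not real host data): one pre-update, one updated.
printf 'zypper 1.2.8-2.1\npython-base 2.6.2-6.3.1\n' | check_host 11.2
printf 'python-base 2.6.0-2.22.23.1\n' | check_host 11.1
```

Because python is updated as a set of packages, a host reported as PATCHED for the marker package should still be checked with "zypper patch" to confirm no related package was left behind.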