FTP Handling Vulnerabilities Disclosed in Java and Python

Last month security researchers Alexander Klink and Blindspot Security researcher Timothy Morgan publicly disclosed information disclosure and low-privilege code execution vulnerabilities affecting Oracle Java and Oracle Java/Python respectively. Alexander Klink’s vulnerability relates to XXE (XML External Entity) processing: a specifically crafted XML file leads to information disclosure. Timothy Morgan’s vulnerabilities involve inserting Carriage Return (CR) and Line Feed (LF) characters into the data that the FTP handling code within Java and Python writes to the TCP stream (a structured sequence of data). The researchers notified the affected vendors over a year ago but the vendors have not addressed these issues. Timothy Morgan’s vulnerability also causes firewalls to temporarily open a port to allow an FTP connection.

How can I protect myself from these vulnerabilities?
Fortunately exploitation of these vulnerabilities is not trivial, since the first FTP vulnerability requires an attacker to have already compromised an organization’s internal email server. The second vulnerability requires an attacker to know the victim’s internal IP address and for the FTP packets to be in alignment.

System administrators responsible for network infrastructure should monitor communications to email servers for suspicious activity and ensure internal computer systems are not accessible from the external internet (for example using Shodan). Apply vendor software updates when made available for these issues. The blog posts from the researchers here and here provide further detailed recommendations to mitigate these vulnerabilities.
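Since the FTP vulnerabilities above rely on a CR or LF reaching the FTP control channel, one defensive check an application can apply before handing an ftp:// URL to Python’s urllib is to reject any URL whose user name, password or path carries such a character, literally or percent-encoded. The following is an added example written for this post; it is not the researchers’ code nor the upstream Java/Python fix, and the sample URLs are constructed.

```python
import urllib.parse

# A CR or LF inside an FTP command line ends that command and lets whatever
# follows be read by the server as a new command. Any ftp:// URL component
# that the client copies into the control channel must therefore be free of
# them. (Added defensive check; not the upstream Java/Python fix.)
_LINE_BREAKS = ("\r", "\n")


def ftp_url_is_safe(url: str) -> bool:
    """Return True only for an ftp:// URL whose user name, password and path
    contain no CR/LF, neither literally nor percent-encoded (%0D / %0A)."""
    # 1. Raw check first: newer urllib.parse versions silently strip ASCII
    #    newlines before splitting, which would hide a literal line break.
    if any(ch in url for ch in _LINE_BREAKS):
        return False
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return False
    # 2. Percent-decode the components an FTP client sends on the wire
    #    (USER, PASS, CWD/RETR arguments); %0D%0A becomes a real CR LF only
    #    after unquoting, so the check has to run on the decoded value.
    for field in (parts.username, parts.password, parts.path):
        decoded = urllib.parse.unquote(field or "")
        if any(ch in decoded for ch in _LINE_BREAKS):
            return False
    return True


# Constructed sample URLs (not from the disclosures): the second carries a
# percent-encoded line break in the user name, the third a literal one in
# the path, and the fourth is simply not an FTP URL.
SAMPLES = {
    "ftp://user:pass@ftp.example.com/pub/file.txt": True,
    "ftp://user%0D%0Ax@ftp.example.com/pub/file.txt": False,
    "ftp://ftp.example.com/pub/dir\nfile.txt": False,
    "http://www.example.com/": False,
}


def check_samples() -> dict:
    """Map each constructed sample URL to the verdict of ftp_url_is_safe."""
    return {u: ftp_url_is_safe(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print("allow " if verdict else "reject", repr(url))
```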

Thank you.

Python 3.4.4 Released

Early this week the Python Foundation followed up its previous release earlier this month with version 3.4.4.

=======================

The noteworthy changes in this update are as follows; they resolve the issues listed below:

  • 8x buffer overreads
  • 1x buffer overrun (essentially an overflow, defined)
  • 1x issue reading from a buffer
  • 1x integer overflow (defined)
  • Multiple integer overflows (no exact number given) resolved within the pickle module
  • 1x integer out of bounds issue
  • 1x overflow in _Unpickler_Read
  • Overflows fixed in timedelta * float, the unicodedata module and the Windows subprocess creation code
  • 3x use after free issues (defined)
  • 1x arbitrary code execution vulnerability in the dbm.dumb module
  • OpenSSL upgraded from 1.0.1j to 1.0.2d (for Windows) and to version 1.0.2e for Mac OS X, which resolves 24 CVEs (defined) (see here and here for the CVE references provided by OpenSSL)

=======================
The full changelog is available from this link.

As was the case with the previous updates, the buffer overreads, integer overflows, use-after-free issues etc. have not been assigned CVE numbers and are not explicitly reported as security vulnerabilities in this changelog. It is still best practice to patch these bugs if you are using an affected version of Python.

If you have an older release of Python installed e.g. 3.4.3 or older, please consider upgrading to the most recent 3.4.4 update to benefit from the above mentioned fixes.

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Python 3.5.1 and 2.7.11 Released

Last weekend the Python Foundation made available Python 2.7.11. Yesterday they also made available Python 3.5.1 (and a release candidate for 3.4.4).

=======================
The noteworthy changes in these updates are as follows:

For version 3.5.1, the following issues are resolved:

  • 1x buffer overread
  • 1x overflow in _Unpickler_Read (not a typo)
  • 2x memory leaks in SSLSocket.getpeercert()
  • SSLv3 is disabled by default when ssl.SSLContext

For version 2.7.11, the following issues are resolved:

  • 6x buffer overreads
  • 1x issue reading from a buffer
  • 1x buffer overflow
  • 1x integer overflow
  • 1x use after free (defined) issue
  • OpenSSL upgraded from 1.0.2a to 1.0.2d (which resolves 7 CVEs (defined))
  • SSLv3 is disabled by default when ssl.SSLContext

=======================

The full changelogs are available at the following links:

Version 3.5.1
Version 2.7.11

As before, while the above versions resolve buffer overflows, use-after-free bugs etc., these bugs have not been assigned CVE numbers and are not explicitly reported as security vulnerabilities in these changelogs. It is still best practice to patch these bugs if you are using an affected version of Python. My note above concerning CVEs within OpenSSL originated from OpenSSL’s release notes for version 1.0.2.

An application on my computer uses Python 2.7 and it continues to work with the 2.7.11 release. If you have an older release of Python installed e.g. 3.4.3 or older, please consider upgrading to the most recent 3.5.0 update to benefit from the above mentioned fixes.

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Python 3.5.0 Released

Update: 8th December 2015:
The Python Foundation have released Python 3.5.1. Please see this more recent blog post for details.

Thank you.

=======================
Original Post:
=======================

Last weekend, the Python Foundation made available version 3.5.0 of Python. This 3.5.0 update is significant since it incorporates the following noteworthy changes:

=======================

  • 7 buffer overreads resolved (essentially these are buffer overflows)
  • 10 integer overflows resolved (11 other general overflows resolved)
  • 1 use after free and 1 double free issue resolved
  • 1 CVE (defined) resolved (resolves an issue with returning too much data, possible buffer overflow)
  • Improved parsing of HTTP cookies to resolve a possible security issue
  • Improved URL handling by CGIHTTPServer to prevent a security issue
  • Resolved an arbitrary code execution vulnerability in the dbm.dumb module
  • Disables SSL v3 (it can still be re-enabled manually (see the heading “Security improvements” for details)) while prioritizing the use of perfect forward secrecy (defined).

=======================

The full changelog is available here.

While none of the above overflows or the use-after-free and double-free bugs have been assigned CVE numbers or are explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an affected version of Python.

If you have an older release of Python installed e.g. 3.4.3 or older, please consider upgrading to the most recent 3.5.0 update to benefit from the above mentioned fixes.

Advice on porting (adapting) older Python code to newer releases is available here and here.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Python 2.7.10 Released

Update: 8th December 2015:
The Python Foundation have released Python 2.7.11. Please see this more recent blog post for details.

Thank you.

=======================
Update: 24th November 2015:
At this time, Python 2.7.11 has entered release candidate testing (defined). The final version should be available in early December. I will update this post and publish a dedicated post when this update becomes available.

Thank you.

=======================
Original Post:
=======================
Last weekend, the Python Foundation made available an update to its older series of Python installers. Version 2.7.10 was released for the 2.7 code branch (3.4.3 is the most recent branch with 3.5 in alpha testing). On one of my PCs I have a specific piece of purchased software installed that requires Python 2.7.

This 2.7.10 update is significant since it incorporates the following noteworthy changes:

  • 4 buffer overflows resolved
  • 2 integer overflows resolved
  • 1 use after free bug resolved
  • Removes the RC4 cipher from the SSL module’s default cipher list
  • Upgrades the Windows build of Python 2.7.10 to include OpenSSL 1.0.2a (previously the OpenSSL version was 1.0.1j bundled with Python 2.7.9 released in December 2014)

The full changelog is available here.

While none of the above overflows or the use-after-free bug have been assigned CVE numbers or are explicitly reported as security vulnerabilities, it is still best practice to patch these bugs if you are using an older version of Python. In addition, 14 CVEs have been resolved by the OpenSSL Project between the releases of OpenSSL 1.0.1k and 1.0.2a (i.e. from the previous 2.7.9 version to the current 2.7.10). Please note that the total of 14 CVEs does not include CVEs that only affected the 1.0.2 branch.

For an explanation of what CVEs are, please see the first short aside within this blog post.

If you have Python 2.7 installed, please consider upgrading to the most recent 2.7.10 update to benefit from the above mentioned fixes. I installed the 2.7.10 update over the previous 2.7.9 version (the installer detects the previous version and offers to update it) and the application that requires Python mentioned above continues to work normally.

As a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.