Python SimpleXMLRPCServer module (SSA:2005-111-02)
Posted on: 04/22/2005 05:11 AM

New Python packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, and -current to fix a security issue in the SimpleXMLRPCServer library module.

Here are the details from the Slackware 10.1 ChangeLog:
+--------------------------+
patches/packages/python-2.4.1-i486-1.tgz: Upgraded to python-2.4.1.
From the python.org site: "The Python development team has discovered a flaw
in the SimpleXMLRPCServer library module which can give remote attackers
access to internals of the registered object or its module or possibly other
modules. The flaw only affects Python XML-RPC servers that use the
register_instance() method to register an object without a _dispatch()
method. Servers using only register_function() are not affected."
For more details, see:
http://python.org/security/PSF-2005-001/
(* Security fix *)
patches/packages/python-demo-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
demos.
patches/packages/python-tools-2.4.1-noarch-1.tgz: Upgraded to python-2.4.1
tools.
+--------------------------+
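
The quoted notice says servers are exposed only when register_instance() is given an object that has no _dispatch() method. The following is an added example, not part of the advisory or of Python's own code, showing an instance that defines _dispatch() as an explicit allowlist, plus a small check for the flagged registration pattern. It assumes Python 3, where the module is named xmlrpc.server; the Inventory class and the helper function names are hypothetical.

```python
from xmlrpc.client import Fault
from xmlrpc.server import SimpleXMLRPCDispatcher


class Inventory:
    """Constructed sample service; names here are hypothetical."""

    _exported = frozenset({"count", "add"})  # the only RPC-reachable names

    def __init__(self):
        self._items = {"widget": 3}  # internal state, never exported

    def count(self, name):
        return self._items.get(name, 0)

    def add(self, name, qty):
        self._items[name] = self.count(name) + qty
        return self._items[name]

    def _dispatch(self, method, params):
        # The dispatcher hands every request for this instance to this hook,
        # so attribute lookup happens only for allowlisted names.
        if method not in self._exported:
            raise Fault(1, "method %r is not exported" % method)
        return getattr(self, method)(*params)


def build_dispatcher():
    dispatcher = SimpleXMLRPCDispatcher()
    dispatcher.register_instance(Inventory())
    return dispatcher


def refused(dispatcher, method, params=()):
    """True if the request is rejected with an XML-RPC Fault."""
    try:
        dispatcher._dispatch(method, params)
    except Fault:
        return True
    return False


def audit(dispatcher):
    """Flag the registration pattern the advisory describes."""
    inst = dispatcher.instance
    if inst is not None and not hasattr(inst, "_dispatch"):
        return ["instance registered without _dispatch()"]
    return []
```

Running audit() against a server's dispatcher at startup gives a quick configuration check alongside the package upgrade.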


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/python-2.2.3-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/python-2.2.3-i386-1.tgz

Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-demo-2.3.5-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-tools-2.3.5-noarch-1.tgz

Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-demo-2.3.5-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-tools-2.3.5-noarch-1.tgz

Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-demo-2.4.1-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-tools-2.4.1-noarch-1.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-demo-2.4.1-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-tools-2.4.1-noarch-1.tgz


MD5 signatures:
+-------------+



Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg python-2.4.1-i486-1.tgz python-demo-2.4.1-noarch-1.tgz python-tools-2.4.1-noarch-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/python_simplexmlrpcserver_module_ssa2005_111_02.html)