Security Experts:

Security Vulnerabilities Fixed With Release of Python 2.7.8

Regression and security fixes are included in the latest version of the Python programing language released by the Python Software Foundation on July 1.

The developers announced that the OpenSSL version bundled with the Windows installer has been updated to version 1.0.1h, which addresses the recently disclosed ChangeCipherSpec (CCS) injection vulnerability that could allow for a man-in-the-middle (MitM) attack against an encrypted connection.

Another issue fixed with Python 2.7.8 refers to a possible overflow in the "buffer" type that could allow memory reading. The flaw was reported on June 24 and has been catalogued as a "release blocker," a priority assigned to bugs that "stop the release dead in its tracks."

Additionally, a vulnerability in the CGIHTTPServer module has been patched with the latest release. The bug, rated as "critical",  can be exploited to execute arbitrary code on affected servers.

"The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root," reads the bug report for the flaw.

"CGIHTTPServer executes CGI cgies inside a folder specified at init. Its function for deciding what's inside the folder (to be executed) and what's outside (to be returned raw) is completely bust. If you urlencode the slashes you will confuse it enough to yield false negative/positive," explained Hacker News user FiloSottile. "This means that if you are using CGIHTTPServer, anyone can execute anything that the web server was supposed to print, or get the source of any CGI script."

 Additional details are available in the release notes and the complete change log.


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.