Security Vulnerabilities Fixed With Release of Python 2.7.8

Regression and security fixes are included in the latest version of the Python programing language released by the Python Software Foundation on July 1.

The developers announced that the OpenSSL version bundled with the Windows installer has been updated to version 1.0.1h, which addresses the recently disclosed ChangeCipherSpec (CCS) injection vulnerability that could allow for a man-in-the-middle (MitM) attack against an encrypted connection.

Another issue fixed with Python 2.7.8 refers to a possible overflow in the “buffer” type that could allow memory reading. The flaw was reported on June 24 and has been catalogued as a “release blocker,” a priority assigned to bugs that “stop the release dead in its tracks.”

Additionally, a vulnerability in the CGIHTTPServer module has been patched with the latest release. The bug, rated as “critical”,  can be exploited to execute arbitrary code on affected servers.

“The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script’s source code or execute arbitrary scripts in the server’s document root,” reads the bug report for the flaw.

“CGIHTTPServer executes CGI cgies inside a folder specified at init. Its function for deciding what’s inside the folder (to be executed) and what’s outside (to be returned raw) is completely bust. If you urlencode the slashes you will confuse it enough to yield false negative/positive,” explained Hacker News user FiloSottile. “This means that if you are using CGIHTTPServer, anyone can execute anything that the web server was supposed to print, or get the source of any CGI script.”

 Additional details are available in the release notes and the complete change log.