CVE-2011-1521

Published: 24 May 2011

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

Priority

Medium

Status

Package Release Status
python2.4
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Vendor: https://rhn.redhat.com/errata/RHSA-2011-0492.html
python2.5
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Upstream: http://hg.python.org/cpython/rev/dd852a0f92d6 (pt1)
Upstream: http://hg.python.org/cpython/rev/ca3b117c40f3 (pt2)
Upstream: http://hg.python.org/cpython/rev/9d06d5eb1a7e (pt3)
Upstream: http://hg.python.org/cpython/rev/90ec0bc01f3b (pt4, backport from 2.6)
python2.6
Launchpad, Ubuntu, Debian 		Upstream
Released (2.6.7)
Patches:
Vendor: https://rhn.redhat.com/errata/RHSA-2011-0554.html
Upstream: http://hg.python.org/cpython/rev/9eeda8e3a13f/ (pt1)
Upstream: http://hg.python.org/cpython/rev/90ec0bc01f3b (pt2)
python2.7
Launchpad, Ubuntu, Debian 		Upstream
Released (2.7.2)
Patches:
Upstream: http://hg.python.org/cpython/rev/b2934d98dac1/ (pt1)
Upstream: http://hg.python.org/cpython/rev/34d5d794ccc1 (pt2)
python3.1
Launchpad, Ubuntu, Debian 		Upstream
Released (3.1.4 rc1)
Patches:
Upstream: http://hg.python.org/cpython/rev/5937d2119a20
python3.2
Launchpad, Ubuntu, Debian 		Upstream
Released (3.2.1)
Patches:
Upstream: http://hg.python.org/cpython/rev/968bca2cab60

Notes

AuthorNote
jdstrand also needs a testcase fix

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading