CVE-2011-1521

Published: 24 May 2011

The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
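A redirect handler that refuses any Location target outside an allow-list of schemes, shown here as an added example (not code from this page or from the Python project). The names ALLOWED_REDIRECT_SCHEMES, resolve_redirect, SchemeCheckingRedirectHandler, build_checked_opener and audit_locations, and the http/https-only policy, are assumptions of the example; the Location values are constructed from the URLs named in the description.

```python
import urllib.error
import urllib.request
from email.message import Message
from urllib.parse import urljoin, urlsplit

# Assumption: local policy for this example. The patched standard library
# itself permits http, https and ftp redirect targets.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def resolve_redirect(base_url, location):
    """Resolve a Location value against the requesting URL and return the
    absolute target, or raise ValueError if its scheme is not allowed."""
    target = urljoin(base_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise ValueError("redirect to %r scheme refused: %s" % (scheme, target))
    return target


class SchemeCheckingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that re-checks the target scheme on every hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            newurl = resolve_redirect(req.full_url, newurl)
        except ValueError as exc:
            raise urllib.error.HTTPError(req.full_url, code, str(exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_checked_opener():
    # A subclass passed to build_opener replaces the default redirect handler.
    return urllib.request.build_opener(SchemeCheckingRedirectHandler)


def audit_locations(base_url, locations):
    """Return {location: True/False} for a list of Location header values."""
    handler = SchemeCheckingRedirectHandler()
    req = urllib.request.Request(base_url)
    verdict = {}
    for loc in locations:
        try:
            handler.redirect_request(req, None, 302, "Found", Message(), loc)
            verdict[loc] = True
        except urllib.error.HTTPError:
            verdict[loc] = False
    return verdict
```

Use build_checked_opener().open(url) in place of urlopen(url) when fetching URLs supplied by untrusted parties; on a patched interpreter this acts as a second, stricter check on top of the built-in one.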

Notes

Author    Note
jdstrand  also needs a testcase fix

Priority

Medium

Status

Package Release Status
python2.4
  dapper    Ignored (reached end-of-life)
  hardy     Released (2.4.5-1ubuntu4.4)
  lucid     Does not exist
  maverick  Does not exist
  natty     Does not exist
  oneiric   Does not exist
  precise   Does not exist
  upstream  Needs triage
  Patches:
    vendor: https://rhn.redhat.com/errata/RHSA-2011-0492.html

python2.5
  dapper    Does not exist
  hardy     Released (2.5.2-2ubuntu6.2)
  lucid     Does not exist
  maverick  Does not exist
  natty     Does not exist
  oneiric   Does not exist
  precise   Does not exist
  upstream  Needs triage
  Patches:
    upstream: http://hg.python.org/cpython/rev/dd852a0f92d6 (pt1)
    upstream: http://hg.python.org/cpython/rev/ca3b117c40f3 (pt2)
    upstream: http://hg.python.org/cpython/rev/9d06d5eb1a7e (pt3)
    upstream: http://hg.python.org/cpython/rev/90ec0bc01f3b (pt4, backport from 2.6)

python2.6
  dapper    Does not exist
  hardy     Does not exist
  lucid     Released (2.6.5-1ubuntu6.1)
  maverick  Ignored (reached end-of-life)
  natty     Released (2.6.6-6ubuntu7.1)
  oneiric   Not vulnerable (2.6.7-4ubuntu1)
  precise   Does not exist
  upstream  Released (2.6.7)
  Patches:
    vendor: https://rhn.redhat.com/errata/RHSA-2011-0554.html
    upstream: http://hg.python.org/cpython/rev/9eeda8e3a13f/ (pt1)
    upstream: http://hg.python.org/cpython/rev/90ec0bc01f3b (pt2)

python2.7
  dapper    Does not exist
  hardy     Does not exist
  lucid     Does not exist
  maverick  Ignored (reached end-of-life)
  natty     Released (2.7.1-5ubuntu2.2)
  oneiric   Not vulnerable (2.7.2~rc1-2)
  precise   Not vulnerable (2.7.2~rc1-2)
  upstream  Released (2.7.2)
  Patches:
    upstream: http://hg.python.org/cpython/rev/b2934d98dac1/ (pt1)
    upstream: http://hg.python.org/cpython/rev/34d5d794ccc1 (pt2)

python3.1
  dapper    Does not exist
  hardy     Does not exist
  lucid     Released (3.1.2-0ubuntu3.1)
  maverick  Released (3.1.2+20100915-0ubuntu4.1)
  natty     Released (3.1.3-1ubuntu1.1)
  oneiric   Does not exist
  precise   Does not exist
  upstream  Released (3.1.4 rc1)
  Patches:
    upstream: http://hg.python.org/cpython/rev/5937d2119a20

python3.2
  dapper    Does not exist
  hardy     Does not exist
  lucid     Does not exist
  maverick  Does not exist
  natty     Released (3.2-1ubuntu1.1)
  oneiric   Not vulnerable (3.2.1~rc1-1)
  precise   Not vulnerable (3.2.1~rc1-1)
  upstream  Released (3.2.1)
  Patches:
    upstream: http://hg.python.org/cpython/rev/968bca2cab60