- --------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-015
http://www.skolelinux.org/security/
Morten Werner Olsen
September 01, 2004
debian-edu-security@lists.alioth.debian.org
- --------------------------------------------------------------------------

Package              : python2.2
Vulnerability        : buffer overflow
Problem-Type         : local
Need reboot          : no
Debian-Edu-specific  : no
CVE ID               : CAN-2004-0150
DSA ID               : DSA-458-2

This security advisory corrects DSA 458-1 which caused some segmentation
faults in gethostbyaddr with non-localhost input. This update also disables
IPv6 on all architectures. The original advisory said:

  Sebastian Schmidt discovered a buffer overflow bug in Python's
  getaddrinfo function, which could allow an IPv6 address, supplied by a
  remote attacker via DNS, to overwrite memory on the stack.

  This bug only exists in python 2.2 and 2.2.1, and only when IPv6
  support is disabled. The python2.2 package in Debian woody meets
  these conditions (the 'python' package does not).

We recommend that you update your python2.2 package.

Upgrade Instructions
- --------------------

Make sure the line

  deb http://security.debian.org/ stable/updates main contrib non-free

is present in your /etc/apt/sources.list and run 'apt-get update' to update
your package lists. Then run 'apt-get install python2.2' to upgrade your
python2.2 package.

- --------------------------------------------------------------------------
Mailing list: bruker@skolelinux.no, debian-edu@lists.debian.org,
              linuxiskolen@skolelinux.no, user@skolelinux.de
Package info: `apt-cache show '