Debian DSA-159-1 : python - insecure temporary files

medium Nessus Plugin ID 14996

Synopsis

The remote Debian host is missing a security-related update.

Description

Zack Weinberg discovered an insecure use of a temporary file in os._execvpe from os.py. It uses a predictable name, which could lead to the execution of arbitrary code.

Solution

Upgrade the Python packages immediately.

This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in version 2.2.1-4.1 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato12 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and in version 2.2.1-8 of Python 2.2. Python 2.3 is not affected by this problem.

See Also

http://www.debian.org/security/2002/dsa-159

Plugin Details

Severity: Medium

ID: 14996

File Name: debian_DSA-159.nasl

Version: 1.20

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:2.2, cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:python

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/28/2002

Reference Information

CVE: CVE-2002-1119

BID: 5581

DSA: 159