Summary
The remote host is missing an update to python
announced via advisory DSA 159-2.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20159-2
Insight
The bugfix we distributed in DSA 159-1 unfortunately caused Python to sometimes behave improperly when a non-executable file existed earlier in the path and an executable file of the same name existed later in the path. Zack Weinberg fixed this in the Python source. For reference, here's the original advisory text:
Zack Weinberg discovered an insecure use of a temporary file in os._execvpe from os.py. It uses a predictable name which could lead execution of arbitrary code.
This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.2 of Python 1.5, in version 2.1.3-3.2 of Python 2.1 and in version 2.2.1-4.2 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato13 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-25 of Python 1.5, in version 2.1.3-9 of Python 2.1 and in version 2.2.1-11 of Python 2.2. Python 2.3 is not affected by the original problem.
We recommend that you upgrade your Python packages.
Severity
Classification
-
CVE CVE-2002-1119 -
CVSS Base Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities