{"id":"USN-3134-1","summary":"python2.7, python3.2, python3.4, python3.5 vulnerabilities","details":"It was discovered that the smtplib library in Python did not return an\nerror when StartTLS fails. A remote attacker could possibly use this to\nexpose sensitive information. (CVE-2016-0772)\n\nRĂ©mi Rampin discovered that Python would not protect CGI applications\nfrom contents of the HTTP_PROXY environment variable when based on\nthe contents of the Proxy header from HTTP requests. A remote attacker\ncould possibly use this to cause a CGI application to redirect outgoing\nHTTP requests. (CVE-2016-1000110)\n\nInsu Yun discovered an integer overflow in the zipimporter module in\nPython that could lead to a heap-based overflow. An attacker could\nuse this to craft a special zip file that when read by Python could\npossibly execute arbitrary code. (CVE-2016-5636)\n\nGuido Vranken discovered that the urllib modules in Python did\nnot properly handle carriage return line feed (CRLF) in headers. A\nremote attacker could use this to craft URLs that inject arbitrary\nHTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu\n14.04 LTS. (CVE-2016-5699)\n","modified":"2026-02-10T04:41:03Z","published":"2016-11-22T18:51:17Z","related":["UBUNTU-CVE-2016-0772","UBUNTU-CVE-2016-1000110","UBUNTU-CVE-2016-5636","UBUNTU-CVE-2016-5699"],"upstream":["CVE-2016-0772","CVE-2016-1000110","CVE-2016-5636","CVE-2016-5699","UBUNTU-CVE-2016-0772","UBUNTU-CVE-2016-1000110","UBUNTU-CVE-2016-5636","UBUNTU-CVE-2016-5699"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3134-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-0772"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5636"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5699"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-1000110"}],"affected":[{"package":{"name":"python2.7","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/python2.7@2.7.6-8ubuntu0.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.6-8ubuntu0.3"}]}],"versions":["2.7.5-8ubuntu3","2.7.5-8ubuntu4","2.7.6-2","2.7.6-2ubuntu1","2.7.6-3","2.7.6-3ubuntu1","2.7.6-4","2.7.6-4ubuntu1","2.7.6-5","2.7.6-7","2.7.6-8","2.7.6-8ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_name":"idle-python2.7","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"libpython2.7","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"libpython2.7-dev","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"libpython2.7-minimal","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"libpython2.7-stdlib","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"libpython2.7-testsuite","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"python2.7","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"python2.7-dev","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"python2.7-examples","binary_version":"2.7.6-8ubuntu0.3"},{"binary_name":"python2.7-minimal","binary_version":"2.7.6-8ubuntu0.3"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3134-1.json","cves_map":{"cves":[{"id":"CVE-2016-0772","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5636","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5699","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1000110","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:14.04:LTS"}}},{"package":{"name":"python3.4","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1~14.04.5?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.3-1ubuntu1~14.04.5"}]}],"versions":["3.4~b1-0ubuntu3","3.4~b1-4ubuntu4","3.4~b1-4ubuntu6","3.4~b1-5ubuntu2","3.4~b2-1","3.4~b3-1ubuntu1","3.4~rc1-1build1","3.4~rc2-1","3.4~rc3-0ubuntu1","3.4.0-1","3.4.0-2ubuntu1","3.4.0-2ubuntu1.1","3.4.3-1ubuntu1~14.04.1","3.4.3-1ubuntu1~14.04.3","3.4.3-1ubuntu1~14.04.4"],"ecosystem_specific":{"binaries":[{"binary_name":"idle-python3.4","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"libpython3.4","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"libpython3.4-dev","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"libpython3.4-minimal","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"libpython3.4-stdlib","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"libpython3.4-testsuite","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"python3.4","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"python3.4-dev","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"python3.4-examples","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"python3.4-minimal","binary_version":"3.4.3-1ubuntu1~14.04.5"},{"binary_name":"python3.4-venv","binary_version":"3.4.3-1ubuntu1~14.04.5"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3134-1.json","cves_map":{"cves":[{"id":"CVE-2016-0772","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5636","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5699","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1000110","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:14.04:LTS"}}},{"package":{"name":"python2.7","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/python2.7@2.7.12-1ubuntu0~16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.12-1ubuntu0~16.04.1"}]}],"versions":["2.7.10-4ubuntu1","2.7.10-4ubuntu2","2.7.11-2","2.7.11-3","2.7.11-4","2.7.11-6","2.7.11-7","2.7.11-7ubuntu1","2.7.12-1~16.04"],"ecosystem_specific":{"binaries":[{"binary_name":"idle-python2.7","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"libpython2.7","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"libpython2.7-dev","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"libpython2.7-minimal","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"libpython2.7-stdlib","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"libpython2.7-testsuite","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"python2.7","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"python2.7-dev","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"python2.7-examples","binary_version":"2.7.12-1ubuntu0~16.04.1"},{"binary_name":"python2.7-minimal","binary_version":"2.7.12-1ubuntu0~16.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3134-1.json","cves_map":{"cves":[{"id":"CVE-2016-0772","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5636","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1000110","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:16.04:LTS"}}},{"package":{"name":"python3.5","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/python3.5@3.5.2-2ubuntu0~16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.5.2-2ubuntu0~16.04.1"}]}],"versions":["3.5.0-3","3.5.0-3ubuntu1","3.5.1~rc1-2ubuntu1","3.5.1-1","3.5.1-2","3.5.1-3","3.5.1-5","3.5.1-6ubuntu1","3.5.1-6ubuntu2","3.5.1-9ubuntu1","3.5.1-10","3.5.2-2~16.01","3.5.2-2~16.04"],"ecosystem_specific":{"binaries":[{"binary_name":"idle-python3.5","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"libpython3.5","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"libpython3.5-dev","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"libpython3.5-minimal","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"libpython3.5-stdlib","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"libpython3.5-testsuite","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"python3.5","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"python3.5-dev","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"python3.5-examples","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"python3.5-minimal","binary_version":"3.5.2-2ubuntu0~16.04.1"},{"binary_name":"python3.5-venv","binary_version":"3.5.2-2ubuntu0~16.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3134-1.json","cves_map":{"cves":[{"id":"CVE-2016-0772","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-5636","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-1000110","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:16.04:LTS"}}}],"schema_version":"1.7.3"}