Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 152897 - CAN-2005-0089 python SimpleXMLRPCServer security issue
Summary: CAN-2005-0089 python SimpleXMLRPCServer security issue
Status: CLOSED DUPLICATE of bug 169235
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: python
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: 1, LEGACY, NEEDSWORK, rh73, rh90
Depends On: 169235
TreeView+ depends on / blocked
Reported: 2005-02-10 18:55 UTC by Marc Deslauriers
Modified: 2007-04-18 17:22 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-09-28 06:51:44 UTC

Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:31:21 UTC
The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers.  This affects any programs have been written
that allow remote untrusted users to do unrestricted traversal and can
allow them to access or change function internals using the im_* and
func_* attributes.


------- Bug moved to this database by 2005-03-30 18:31 -------

This bug previously known as bug 2421 at
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Michal Jaegermann 2005-09-26 06:00:14 UTC
Corresponding fixed Python packages were annouced in which has classification

Comment 2 Michal Jaegermann 2005-09-26 22:26:47 UTC
There is a package for RH7.3 at

These sources include a fix for CAN-2005-0089, and also for other SSL security
issues (lifted from updates to RHEL) and a fix for pcre issues (CAN-2005-2491,

Neither python-1.5.2-... packages, nor python-xmlrpc-1.5.1-7.x.3, for RH7.3
seem to be affected by CAN-2005-0089.  It does not look that the code in
question, or something similar, is there.

For other distributions it seems that a fix for CAN-2005-0089 will be
either the same or very similar as applied here.  In any case a code from
corresponding RHEL update sources will apply.

Comment 3 David Eisenstein 2005-09-27 06:14:15 UTC
(Michal and Jim - hope you don't mind my adding you to the cc: for this bug.)

Since Michal has proposed the python2-2.2.2- packages as
a fix not only for the this bug report's issue, but also for the CAN-2005-2491
pcre issue (handled in Bug #169235), I suggest we re-title 169235 to be
"CAN-2005-0089 CAN-2005-2491 python multiple security issues" and continue all
work on CAN-2005-0089 there.  We can make this bug report's success depend on
that one.

That way we can track all of python's pending security issues in one bug report
rather than two.  Would you mind changing the title of 169235, Jim?

Comment 4 Jim Popovitch 2005-09-27 15:05:47 UTC
David, Thank you for adding me to this bug.  For the record I would rather be
added than deleted. ;-)

I have renamed 169235 as you proposed.

Comment 5 Pekka Savola 2005-09-28 06:51:44 UTC
I'm closing this bug if we continue tracking on #169235.

*** This bug has been marked as a duplicate of 169235 ***

Note You need to log in before you can comment on or make changes to this bug.