8.160. python

Updated python packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Python is an interpreted, interactive, object-oriented programming language.

Security Fix

A flaw was found in the way the Python SSL module handled X.509 certificate fields that contain a NULL byte. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts.

Bug Fixes

Previously, several Python executables from the python-tools subpackage started with the #!/usr/bin/env python shebang. This made it harder to install and use alternative Python versions. With this update, the first line of these executables has been replaced with #!/usr/bin/python, which explicitly refers to the system version of Python. As a result, a user-preferred version of Python can now be used without complications.
Prior to this update, the sqlite3.Cursor.lastrowid object did not accept an insert statement specified in the Turkish locale. Consequently, when installing Red Hat Enterprise Linux 6 with the graphical installer, selecting "Turkish" as the install language led to an installation failure. With this update, sqlite3.Cursor.lastrowid has been fixed and installation no longer fails under the Turkish locale.
Previously, the SysLogHandler class inserted a UTF-8 byte order mark (BOM) into log messages. Consequently, these messages were evaluated as having the emergency priority level and were logged to all user consoles. With this update, SysLogHandler no longer appends a BOM to log messages, and messages are now assigned correct priority levels.
Previously, the random.py script failed to import the random module when the /dev/urandom file did not exist on the system. This led subsequent programs, such as Yum, to terminate unexpectedly. This bug has been fixed, and random.py now works as expected even without /dev/urandom.
The WatchedFileHandler class was sensitive to a race condition, which led to occasional errors. Consequently, rotating to a new log file failed. WatchedFileHandler has been fixed and the log rotation now works as expected.
Prior to this update, Python did not read Alternative Subject Names from certain Secure Sockets Layer (SSL) certificates. Consequently, a false authentication failure could have occurred when checking the certificate host name. This update fixes the handling of Alternative Subject Names and false authentication errors no longer occur.
Previously, the SocketServer module did not handle the system call interruption properly. This caused certain HTTP servers to terminate unexpectedly. With this update, SocketServer has been modified to handle the interruption and servers no longer crash in the aforementioned scenario.
Passing the timeout=None argument to the subprocess.Popen() function caused the upstream version of the Eventlet library to terminate unexpectedly. This bug has been fixed and Eventlet no longer fails in the described case.
When an incoming connection to a server using the SSLSocket class failed the automatic do_handshake() call, the connection remained open. This problem affected only Python 2. The underlying source code has been fixed and a failed incoming connection is now closed properly.
In cases when multiple libexpat.so libraries were available, Python failed to choose the correct one. This update adds an explicit RPATH to the _elementtree.so module, thus fixing this bug.
Previously, the urlparse module did not parse the query and fragment parts of URLs properly for arbitrary XML schemes. With this update, urlparse has been fixed and correct parsing is now assured in this scenario.
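The two certificate-handling items above (the NULL-byte flaw in the Security Fix and the Alternative Subject Names fix) both come down to how a client derives the set of trusted host names from a peer certificate. The following is an added example, not code from the Red Hat update or from the Python project, written in current Python 3: it takes the dictionary shape returned by ssl.getpeercert(), prefers subjectAltName DNS entries over the subject commonName, and refuses any name containing an embedded NUL instead of silently truncating it. The certificate dictionaries and host names are constructed sample data.

```python
# Constructed samples shaped like the dict ssl.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test")),
}
# A SAN entry with an embedded NUL: a correct check must not read it
# as "www.example.test" by stopping at the NUL.
NUL_CERT = {
    "subject": ((("commonName", "www.example.test\x00.attacker.test"),),),
    "subjectAltName": (("DNS", "www.example.test\x00.attacker.test"),),
}
# No SAN at all: only then may the subject commonName be consulted.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}


def dns_names(cert):
    """Candidate DNS names: subjectAltName dNSName entries first; the
    subject commonName only as a fallback when no dNSName is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against hostname.
    A single '*' is accepted only as the whole leftmost label and only
    when at least two further labels follow it."""
    if "\x00" in pattern:
        return False  # reject the name outright; never truncate at NUL
    pat_labels = pattern.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(pat_labels) != len(host_labels):
        return False
    if pat_labels[0] == "*":
        return len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]
    return pat_labels == host_labels


def hostname_matches(cert, hostname):
    """True if the certificate vouches for hostname, False otherwise."""
    if "\x00" in hostname or not hostname:
        return False
    return any(name_matches(n, hostname) for n in dns_names(cert))
```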

Enhancement

This update adds the collections.OrderedDict data structure to the collections package. collections.OrderedDict lets application code ensure that in-memory Python dictionaries are emitted with their keys in the same order each time they are converted to a string by the json.dumps routines.
All python users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.