1.221. python

Updated python packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Python is an interpreted, interactive, object-oriented programming language.

Security Fixes

A flaw was found in the Python urllib and urllib2 libraries where they would not differentiate between different target URLs when handling automatic redirects. This caused Python applications using these modules to follow any new URL that they understood, including the "file://" URL type. This could allow a remote server to force a local Python application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed.
A race condition was found in the way the Python smtpd module handled new connections. A remote user could use this flaw to cause a Python script using the smtpd module to terminate.
An information disclosure flaw was found in the way the Python CGIHTTPServer module processed certain HTTP GET requests. A remote attacker could use a specially-crafted request to obtain the CGI script's source code.
This errata upgrades Python to version 2.6.6 (BZ#627301), and includes a number of bug fixes and enhancements.
Bug Fixes
The pydoc -k command performs a keyword search of the synopses in all installed Python modules. This command failed on modules that did not import, resulting in a traceback. pydoc -k now ignores modules that have import exceptions, allowing searches on the remaining modules.
A minor incompatibility with SELinux in one of the commands module selftests was corrected.
The python-tests subpackage was missing some test files and directories used by the selftests for lib2to3. This update adds the missing content to the subpackage.
Previously, the in operator for dbm mappings erroneously returned False for all keys on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z). This update fixes this issue.
A harmless but unnecessary RPATH directive from the _sqlite3.so module was removed. Execution and "#!" lines from .py files within the standard library that did not require these lines were also removed.
Previously, the urllib2 module ignored the no_proxy variable for the FTP scheme. This could lead to programs such as yum erroneously accessing a proxy server for ftp:// URLs covered by a no_proxy exclusion. The no_proxy variable now overrides the ftp_proxy variable, enforcing this exclusion.
Previously, the IDLE Python IDE used a hard-coded port (8833) when communicating between the shell and the execution sub-processes. Attempts to use more than one instance of IDLE on one computer failed with a "Port Binding Error" dialog box. This update backports a patch from Python 2.7 to use an ephemeral port instead, resolving this issue.
On AMD64 and Intel 64 architectures, running gdb (configured using the --with-python option) on python applications to generate backtraces caused a traceback error. python-gdb.py, the python module that deals with the case of debugging a python process, was updated to prevent this.
Using an invalid username or password while attempting to authenticate against HTTPS via the urllib2 module resulted in infinite recursion. This behavior has been patched, and urllib22 now attempts authentication a maximum of five times before authentication is considered failed.
Previously, Python programs that used ulimit -n to enable communication with large numbers of subprocesses could still monitor only 1024 file descriptors at a time, due to the subprocess module using the select system call. This could cause an exception:
ValueError: filedescriptor out of range in select()
The module now uses the poll system call, removing this limitation.
Basic HTTP authentication via the urllib2 module was limited to six requests because the retried attribute was not reset when authentication was successful. This attribute is now reset, and authentication requests work as expected.
The test_structmembers unit test failed on big-endian 64-bit builds of Python (64-bit PowerPC and IBM System z) because a variable was not well-defined. The variable is now defined correctly, and the unit test works as expected. Note that this issue was discovered and corrected during development, and was not encountered in production systems in the field.
Upgrading Python removed a call to the PyErr_Clear() method, which exposed an assertion failure in RhythmBox that resulted in RhythmBox crashing. Python now compensates for the RhythmBox assertion failure.
A race condition was discovered in python Makefile.pre.in. The make command interprets a make rule with two dependents as two copies of the rule. On machines with more than one core, this could lead to race conditions in which the compiler attempted to read a partially-overwritten file. This resulted in syntax or link errors when attempting to build python on machines with multiple cores. A check has been added to prevent this issue.
This updated package now provides the python-ssl package, rendering the python-ssl package provided by the EPEL repository obsolete.
The subprocess module now includes an optional timeout argument, which can be used by the subprocess.call, Popen.communicate and Popen.wait API entry points. This argument allows users to specify either an integer or a float value, which represents the number of seconds these processes will wait for a call to return before raising an exception of type TimeoutExpired.
SystemTap static probes have been added to the Python runtime. Two example scripts are also provided: pyfuntop.stp, which provides a top-like view of all bytecode being executed; and systemtap-example.stp, which shows the function-call hierarchy of Python bytecode.
Reference-handling bugs within C extension modules can lead to crashes when Python's garbage collector runs. The garbage collector now prints more informative messages to stderr when exiting due to unrecoverable reference errors.
All users of Python are advised to upgrade to these updated packages, which correct these issues and add these enhancements.