Security fixes are among the main changes in the latest version of the Python programming language released by the Python Software Foundation.
The developers said the OpenSSL version bundled with the Windows installer has been updated to 1.0.1h, which addresses the ChangeCipherSpec (CCS) injection vulnerability that could allow a man-in-the-middle (MitM) attack against an encrypted connection.
Another issue fixed in Python 2.7.8 is a possible buffer overflow that could allow memory to be read. The flaw, reported on June 24, was catalogued as a “release blocker,” a priority assigned to bugs that “stop the release dead in its tracks.”
Additionally, a vulnerability in the CGIHTTPServer module was patched. An attacker could leverage the bug, rated “critical,” to execute arbitrary code.
“The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script’s source code or execute arbitrary scripts in the server’s document root,” said the bug report for the flaw.
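The core of the CGIHTTPServer problem described in that report is an ordering mistake: the server decides whether a request targets a CGI directory by looking at the raw URL path, but later resolves the percent-decoded path on the filesystem, so an encoded separator (`%2f`) is invisible to the first decision and becomes a real `/` in the second. The following is an added illustration written for this article, not the Python project's own code or its actual fix: a naive classifier that splits before decoding, beside a hardened one that decodes and normalizes first. The `CGI_DIRS` tuple and the `classify` helper are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Directories treated as CGI script locations (assumed for this example;
# CGIHTTPServer used '/cgi-bin' and '/htbin' by default).
CGI_DIRS = ("/cgi-bin", "/htbin")


def naive_is_cgi(raw_path):
    """Weak check: splits the still-encoded URL path on '/'.

    A '%2f' in the path is not a separator at this point, so the first
    component of '/cgi-bin%2fscript.py' is 'cgi-bin%2fscript.py', which
    is not a CGI directory. The request is then served as a static file
    from the *decoded* path, disclosing the script's source.
    """
    path = urlsplit(raw_path).path
    if not path.startswith("/"):
        return False
    head = "/" + path.split("/")[1]
    return head in CGI_DIRS


def hardened_is_cgi(raw_path):
    """Hardened check: decode percent-escapes, collapse the path, then classify.

    Decoding first turns any encoded separator into a real one, and
    posixpath.normpath collapses '.', '..' and repeated slashes, so the
    directory decision is made on the same path the filesystem will see.
    """
    path = unquote(urlsplit(raw_path).path)
    # Strip all leading slashes before re-adding one: normpath keeps a
    # leading '//' as-is on POSIX, which would break the split below.
    path = posixpath.normpath("/" + path.lstrip("/"))
    parts = path.split("/", 2)          # e.g. ['', 'cgi-bin', 'script.py']
    if len(parts) != 3 or parts[2] == "":
        return False                    # no script name after the directory
    return "/" + parts[1] in CGI_DIRS


def classify(raw_path, checker):
    """Return how a server using `checker` would dispatch the request."""
    return "cgi" if checker(raw_path) else "static"


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    for sample in ("/cgi-bin/script.py", "/cgi-bin%2fscript.py", "/index.html"):
        print(f"{sample:28} naive={classify(sample, naive_is_cgi):7} "
              f"hardened={classify(sample, hardened_is_cgi)}")
```

The second sample is the case the bug report describes: the naive classifier dispatches it as a static file, which is the disclosure path, while the hardened classifier dispatches it as CGI because the decision is made on the decoded, normalized path. The general rule this demonstrates is that every security decision about a path must be taken on the same canonical form that is ultimately used to touch the filesystem.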
Additional details are available in the release notes.