
Python language

CORE-2009-0910: Autodesk Maya Script Nodes Arbitrary Command Execution

Autodesk Maya [2] is a high-end 3D computer graphics and 3D modeling
software package.

Autodesk Maya offers so-called "Script Nodes" as a way to program
animation behavior using MEL (Maya Embedded Language) and the Python
programming language. The Autodesk Maya file formats support embedding
of scripting code as part of a scene package. Programs embedded in Maya
files using scripting code are automatically executed upon opening of
the file. An attacker can take control of a system where Maya is
installed by sending a specially crafted scene package and enticing
the user to open it. The scripting code will run with the privileges

[SECURITY] [DSA-1619-2] New python-dns package fixes regression

library breaking the resolution of UTF-8 encoded record names.  An
updated release is available which corrects this problem.  For
reference, the original advisory text follows.

Multiple weaknesses have been identified in PyDNS, a DNS client
implementation for the Python language.  Dan Kaminsky identified a
practical vector of DNS response spoofing and cache poisoning,
exploiting the limited entropy in a DNS transaction ID and lack of
UDP source port randomization in many DNS implementations.  Scott
Kitterman noted that python-dns is vulnerable to this predictability,
as it randomizes neither its transaction ID nor its source port.

[SECURITY] [DSA 1619-1] New python-dns packages fix DNS response spoofing

Debian-specific: no
CVE Id(s)      : CVE-2008-1447
Debian Bug     : 490217

Multiple weaknesses have been identified in PyDNS, a DNS client
implementation for the Python language.  Dan Kaminsky identified a
practical vector of DNS response spoofing and cache poisoning,
exploiting the limited entropy in a DNS transaction ID and lack of
UDP source port randomization in many DNS implementations.  Scott
Kitterman noted that python-dns is vulnerable to this predictability,
as it randomizes neither its transaction ID nor its source port.

[SECURITY] [DSA-1977-1] New python packages fix several vulnerabilities

CVE Id         : CVE-2008-2316 CVE-2009-3560 CVE-2009-3720
Debian Bug     : 493797 560912 560913


Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that the embedded Expat copy
in the interpreter for the Python language does not properly process malformed or
crafted XML files. (CVE-2009-3560 CVE-2009-3720)
This vulnerability could allow an attacker to cause a denial of service while parsing
a malformed XML file.

In addition, this update fixes an integer overflow in the hashlib module in python2.5.



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
