# Python (SimpleXMLRPCServer) GLSA-check problem

## hanj

Hello All

I've been running GLSA check for a while.. and I keep getting this notice:

```
[N] indicates that the system might be affected.

200502-09 [N] Python: Arbitrary code execution through SimpleXMLRPCServer ( dev-lang/python )
```

I'm not sure how to fix this.. since I've been updating the system with the latest Python. Currently here is the Python package that is on the system...

```
[ebuild   R   ] dev-lang/python-2.3.5-r2  -X +berkdb -bootstrap -build -doc +gdbm -ipv6 +ncurses -nocxx +readline +ssl -tcltk -ucs2 0 kB
```

I thought running python-updater would do the trick.. but it didn't find anything. When I do an emerge -pC python.. I see two versions of Python on the system. Would you recommend me removing the other? The warning message made me hesitate before pulling the trigger...

```
emerge -pC python

>>> These are the packages that I would unmerge:

!!! Trying to unmerge package(s) in system profile. 'dev-lang/python'

!!! This could be damaging to your system.

 dev-lang/python

    selected: 2.2.3-r1 2.3.5-r2

   protected: none

     omitted: none

>>> 'Selected' packages are slated for removal.

>>> 'Protected' and 'omitted' packages will not be removed.

```

Here is output of python-updater:

```
/usr/sbin/python-updater

 * Logging disabled due to permissions

 * Starting Python Updater from 2.2 to 2.3 :

 * Searching for packages with files in /usr/lib/python2.2 /usr/lib32/python2.2 /usr/lib64/python2.2 ..

 * Calculating Upgrade Package List ..

 * Re-ordering packages to merge ..

 * Preparing to merge these packages in this order:

 * Python update completed successfully.
```

Any ideas?

Thanks much!

hanji

----------

## SecMon

hanji, 

make sure you run python-updater before you go too far

then 

```
emerge -pC '<dev-lang/python-2.4.2'
```

```
unknown#  emerge -pC '<dev-lang/python-2.4.2'

>>> These are the packages that I would unmerge:

 dev-lang/python

    selected: 2.3.4-r1

   protected: none

     omitted: 2.4.2

>>> 'Selected' packages are slated for removal.

>>> 'Protected' and 'omitted' packages will not be removed.
```

If that looks good to you let it fly and pull the 'p'

-- Keath

----------

## slycordinator

Firstly, you need to install the newest stable version of python.

dev-lang/python-2.4.2

Then you'll need to run python-updater

Then you'll need to remove the versions of python that are lower than 2.4.2

----------

## slycordinator

*SecMon wrote:*

> hanji, 
> 
> make sure you run python-updater before you go too far
> 
> then 
> ...

That won't work as he doesn't have 2.4.2 installed. The only versions he has are 2.2.3-r1 and 2.3.5-r2, both of which are vulnerable. Plus if he issues the command you used there, portage will stop working (as the command will remove all his versions of python and portage requires python).

----------
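The following pre-flight check is an added example and not part of any post in this thread. It illustrates the failure mode raised in the last reply: it lists the installed versions below the target and refuses when no version at or above the target would remain. The function names `ver_lt` and `plan_unmerge` are hypothetical, the version lists are constructed from the posts above, and GNU `sort -V` is assumed to approximate Portage's version ordering.

```shell
#!/bin/sh
# Added example: decide which dev-lang/python versions are safe to unmerge.
# Versions are passed as arguments; nothing here calls emerge or changes the system.

# ver_lt A B: succeeds when A sorts strictly below B.
# Assumption: GNU `sort -V` is close enough to Portage ordering for these versions.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plan_unmerge TARGET INSTALLED...
# Prints the installed versions lower than TARGET, space-separated.
# Returns 1 and prints no list when no installed version is >= TARGET,
# since unmerging every python also leaves portage without an interpreter.
plan_unmerge() {
    pu_target=$1
    shift
    pu_remove=""
    pu_keep=0
    for pu_v in "$@"; do
        if ver_lt "$pu_v" "$pu_target"; then
            pu_remove="${pu_remove:+$pu_remove }$pu_v"
        else
            pu_keep=1
        fi
    done
    if [ "$pu_keep" -eq 0 ]; then
        echo "refusing: no installed python >= $pu_target;" \
             "install it and run python-updater first" >&2
        return 1
    fi
    printf '%s\n' "$pu_remove"
}

# Constructed demo using the version lists quoted in the thread.
plan_unmerge 2.4.2 2.2.3-r1 2.3.5-r2 || echo "first system: not safe to unmerge yet"
plan_unmerge 2.4.2 2.3.4-r1 2.4.2
```
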

