Security: Two problems in Python
Name: Two problems in Python
ID: USN-5199-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS
Date: Fri, 17 December 2021, 23:56
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3737
Applications: Python

Original message

From: Ian Constantin <ian.constantin@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <1bd1e82f-3c3d-fb20-e721-09481eb254ca@canonical.com>
Subject: [USN-5199-1] Python vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5199-1
December 17, 2021

python3.6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Python could be made to crash if it receives specially crafted input
from a malicious server.

Software Description:
- python3.6: An interactive high-level object-oriented language

Details:

It was discovered that the urllib.request.AbstractBasicAuthHandler class
in Python contains a regular expression with a quadratic worst-case time
complexity. Specially crafted traffic from a malicious HTTP server could
cause a regular expression denial of service (ReDoS) condition for a
client. (CVE-2021-3733)

It was discovered that the Python urllib http client could enter into an
infinite loop when incorrectly handling certain server responses (100
Continue response). Specially crafted traffic from a malicious HTTP
server could cause a denial of service (DoS) condition for a client.
(CVE-2021-3737)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libpython3.6-stdlib 3.6.9-1~18.04ubuntu1.6
python3.6 3.6.9-1~18.04ubuntu1.6
python3.6-minimal 3.6.9-1~18.04ubuntu1.6

In general, a standard system update will make all the necessary changes.
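To confirm that a host actually carries the fixed builds listed above, the installed package versions have to be compared using dpkg's ordering, where the `~` in `1~18.04ubuntu1.6` sorts before everything else. The following is an added example, not part of the Ubuntu notice or Canonical's tooling: it re-implements the Debian version comparison algorithm (epoch, upstream version, revision; alternating non-digit and digit runs) and checks a package list against the three fixed versions from the notice. The function names are the example's own, and the dpkg-query output it processes is constructed sample data, not output captured from a real system.

```python
"""Check installed Ubuntu package versions against the fixed versions named
in USN-5199-1 (added example, not part of the notice). The comparison
re-implements the ordering dpkg uses (Debian Policy 5.6.12)."""
import re

# Fixed versions listed in the notice for Ubuntu 18.04 LTS.
FIXED_VERSIONS = {
    "libpython3.6-stdlib": "3.6.9-1~18.04ubuntu1.6",
    "python3.6": "3.6.9-1~18.04ubuntu1.6",
    "python3.6-minimal": "3.6.9-1~18.04ubuntu1.6",
}

def _char_order(c: str) -> int:
    """Rank of one non-digit character: '~' sorts before anything, even the
    end of the string (rank 0); letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (compared character-wise with _char_order)
    and digit runs (compared numerically) until one side wins."""
    while a or b:
        run_a = re.match(r"[^0-9]*", a).group()
        run_b = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(run_a), len(run_b))):
            oa = _char_order(run_a[i]) if i < len(run_a) else 0
            ob = _char_order(run_b[i]) if i < len(run_b) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(run_a):], b[len(run_b):]
        digits_a = re.match(r"[0-9]*", a).group()
        digits_b = re.match(r"[0-9]*", b).group()
        num_a = int(digits_a) if digits_a else 0
        num_b = int(digits_b) if digits_b else 0
        if num_a != num_b:
            return -1 if num_a < num_b else 1
        a, b = a[len(digits_a):], b[len(digits_b):]
    return 0

def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)  # last hyphen starts the revision
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    epoch_a, up_a, rev_a = parse_version(a)
    epoch_b, up_b, rev_b = parse_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    result = _compare_fragment(up_a, up_b)
    if result:
        return result
    return _compare_fragment(rev_a, rev_b)

def parse_dpkg_output(text: str) -> dict:
    """Parse lines of "dpkg-query -W -f='${Package} ${Version}\\n'" output."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed

def find_unpatched(installed: dict) -> list:
    """Notice-listed packages installed at a version older than the fix."""
    return sorted(
        pkg for pkg, ver in installed.items()
        if pkg in FIXED_VERSIONS and compare_versions(ver, FIXED_VERSIONS[pkg]) < 0
    )

# Constructed sample of dpkg-query output: the stdlib package lags behind.
SAMPLE_DPKG_OUTPUT = """\
libpython3.6-stdlib 3.6.9-1~18.04ubuntu1.4
python3.6 3.6.9-1~18.04ubuntu1.6
python3.6-minimal 3.6.9-1~18.04ubuntu1.6
"""

if __name__ == "__main__":
    print(find_unpatched(parse_dpkg_output(SAMPLE_DPKG_OUTPUT)))  # ['libpython3.6-stdlib']
```

On a live Ubuntu host, feed the output of `dpkg-query -W -f='${Package} ${Version}\n' libpython3.6-stdlib python3.6 python3.6-minimal` into `parse_dpkg_output`; `dpkg --compare-versions` applies the same ordering from the shell if you only need a one-off check.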

References:
https://ubuntu.com/security/notices/USN-5199-1
CVE-2021-3733, CVE-2021-3737

Package Information:
https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.6

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEcxdv4gCCE8W9nrt5a1+PL+d1/EgFAmG8y60ACgkQa1+PL+d1
/EgQQAv+NWO/G5meO3BaIDp2kpZRCGJaN09ssbMwerq1cyyxQSmTFd7u8Yr00jT8
uYWehZIoC+4VSiw74+/E/J7k30U9dBY4ukzqIb34yP+GvtOBKAjodbYRcK5Uaac7
5s8BaslQj7sTC2Bzt45Rsl/e1t5Tm2teTC5rk1RDzVPwoKOKKvcJCp/vc9eXipnh
izZLjPe9DFE19hX/DUfEJs4mEbXCj7BoJduxKVpKkIj+H51531wXMKfkZCNIuvlY
tJaq3Op8VveDKKlYQKQcdhDl/qsMj2z+n//6Abfw9uXF0JUAvhtaBoRSZHGf/Fkx
r+fLoURbgg97r2i8l7BKvooTV56mkPUTypXdOFxahsYz6tJ02A3/aEUu2gbXrmKC
1iK7+uj5mOv/+46j3VX7q1WqPqB0iPB/0QmH4yh/m8BuWDLpxL0H48EVnvNCggjj
wxXiV8szRpKW1itkKta2IdQnSRplyOGfcwPxB8PzcaPhLzOqQwE/GpthY2ba64YD
MwLTmwRe
=Ylkh
-----END PGP SIGNATURE-----