
Security: Denial of Service in ConfigObj (Update)
Name: Denial of Service in ConfigObj (Update)
ID: USN-7040-2
Distribution: Ubuntu
Platforms: Ubuntu 14.04 LTS
Date: Tue, 15 October 2024, 07:00
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26112
Applications: ConfigObj
Update of: Denial of Service in ConfigObj

Original message

From: Ian Constantin <ian.constantin@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <e7f2edf4-f6dc-4b91-89a1-7427981afbd4@canonical.com>
Subject: [USN-7040-2] ConfigObj vulnerability

==========================================================================
Ubuntu Security Notice USN-7040-2
October 14, 2024

configobj vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

ConfigObj could be made to crash if it received specially crafted input.

Software Description:
- configobj: simple but powerful config file reader and writer for Python

Details:

USN-7040-1 fixed a vulnerability in ConfigObj. This update
provides the corresponding update for Ubuntu 14.04 LTS.

Original advisory details:

 It was discovered that ConfigObj contains regex that is susceptible to
 catastrophic backtracking. An attacker could possibly use this issue to
 cause a regular expression denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
  python-configobj                4.7.2+ds-5ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7040-2
  https://ubuntu.com/security/notices/USN-7040-1
  CVE-2023-26112
