CVE-2018-20406
Modules/_pickle.c has an integer overflow via a large LONG_BINPUT
value that is mishandled during a "resize to twice the size"
attempt. This issue might cause memory exhaustion, but is only
relevant if the pickle format is used for serializing tens or
hundreds of gigabytes of data.
CVE-2018-20852
http.cookiejar.DefaultPolicy.domain_return_ok in
Lib/http/cookiejar.py does not correctly validate the domain: it
can be tricked into sending existing cookies to the wrong
server. An attacker may abuse this flaw by using a server with a
hostname that has another valid hostname as a suffix (e.g.,
pythonic to steal cookies for ). When a
program uses http.cookiejar.DefaultPolicy and tries to do an HTTP
connection to an attacker-controlled server, existing cookies can
be leaked to the attacker.
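The flaw described above is a suffix check done without regard to label boundaries. The following is an added example, not code from the advisory or from CPython: it shows the flawed check beside the boundary-respecting form, and then probes the running interpreter's own http.cookiejar.DefaultPolicy to see whether a cookie set for one domain would be attached to a request for a host that merely ends with that domain. All hostnames (example.test, pythonicexample.test) are constructed for illustration.

```python
# Added example (not code from the advisory or from CPython): the domain-suffix
# check behind CVE-2018-20852, first as a pure pair of functions, then as a probe
# of this interpreter's http.cookiejar. Hostnames below are constructed.
import urllib.request
from http.cookiejar import Cookie, CookieJar


def naive_domain_match(req_host: str, cookie_domain: str) -> bool:
    """The flawed shape: a bare suffix test. Any host that merely *ends with*
    the cookie domain passes, so 'pythonicexample.test' matches 'example.test'."""
    return req_host.endswith(cookie_domain)


def safe_domain_match(req_host: str, cookie_domain: str) -> bool:
    """The corrected shape: compare on a label boundary. The host itself and its
    subdomains match; a host that only shares a trailing substring does not."""
    dotdomain = cookie_domain if cookie_domain.startswith(".") else "." + cookie_domain
    return ("." + req_host).endswith(dotdomain)


def _jar_with_cookie(cookie_domain: str) -> CookieJar:
    """Build a jar holding one version-0 cookie scoped to cookie_domain."""
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name="session", value="constructed-value",
        port=None, port_specified=False,
        domain=cookie_domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False))
    return jar


def cookie_sent_to(cookie_domain: str, request_host: str) -> bool:
    """Ask the interpreter's DefaultPolicy whether a cookie set for
    cookie_domain would be attached to a request for request_host.
    Nothing is sent on the network; only the Cookie header is computed."""
    jar = _jar_with_cookie(cookie_domain)
    req = urllib.request.Request(f"http://{request_host}/")
    jar.add_cookie_header(req)
    return req.has_header("Cookie")


def interpreter_is_affected() -> bool:
    """True if this Python would hand example.test's cookie to a host that only
    ends with 'example.test', i.e. it still shows the CVE-2018-20852 behaviour."""
    return cookie_sent_to("example.test", "pythonicexample.test")


if __name__ == "__main__":
    for host in ("example.test", "www.example.test", "pythonicexample.test"):
        print(f"{host:22} naive={naive_domain_match(host, 'example.test')!s:5} "
              f"safe={safe_domain_match(host, 'example.test')!s:5} "
              f"stdlib_sends_cookie={cookie_sent_to('example.test', host)}")
    print("interpreter affected by CVE-2018-20852:", interpreter_is_affected())
```

Running the block on a patched interpreter prints `stdlib_sends_cookie=False` for the suffix-only host and `True` for the domain itself and its subdomain; a `True` for the suffix-only host means the interpreter predates the fix and should be updated.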
CVE-2019-5010
An exploitable denial-of-service vulnerability exists in the X509