-------------------------------------------------------------------------
Debian LTS Advisory DLA-2808-1              [email protected]
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 05, 2021                           https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python3.5
Version        : 3.5.3-1+deb9u5
CVE ID         : CVE-2021-3733 CVE-2021-3737

Two vulnerabilities were found in src:python3.5, the Python
interpreter v3.5. They are as follows:

CVE-2021-3733

    The ReDoS-vulnerable regex has quadratic worst-case complexity,
    which allows a denial of service when identifying crafted invalid
    RFCs. This ReDoS issue is on the client side and requires a remote
    attacker to control the HTTP server.

CVE-2021-3737

    The HTTP client can get stuck indefinitely reading len(line) < 64k
    lines after receiving a '100 Continue' HTTP response. This could
    lead to the client being a bandwidth sink for anyone in control of
    a server.

For Debian 9 stretch, these problems have been fixed in version
3.5.3-1+deb9u5.

We recommend that you upgrade your python3.5 packages.
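As an added example, not part of the advisory, the following Python script checks whether an installed python3.5 package is at or above the fixed version named above. It ports the version comparison algorithm described in deb-version(5) (epoch, then upstream version, then Debian revision, with '~' sorting before everything and digit runs compared numerically), so the check does not depend on dpkg being available; the optional dpkg-query call under `__main__` only runs where dpkg is installed.

```python
import subprocess

# Fixed version announced in DLA-2808-1 for Debian 9 stretch (from the advisory).
FIXED_VERSION = "3.5.3-1+deb9u5"
PACKAGE = "python3.5"


def parse_version(version):
    """Split a Debian version string into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c):
    """Sort weight of one character as deb-version(5) defines it: '~' sorts before
    anything (even end of string), digits and end of string weigh 0, letters sort
    before every other non-digit character."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _char(s, i):
    return s[i] if i < len(s) else ""


def _verrevcmp(a, b):
    """Compare two version fragments; negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare lexically using the modified ordering above.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically by length and digits.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version ordering."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return -1 if c < 0 else (1 if c > 0 else 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version already contains the advisory's fix."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Ask dpkg for the installed version; skip quietly on systems without dpkg.
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", PACKAGE],
                             capture_output=True, text=True, check=True).stdout.strip()
        print(f"{PACKAGE} {out}: {'fixed' if is_fixed(out) else 'VULNERABLE, upgrade'}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print(f"{PACKAGE} is not installed or dpkg-query is unavailable")
```

The comparison handles the cases that trip up naive string comparison: `1+deb9u10` sorts after `1+deb9u5` because digit runs are compared numerically, a `~` pre-release suffix sorts before the release it precedes, and a higher epoch wins regardless of the rest.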

For the detailed security status of python3.5 please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS