
Debian 11: DLA-4000-1 high: sqlparse Denial of Service risks

Debian LTS
December 21, 2024
Debian LTS DLA-4000-1 resolves multiple vulnerabilities in sqlparse affecting Python applications, resulting in potential Denial of Service.
Multiple vulnerabilities were found in sqlparse, a non-validating SQL parser for Python, which can lead to Denial of Service when attacker-controlled SQL is parsed.

Summary

CVE-2021-32839

Erik Krogh Kristensen discovered that the StripComments filter
contains a regular expression that is vulnerable to ReDoS (Regular
Expression Denial of Service). The regular expression may cause
exponential backtracking on strings containing many repetitions of
'\r\n' in SQL comments.

CVE-2023-30608

Erik Krogh Kristensen discovered that the Parser contains a regular
expression that is vulnerable to ReDoS (Regular Expression Denial of
Service).

CVE-2024-4340

Uriya Yavniely discovered that passing a heavily nested list to
sqlparse.parse() may raise a RecursionError exception. A generic
SQLParseError is now raised instead.

For Debian 11 bullseye, these problems have been fixed in version
0.4.1-1+deb11u1.

We recommend that you upgrade your sqlparse packages.
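A practical check after upgrading, added here as an example and not part of DLA-4000-1 or of the sqlparse project: Debian backports the fixes into the existing 0.4.1 source, so sqlparse.__version__ keeps reporting 0.4.1 on a fixed system and cannot distinguish a patched package from an unpatched one. The script therefore reads the package version from dpkg and compares it against 0.4.1-1+deb11u1 with dpkg's own ordering, and separately probes the CVE-2024-4340 behaviour by feeding sqlparse.parse() a constructed, heavily nested list and classifying whether a SQLParseError (fixed) or a RecursionError (unfixed) comes back. It assumes python3-sqlparse is importable and that dpkg-query and dpkg are on PATH; when either is missing it reports that instead of failing. The ReDoS issues are deliberately not probed here, because a vulnerable regex on a long input may not return in any useful time.

```python
"""Check an installed sqlparse for the DLA-4000-1 fixes.

Added example, not part of the advisory or of the sqlparse project.
Assumes python3-sqlparse is importable and dpkg is available; both
conditions are handled when they do not hold.
"""
import subprocess

FIXED_DEBIAN_VERSION = "0.4.1-1+deb11u1"  # fixed version named in the advisory
NESTING_DEPTH = 10_000  # constructed probe depth, far beyond CPython's default limit


def nested_input(depth: int) -> str:
    """Build the heavily nested list the advisory describes, e.g. '[[[]]]'.

    This is a constructed probe payload, not a real query.
    """
    return "[" * depth + "]" * depth


def probe_nesting(depth: int = NESTING_DEPTH) -> str:
    """Parse a deeply nested list and classify the outcome.

    'fixed'       -> SQLParseError raised (behaviour with the CVE-2024-4340 fix)
    'vulnerable'  -> RecursionError escaped sqlparse.parse() (unfixed)
    'parsed'      -> no exception at this depth
    'unavailable' -> sqlparse is not importable on this system
    """
    try:
        import sqlparse
        from sqlparse.exceptions import SQLParseError
    except ImportError:
        return "unavailable"
    try:
        sqlparse.parse(nested_input(depth))
    except SQLParseError:
        return "fixed"
    except RecursionError:
        return "vulnerable"
    return "parsed"


def installed_debian_version(package: str = "python3-sqlparse"):
    """Return the dpkg version of the package, or None if dpkg or the package is absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def debian_version_is_fixed(version: str, fixed: str = FIXED_DEBIAN_VERSION):
    """True if version >= fixed under dpkg's ordering; None when dpkg is unavailable."""
    try:
        rc = subprocess.run(
            ["dpkg", "--compare-versions", version, "ge", fixed],
            capture_output=True,
        ).returncode
    except FileNotFoundError:
        return None
    return rc == 0


if __name__ == "__main__":
    ver = installed_debian_version()
    print("dpkg version of python3-sqlparse:", ver or "not installed via dpkg")
    if ver:
        print("at or above", FIXED_DEBIAN_VERSION + ":", debian_version_is_fixed(ver))
    print("nested-list probe (CVE-2024-4340):", probe_nesting())
```

Run it as root or as any user on the Debian 11 host; a fixed host prints True for the version comparison and "fixed" for the probe. A "vulnerable" probe result with a version at or above 0.4.1-1+deb11u1 usually means a second copy of sqlparse (for example from pip or a virtualenv) shadows the Debian package, which the dpkg check alone would miss.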

For the detailed security status of sqlparse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/sqlparse

Package: sqlparse
Version: 0.4.1-1+deb11u1
CVE ID: CVE-2021-32839 CVE-2023-30608 CVE-2024-4340
Debian Bug: 994841 1034615 1070148