Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Mageia 8: MGASA-2021-0435 Moderate: Python3 Denial Of Service

mageia
Calendar Grey September 23, 2021
Dist Mageia Esm H88
Recent updates to the python3 libraries in Mageia resolve several vulnerabilities and enhance the overall security of the system integrity.
bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition

Summary

bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.
bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This copy is most used on Windows and macOS.
bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.
bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.
It was discovered that Python incorrectly handled certain RFCs. An attacker could possibly use this issue to cause a denial of service. This i...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=29450

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K7QDAEX4PWRYYEIXRF5QDGKJULJO6HKD/

- https://docs.python.org/release/3.8.12/whatsnew/changelog.html

- https://www.cve.org/CVERecord?id=CVE-2021-3733

- https://www.cve.org/CVERecord?id=CVE-2021-3737

Resolution

SRPMS

- 8/core/python3-3.8.12-1.mga8

Severity
important
Lowest
Low
Medium
High
Critical

Publication date: 23 Sep 2021
URL: https://advisories.mageia.org/MGASA-2021-0435.html
Type: security
CVE: CVE-2021-3733, CVE-2021-3737

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here