Mageia 9: MGASA-2024-0084 Critical: Python Denial of Service

mageia

March 23, 2024

An issue was discovered in Python before 3.11.1

Summary

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. (CVE-2022-45061) An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. (CVE-2022-48565) An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. (CVE-2022-48566) An issue in the urllib.parse component of Python before 3.11.4...

References

- https://bugs.mageia.org/show_bug.cgi?id=31000

- https://ubuntu.com/security/notices/USN-5888-1

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/

- https://access.redhat.com/errata/RHSA-2023:2763

- https://access.redhat.com/errata/RHSA-2023:2860

- https://access.redhat.com/errata/RHSA-2023:3556

- https://access.redhat.com/errata/RHSA-2023:3591

- https://ubuntu.com/security/notices/USN-6139-1

- https://www.cve.org/CVERecord?id=CVE-2022-45061

- https://www.cve.org/CVERecord?id=CVE-2022-48565

- https://www.cve.org/CVERecord?id=CVE-2022-48566

- https://www.cve.org/CVERecord?id=CVE-2023-24329

- https://www.cve.org/CVERecord?id=CVE-2023-40217

Topics Covered

security advisory Denial of Service Python Mageia XML Issue IDNA Decoder CPU Consumption

Resolution

SRPMS

- 9/core/python-2.7.18-15.1.mga9

- 9/core/python3-3.10.11-1.1.mga9

Severity

critical

Lowest

Low

Medium

High

Critical

Publication date: 23 Mar 2024

URL: https://advisories.mageia.org/MGASA-2024-0084.html

Type: security

CVE: CVE-2022-45061, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329, CVE-2023-40217

Topics Covered

security advisory Denial of Service Python Mageia XML Issue IDNA Decoder CPU Consumption

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 9: MGASA-2024-0084 Critical: Python Denial of Service

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 9: MGASA-2024-0084 Critical: Python Denial of Service

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!